Integrated Windows Authentication in WCF on IIS 6.0

Question

I need to implement Integrated Windows Authentication for a WCF service hosted on IIS 6.0 (Windows Server 2003) without certificates. The requirement is to simply authenticate Windows Credentials of users within a particular Active Directory group when they hit the service. The Framework version being used is 3.0.

WCF Configuration:

The following is the "bindings" portion of the web.config file for the service:

<bindings>
<basicHttpBinding>
<binding name="Binding1">
 <security mode="TransportCredentialOnly">
 <transport clientCredentialType="Windows" />
 </security>
</binding>
</basicHttpBinding>

</bindings>

There is no "mex" endpoint.

Even though the virtual directory's as well as the .svc file's security settings have "Integrated Windows Authentication" selected in IIS, the following error occurs when the .svc file is navigated to:

Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service.

The following are the other details of the hosting of the service:

• The service runs under a separate App Pool
• The App Pool is running under a separate privileged account configured under the "Identity" tab of the App Pool.

I have seen numerous other questions along these lines, but none of the fixes actually rectifies this problem. Your inputs would be greatly appreciated.

Answer 1

Make sure you did uncheck "Enable anonymous access".

Maybe you can try forcing NTML Authentication if any of these apply to your case

• you isolate Web sites on a virtual directory level by configuring worker process identities as different domain accounts.

• you are using Integrated Windows authentication, are not using a WINS or DNS name for the server running IIS, and you want to use a local user account or the LocalService account as a worker process identity.

see: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/524404dc-8586-46b0-89ac-0f5db6d33c9c.mspx?mfr=true

Answer 2

From my experience with WCF it's quite tough to get everything configured correctly - alot of trial and error! I did however find the following link extrememly useful as it provides checklists for different scenarios: CodePlex - WCF Security Guide and the main WCF section: WCF Security.

I went through the checklist for my application scenario and the issues were ironed out. Hope that helps!

Answer 3

After some digging, I finally discovered that this works if you change "Windows" to "Ntlm". I never could get it to work with Kerberos but you mention not wanting to use certificates anyway.

If you're still having trouble, you might look at what's in the IIS metabase for the site in question under NTAuthenticationProviders. If you want to use only Ntlm, you'll need to set that string to just "NTLM", and you'll need to make sure it says "Ntlm" not "Windows" in your transport clientCredentialType or you'll get the exception you quoted in your original post.

Conversely, if anyone is experiencing this error and they WANT to use Kerberos certificates if available, they should check to see if the metabase NTAuthenticationProviders says "Negotiate,NTLM". This is the default, but is mysteriously different for me on a VM on which I was trying to run a WCF service today (which ultimately brought me to this thread!)