Can IIS-hosted WCF service be configured for BOTH Windows Auth and Anonymous?

Question

I've got a small WCF webservice working with the built-in WCF Service Host and with hosting by the Visual Studio 2008 built-in development webserver.

I these hosting enviroments I have relied on the WCF Test Client for invoking the service methods.

Now I am running into problems with my next phase of testing:

I have it hosted in IIS 5.1 on my WinXP dev machine and I think maybe the problem is I cannot continue to use WCF Test Client anymore. Here is what's happening:

Case 1: "Anonymous Access" is CHECKED (ENABLED)

WCF Test Client UI comes up properly, exposing the WebMethods and the INVOKE button. Yet when I click INVOKE it fails to connect with a backend data store (a 3rd party product) that requires Windows authentication. I could post the error I get back from the product.DLL but I don't think it is relevant.

Case 2: "Anonymous Access" is un-CHECKED (DISABLED)

WCF Test Client UI fails to even initialize properly. My researching of this tells me that MEX (WS-Metadata Exchange) requires "Anonymous Access" and (apparently) WCF Test Client requires MEX. Here are key snippets of the error being returned:

Error: Cannot obtain Metadata from http://localhost/wcfiishost
The remote server returned an error: (401) Unauthorized.HTTP GET Error
URI: http://localhost/wcfiishost    
There was an error downloading 'http://localhost/wcfiishost'.    
The request failed with the error message:
Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service

The are lots of explanations of binding options, message security, etc. and stuff I honestly do not understand. Here is my take on where I am but I would love your opinions:

(a) Because I know my WCF webservice MUST be configured to use Windows Authentication, I conclude I cannot continue to use the WCF Test Client when hosting my service in IIS. That it has effectively outlived it's usefulness to me. I will just have to take the time to write a web client because WCFTestClient won't work without Anonymous.

(or)

(b) It is possible to use WCF Test Client if it and the hosted service are configured propertly (I just don't know what the special configuration techniques are for this).

Which is correct? Time to stop using WCFTestClient or is there a way to have it both ways? Thanks in advance for your advice.

EDIT: 11 June 09

Is there anything else I can provide to help someone else help me on this question?

Answer 1

Hi John,

I just tried to have the same setup - but in my case, everything seems to work just fine.

• ASP.NET web site
• WCF service, using basicHttpBinding without any special settings at all
• IIS Application with anonymous = enabled and Windows authentication = enabled (both turned on)

I can easily connect to it with the WcfTestClient and retrieve the metadata, and I can then call it, no problem.

Inside my service function, I check to see whether the current user is a known user or not, it is correctly identified as a Windows authenticated user:

    ServiceSecurityContext ssc = ServiceSecurityContext.Current;

    if (ssc.IsAnonymous)
    {
        return "anonymous user";
    }
    else
    {
        if(ssc.WindowsIdentity != null)
        {
            return ssc.WindowsIdentity.Name;
        }

        if (ssc.PrimaryIdentity != null)
        {
            return ssc.PrimaryIdentity.Name;
        }
    }

    return "(no known user)";

I don't really know, what more to check for (except I'm on Vista with IIS7). Any chance you could include this code to check for the user in your service code? Just to see....

Marc

Answer 2

Marc, your setup is not even close to Johns.

John uses WSHttpBinding that uses Windows Credentials for Message mode transport. The Windows Authentication isn't being used with BasicHttpBinding. Furthermore, John had AnonymousAuthentication disabled, which is why the Metadata Exchange (mex) is failing.

The call won't even reach inside the service side function, because we get a Error 401 (Unauthorized) when we try to call.

Just know John, I have the same issue, and I'm trying to somehow set up separate bindings per endpoint. Hopefully that will work.

Answer 3

When I set the title/subject of this question and reached a dead end here, I opened up the same issue in the MSDN forum with a different emphasis on the title (content of question essentially the same).

For me, the real issue was how to use WCFTestClient in IIS without Anonymous Authentication being set (because my service needed Integrated Windows Authentication only).

Mex apparently requires Anonymous and by default WCFTestClient seems to need Mex. The key seems to be accomodating both my doctoring up the web.config file carefully.

Anyway, I got it working with this web.config below (the MSDN link is here:

<?xml version="1.0"?>
<configuration>

            <endpoint address="" 
                        binding="wsHttpBinding"
                        bindingConfiguration="wsBindingConfig"
                        contract="sdkTrimFileServiceWCF.IFileService">

                                 <identity>
                                    <dns value="localhost" />
                                 </identity>
            </endpoint>

            <endpoint address="basic" 
                        binding="basicHttpBinding"
                        bindingConfiguration="bindingConfig" 
                        contract="sdkTrimFileServiceWCF.IFileService" />
        </service>
    </services>

    <bindings>
        <basicHttpBinding>
            <binding name="bindingConfig">
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows"/>
                </security>
            </binding>
        </basicHttpBinding>

        <wsHttpBinding>
            <binding name="wsBindingConfig">
                <security mode="Transport">
                    <transport clientCredentialType="Windows"/>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>

        </serviceBehaviors>
    </behaviors>