WCF Service - The HTTP request was forbidden with client authentication scheme 'Anonymous'

    Question

  • I have hosted a new WCF Service within IIS 7.5 that appears to work except when I:

    Turn the IIS "Required SSL (client certificates - ignore)" option on for the web site.

    That results in the "The HTTP request was forbidden..." request failures.

    The WCF Service appears to work with SSL, but I wish to block any "non-SSL" HTTP requests.

    Some Important configurations:

    1. Supports dual security with a production (signed) certificate:

    <wsHttpBinding>
      <binding name="wsHttpUNmMsg">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>

    2. XSD validation

    <extensions>
      <behaviorExtensions>
        <add name="SchemaValidator" type="SigmaSchemaValidations.ProspectCustomBehaviorSection, SigmaSchemaValidations, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      </behaviorExtensions>
    </extensions>

    3. Important service configurations:

    <serviceBehaviors>
      <behavior name="CustomValidator">
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceMetadata httpsGetEnabled="true" />
        <serviceCredentials>
          <serviceCertificate findValue="xxxxxx.xxxxx.com" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
          <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="SigmaProspectValidator.UserNamePasswordValidator,SigmaProspectService" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>

    <service behaviorConfiguration="CustomValidator" name="SigmaProspectService.ProspectService">
      <endpoint address="https://localhost/services/V5/prospect.svc" listenUri="" behaviorConfiguration="XSDValidatorBehavior" binding="wsHttpBinding" bindingConfiguration="wsHttpUNmMsg" name="SigmaProspectUNm" contract="SigmaProspectService.IProspect" />
      <endpoint address="mex" binding="mexHttpsBinding" name="mex" contract="IMetadataExchange" />
      <host>
        <baseAddresses>
          <add baseAddress="https://localhost/services/V5" />
        </baseAddresses>
      </host>
    </service>

    Tuesday, March 01, 2011 2:59 PM

Answers

  • Also, the Anonymous user account is active, and I've found some suggestions that the mex endpoint may need to be re-configured for SSL:

    <endpoint address="mex" binding="wsHttpsBinding" name="MetadataBinding" contract="IMetadataExchange" bindingConfiguration="CertificateWithTransport" />

    For more info see:

    http://msdn.microsoft.com/en-us/library/aa395212.aspx

    (Custom Secure Metadata Endpoint)


    OK, it appears that my issue relates to using an unsecured mex endpoint with a secured service endpoint.

    However, to secure the mex endpoint and still allow the client to consume the service metadata, it appears the client needs to do additional work and may require a client-side certificate.

    Is there a way to expose a secure mex endpoint without requiring extra work from the client? My consumers may object to any additional work.

    I guess I could:

    1. Leave the mex endpoint unsecured.

    2. Allow the client to consume the service's metadata.

    3. Disable the mex endpoint.

    4. Turn the IIS "Required SSL (client certificates - ignore)" option on.

    I assume the service will still work, but the metadata will not be "re-consumable" until the mex endpoint is re-enabled.

     

    • Marked as answer by Biker Keith Tuesday, March 15, 2011 5:00 PM
    Tuesday, March 01, 2011 3:56 PM
  • Hello, in most cases you can leave the mex endpoint unsecured. The client won't be able to invoke your actual service if they're not authenticated. They can only generate a proxy.
    Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
    Windows Azure Technical Forum Support Team Blog
    • Marked as answer by Yi-Lun Luo Monday, March 07, 2011 9:09 AM
    Wednesday, March 02, 2011 3:11 AM
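A consolidated web.config that implements the outcome of this thread, written as an added example and not the poster's or the answerers' own configuration. The service endpoint keeps TransportWithMessageCredential with a UserName token checked by the custom validator, so an unauthenticated caller can fetch the WSDL but cannot invoke an operation; metadata is published only over HTTPS through mexHttpsBinding (server certificate only, so svcutil or Add Service Reference needs nothing beyond trusting the issuing CA); and the IIS "Require SSL / Client certificates: Ignore" setting is expressed as `<access sslFlags="Ssl" />`, which makes IIS answer plain-HTTP requests with a 403 before WCF sees them. The names (wsHttpUNmMsg, CustomValidator, the validator type, the certificate subject, the contract) are taken from the question. The body of the `CertificateWithTransport` binding and the commented-out certificate-gated mex endpoint are my assumption of what the referenced "Custom Secure Metadata Endpoint" pattern looks like, included only to show the client-certificate variant the poster wanted to avoid.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Service endpoint: TLS on the wire (server certificate), UserName token in
             the SOAP security header, validated by the custom validator below. -->
        <binding name="wsHttpUNmMsg">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
        <!-- ASSUMED shape of the "Custom Secure Metadata Endpoint" binding: TLS plus a
             client certificate. Consumers would then need a certificate just to read
             the WSDL, which is the extra client work the thread wants to avoid. -->
        <binding name="CertificateWithTransport">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <behaviors>
      <serviceBehaviors>
        <behavior name="CustomValidator">
          <!-- Keep stack traces out of SOAP faults in production. -->
          <serviceDebug includeExceptionDetailInFaults="false" />
          <!-- Publish ?wsdl over HTTPS only; the plain-HTTP GET is explicitly off. -->
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
          <serviceCredentials>
            <serviceCertificate findValue="xxxxxx.xxxxx.com" storeLocation="LocalMachine"
                                storeName="My" x509FindType="FindBySubjectName" />
            <userNameAuthentication userNamePasswordValidationMode="Custom"
                customUserNamePasswordValidatorType="SigmaProspectValidator.UserNamePasswordValidator,SigmaProspectService" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>

    <services>
      <service behaviorConfiguration="CustomValidator" name="SigmaProspectService.ProspectService">
        <!-- Relative addresses: under IIS the base address comes from the site's https
             binding and the .svc path, so no absolute URL or baseAddresses element is needed. -->
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpUNmMsg"
                  name="SigmaProspectUNm" contract="SigmaProspectService.IProspect" />
        <!-- Metadata over TLS with the server certificate only: proxy generation works
             without any client-side credential, but the operations above still require
             a valid UserName token. -->
        <endpoint address="mex" binding="mexHttpsBinding" name="mex" contract="IMetadataExchange" />
        <!-- Alternative (assumed pattern): metadata gated by a client certificate.
        <endpoint address="mex" binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
                  name="MetadataBinding" contract="IMetadataExchange" />
        -->
      </service>
    </services>
  </system.serviceModel>

  <!-- IIS 7.x equivalent of "Require SSL" with "Client certificates: Ignore".
       sslFlags="Ssl" rejects http:// requests with 403.4; SslNegotiateCert or
       SslRequireCert would start demanding client certificates, which is not wanted here. -->
  <system.webServer>
    <security>
      <access sslFlags="Ssl" />
    </security>
  </system.webServer>
</configuration>
```

The `system.webServer/security/access` section is locked at the server level in a default IIS 7.5 install, so this part of web.config is only honoured after running `appcmd unlock config /section:system.webServer/security/access` (or keep setting it in IIS Manager, as the poster did; the effect is the same). With `httpGetEnabled="false"` and no HTTP endpoint defined, a plain-HTTP request is refused by both IIS and WCF, so the only way a client reaches the service is over HTTPS, and the only way it reaches an operation is with a UserName token that the custom validator accepts.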
