WCF Basic Http Binding - Two server requests per method call

    Question

  • We have a service that uses BasicHttpBinding/Transport Security/Windows Authentication and is hosted in IIS. I have created a unit-test application in VSTS and whenever we test a WCF method, Fiddler records two calls.

    1st call - No authorization token is sent. The WCF service returns a 401 error - Unauthorized: Access is denied. Http headers as sent in the request given below.

    POST http://localhost/AccountScreen.svc HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "IAccountScreen/RetrieveAccountDetails"
    Host: localhost
    Content-Length: 243
    Expect: 100-continue
    Connection: Keep-Alive

    2nd call - Authorization token is sent and the WCF service returns the expected response.

    POST http://localhost/AccountScreen.svc HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "IAccountScreen/RetrieveAccountDetails"
    Authorization: Negotiate
    Host: localhost
    Content-Length: 243
    Expect: 100-continue

    I am not able to figure out why there are two calls made to the server in the first place and what is the significance of the first call. Any thoughts?
    Monday, February 22, 2010 2:53 PM

Answers

  • Hi Nishant,
    This is the standard way in which authentication takes place. Whenever you request a resource from the server (say using a browser) your client (in this case your browser) does not send the credentials the first time because it doesn't know if the resource it is trying to access on the server is secured or not. When your request reaches the server (IIS) it determines that OK, this resource is secure, so let's ask for some credentials from the client. This is the WWW-Authenticate header sent by the server to your client (which also lists the auth modes in which the client can authenticate itself - basic, digest, negotiate ...). This prompts the client to send the credentials in the Authorization header. Hence the two calls. This is not specific to WCF but any client-server communication. You can find more details on this here: http://www.owasp.org/index.php/Authentication_In_IIS
    Thanks.
    - Piyush
    • Marked as answer by nishanttheone Monday, February 22, 2010 6:32 PM
    Monday, February 22, 2010 4:54 PM
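The challenge/response round trip described in the answer, as an added example that is not part of the original thread. A small `http.server` handler stands in for IIS with Windows Authentication: a POST without an `Authorization` header gets `401` plus `WWW-Authenticate`, and the retried POST that carries an `Authorization` header gets `200`. The `Negotiate` token, the SOAP body and the `/AccountScreen.svc` response are constructed placeholders; no real SPNEGO/Kerberos validation happens, the server only checks that the header is present.

```python
"""Two-round-trip HTTP authentication challenge, simulated end to end.

Added example (not from the original thread). The server stands in for IIS:
an anonymous request gets 401 + WWW-Authenticate, a request carrying an
Authorization header gets 200. Token and SOAP body are constructed placeholders;
no real Negotiate/Kerberos validation happens here.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-ins; a real client would send a SPNEGO token and a real envelope.
FAKE_TOKEN = "Negotiate PLACEHOLDER-SPNEGO-TOKEN"
SOAP_BODY = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
             b'<s:Body/></s:Envelope>')


class ChallengeHandler(BaseHTTPRequestHandler):
    """Behaves like IIS with Windows Authentication: challenge first, then serve."""
    protocol_version = "HTTP/1.1"

    def do_POST(self):
        # Drain the request body so the keep-alive connection can be reused.
        self.rfile.read(int(self.headers.get("Content-Length", "0")))
        if not self.headers.get("Authorization"):
            # Round trip 1: no credentials -> tell the client which schemes are accepted.
            self.send_response(401, "Unauthorized")
            self.send_header("WWW-Authenticate", "Negotiate")
            self.send_header("WWW-Authenticate", "NTLM")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        # Round trip 2: credentials present -> serve the (placeholder) SOAP response.
        body = b"<ok/>"
        self.send_response(200, "OK")
        self.send_header("Content-Type", "text/xml; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep the demo output quiet
        pass


def start_server():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_exchange(port):
    """Replay the pattern Fiddler showed: anonymous POST, 401, POST with Authorization."""
    headers = {
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": '"IAccountScreen/RetrieveAccountDetails"',
        "Connection": "Keep-Alive",
    }
    conn = http.client.HTTPConnection("127.0.0.1", port)
    trace = []
    for attempt in range(2):
        if attempt == 1:
            headers["Authorization"] = FAKE_TOKEN  # answer the server's challenge
        conn.request("POST", "/AccountScreen.svc", body=SOAP_BODY, headers=headers)
        resp = conn.getresponse()
        resp.read()  # consume the body so the connection can be reused
        trace.append({
            "status": resp.status,
            # http.client joins repeated headers with ", " -> "Negotiate, NTLM"
            "www_authenticate": resp.getheader("WWW-Authenticate"),
            "sent_authorization": "Authorization" in headers,
        })
        if resp.status != 401:
            break
    conn.close()
    return trace


def demo():
    """Start the stand-in server, run both calls, return the per-call trace."""
    server = start_server()
    try:
        return run_exchange(server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for i, hop in enumerate(demo(), 1):
        print(f"call {i}: status={hop['status']} "
              f"WWW-Authenticate={hop['www_authenticate']} "
              f"Authorization sent={hop['sent_authorization']}")
```

Running it prints one line per call: the first with status 401 and `WWW-Authenticate: Negotiate, NTLM`, the second with status 200. The first call is the server asking which credentials to expect, which is why it is unavoidable when the client has not yet been told the resource is protected.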