wsHttpBinding not working with IIS NT Authentication

Question

I'm trying to host a WCF service with wsHttpBinding on IIS server with Integrated Windows Authentication enabled. But for some reason i'm unable to get this working.

Even the GettingStarted (WCF_WF_CardSpace_Samples\WCF\Basic\GettingStarted) example provided with WCF samples is not working if i enable Windows Authentication.

It would be of great help if anyone can provide me with a sample app or the minimum configuration required at the service and client application to get this working.

Thanks!

Answer 1

Hi,

 First, please provide us with what kind of errors exception you get when you try to use your service.

 --larsw

Answer 2

I'm getting the below error when i try to open the service in web browser.

Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

And because of this i'm unable to add Service Reference in my client app. Below is the configuration of my service (which is default when i create a new WCF service website)

  <system.serviceModel>
    <services>
      <service name="Service" behaviorConfiguration="ServiceBehavior">
        <!-- Service Endpoints -->
        <endpoint address="" binding="wsHttpBinding" contract="IService">
          <!--
              Upon deployment, the following identity element should be removed or replaced to reflect the
              identity under which the deployed service runs.  If removed, WCF will infer an appropriate identity
              automatically.
          -->
          <identity>
            <dns value="localhost"/>
          </identity>
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

Answer 3

WSHttpBinding will try and perform an internal negotiate at the SSP layer.  In order for this to be successful, you will need to allow anonymous in IIS for the VDir.  WCF will then by default perfrom an SPNEGO for window credentials.  Allowing anonymous at IIS layer is not allowing anyone in, it is deferring to the WCF stack.

Answer 4

We have set        
wsHttpBinding
<binding name="authBinding">
          <security mode="Message">
            <transport clientCredentialType="Windows" />
            <message clientCredentialType="Windows" />
          </security>
        </binding>
And set anonymous (required by wcf) and windows integrated auth (what we want) on virtual directory and set in web.config
    <authentication mode="Windows" />
    <authorization>
      <deny users="*"/>
    </authorization>
but it is not working (we don't get the acces denied), but the server happily servers all the requests.
Is there any way to have  wsHttpBinding without certificates and be able to set (and be used by iis) the authorization tag?
Best regards, Cristian.