 

Why is Anonymous Access Required to Host WCF in IIS?

  • Wednesday, February 07, 2007 6:54 PM Rick G. Garibay MVP
     

    I've read through various posts trying to understand why the virtual directory that hosts the .svc file must be set to anonymous and I have not found any concrete answers.

    One post suggested that WCF does all of the authentication itself, which makes perfect sense, but I want to make sure I understand the implications of IIS hosting with anonymous enabled. What this would mean to me is that when using Windows authentication on client and server, IIS authentication is taken out of the picture completely?

    If so, then how does the WindowsPrincipal get passed/set from the client to the service?

    I understand that enabling ASPNET compat is an option, but this isn't something I want to do.

    TIA,

    Rick

Answers

  • Wednesday, February 07, 2007 8:34 PM Wenlong Dong - MSFT
     Answer

    Hi Rick, it is not true that you have to enable anonymous in order to host WCF in IIS. There are some restrictions when you configure bindings though. The basic principle is that: the settings for the WCF binding should be compatible with IIS settings. This means that if you want to enable transport layer authentication in the binding, you have to do so to the virtual application in IIS. For example, when you use BasicHttpBinding, you can enable the transport layer auth by setting the security Mode to "TransportCredentialOnly". You can disable IIS anonymous auth in this case.

    However, there is one special case: if you are using WSHttpBinding over HTTP instead of HTTPS, you would have to enable anonymous in IIS. This is because none of the security modes for WSHttpBinding allows you to configure transport-layer authentication over HTTP, which has been implemented in BasicHttpBinding. Of course, you can solve this by using either BasicHttpBinding or CustomBinding. This is not a limitation. Instead it tries to reduce confusion since you would use either SSL (as transport layer security) or message security with WSHttpBinding.
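
The two cases from the answer above, written out as a `web.config` sketch (an added example, not part of the original post or taken from Microsoft's samples). The service and contract names `Example.AlarmService` and `Example.IAlarm` and the binding names are placeholders.

```xml
<system.serviceModel>
  <bindings>
    <!-- Case 1: transport-layer authentication over plain HTTP.
         Matching IIS setting: Integrated Windows authentication ON,
         anonymous access OFF.
         Caveat: TransportCredentialOnly authenticates the caller but does
         not encrypt or sign the messages; use it only on a trusted network,
         or switch to mode="Transport" over HTTPS. -->
    <basicHttpBinding>
      <binding name="WindowsAuthOverHttp">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>

    <!-- Case 2: WSHttpBinding over HTTP with message security.
         WCF authenticates the caller inside the SOAP message, so IIS must
         not demand transport credentials.
         Matching IIS setting: anonymous access ON. -->
    <wsHttpBinding>
      <binding name="MessageSecurityOverHttp">
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <services>
    <!-- Placeholder service. The endpoint below uses case 1; pointing it at
         wsHttpBinding / MessageSecurityOverHttp instead requires flipping
         the IIS anonymous setting, because the two cases need opposite
         values for it. -->
    <service name="Example.AlarmService">
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="WindowsAuthOverHttp"
                contract="Example.IAlarm" />
    </service>
  </services>
</system.serviceModel>
```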

     

All Replies

  • Wednesday, February 07, 2007 7:10 PM KjellSJ
     
    This post by Wenlong Dong should explain the relation between WCF and IIS wrt authentication and also how to get the identity of the caller: http://blogs.msdn.com/wenlong/archive/2006/12/01/impersonation-with-double-identities.aspx

    The IIS "directory security" settings only relate to transport level security (authentication). If you use message level security mode and authentication, WCF will at startup check that the IIS settings are not conflicting with the WCF config when activating the host. You can then get either "anonymous must be enabled" (non-transport credentials) or "must be turned off" (transport credentials).

    KjellSJ
  • Thursday, February 08, 2007 1:11 PM Rick G. Garibay MVP
     
    Thank you, I think there was an error in my binding that was causing the problem. I will test and confirm.
  • Friday, November 30, 2007 3:07 PM Serge Calderara

    Hello,

     

    I have found this post, which I am interested in because I am in such a situation where I have a WCF service which is hosted under IIS (as WAS) and used with netTcpBinding.

    I have noticed that I can reach my service only if Anonymous is enabled on IIS. Can I remove this Anonymous for my case?

     

    My config file is as follows on the server side:

     

    Code Block


       
       
           
             
               
               
             
           
         

       

     

     

    Then from client side

     

    Code Block
    <netTcpBinding>
      <binding name="NetTcpBinding_IAlarm">
        <security mode="Transport">
          <transport clientCredentialType="Windows"/>
        </security>
      </binding>
    </netTcpBinding>

     

     

    Thanks for your help

     

    regards

    serge

  • Tuesday, January 20, 2009 9:20 PM AllanRoy
     

    This would mean that SSL is used, right?

     

    allan