WCF Service hosted in IIS 7 using basicHttpBinding and TransportCredentialOnly fails

  • Question

  • I am trying to configure a basic IIS 7 hosted WCF service that uses Windows Authentication to authorize users. I have seen many examples that demonstrate how to flow credentials using basicHttpBinding with <security mode="TransportCredentialOnly"> and SSL. However, when I configure my service to use TransportCredentialOnly, I get the following error if I try to view the svc file in IE:

    Could not find a base address that matches scheme http for the endpoint with binding BasicHttpBinding. Registered base address schemes are [https].

    I am hosting in IIS 7. SSL is configured with a valid certificate. Windows Authentication is enabled. Anonymous authentication is disabled. The application pool is ASP.NET v4.0 running under the ApplicationPoolIdentity.

    Here is the config file for my service:

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <compilation debug="true" targetFramework="4.0" />
        <authentication mode="Windows" />
        <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
        </roleManager>
      </system.web>
      <system.serviceModel>
        <behaviors>
          <serviceBehaviors>
            <behavior name="svcTest" >
              <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"  />
              <serviceDebug includeExceptionDetailInFaults="true" httpsHelpPageEnabled="true" httpHelpPageEnabled="false" />
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <bindings>
          <basicHttpBinding>
            <binding name="BasicHttpEndpointBinding">
              <security  mode="TransportCredentialOnly">
                <transport clientCredentialType="Windows"/>
              </security>
            </binding>
          </basicHttpBinding>
        </bindings>
        <services>
          <service name="WCF_Test.Service1" behaviorConfiguration="svcTest">
            <endpoint name ="Service1Endpoint"
                      address="EndpointTest"
                      binding="basicHttpBinding"
                      bindingConfiguration="BasicHttpEndpointBinding"
                      contract="WCF_Test.IService1">
            </endpoint>
          </service>
        </services>
        <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
      </system.serviceModel>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true"/>
      </system.webServer>
    </configuration>

    If I change the binding to use Transport instead of TransportCredentialOnly then I am able to view my service file in IE. I can then create a proxy to my web client and call a method on the service from my client and attempt to authorize the user from the service method using this code:

    if(System.Web.Security.Roles.IsUserInRole(@"Admins"))

    This code does not work because it uses the identity of the account running IIS on the server (IIS APPPOOL\ASP.NET v4.0) and not that of the user calling the web service from a web page.

    1. How do I configure IIS 7 with a valid SSL certificate to use basicHttpBinding with security mode="TransportCredentialOnly"?

    2. How do I flow my users' Windows credentials from the client to the web service so I can authorize users on the web service using this code?

      [PrincipalPermission(SecurityAction.Demand, Role = "Admins")]

    or this code

    if(System.Web.Security.Roles.IsUserInRole(@"Admins"))

    Any help would be greatly appreciated.

    Thank You

    Wednesday, February 6, 2013 9:54 PM
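
Added example (not part of the original post and not Microsoft code): a Python check that reads the `basicHttpBinding` security mode of each endpoint, derives the URI scheme that mode needs, and flags the mismatch behind the error quoted in the question, plus the fact that TransportCredentialOnly authenticates over HTTP with no transport encryption. The function name, the finding labels and the `site_schemes` input (the schemes bound to the IIS site) are assumptions; the sample config is constructed from the question's web.config.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the binding and endpoint from the question's web.config.
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpEndpointBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WCF_Test.Service1">
        <endpoint name="Service1Endpoint" address="EndpointTest" binding="basicHttpBinding"
                  bindingConfiguration="BasicHttpEndpointBinding" contract="WCF_Test.IService1"/>
      </service>
    </services>
  </system.serviceModel>
</configuration>"""

# basicHttpBinding security modes that run over HTTPS; every other mode uses plain HTTP.
HTTPS_MODES = {"Transport", "TransportWithMessageCredential"}

def audit_basic_http_endpoints(config_xml, site_schemes):
    """Return (endpoint name, security mode, required scheme, findings) per endpoint."""
    root = ET.fromstring(config_xml)
    modes = {}
    for b in root.findall(".//basicHttpBinding/binding"):
        sec = b.find("security")
        modes[b.get("name")] = sec.get("mode", "None") if sec is not None else "None"
    results = []
    for ep in root.findall(".//service/endpoint"):
        if ep.get("binding") != "basicHttpBinding":
            continue
        mode = modes.get(ep.get("bindingConfiguration"), "None")
        scheme = "https" if mode in HTTPS_MODES else "http"
        findings = []
        if scheme not in site_schemes:
            findings.append("no-base-address")          # the activation error quoted in the question
        if mode == "TransportCredentialOnly":
            findings.append("no-transport-encryption")  # HTTP authentication only, no TLS
        results.append((ep.get("name"), mode, scheme, findings))
    return results

if __name__ == "__main__":
    for row in audit_basic_http_endpoints(SAMPLE_CONFIG, {"https"}):  # site has only an https binding
        print(row)
```
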

All replies