wsHttpBinding IIS Integrated Windows Authentication set up not working

  • Question

  • My WCF service is hosted on a Windows 2003 Server through IIS. I have installed a certificate on the server. The directory security for my virtual directory requires SSL (128-bit encryption not required), ignores certificates and uses 'Integrated Windows Authentication'.

    Here is my web.config

    <?xml version="1.0"?>
    <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
      <system.serviceModel>
        <services>
          <service behaviorConfiguration="credentialConfig" name="WCF.Server.FileTransfer.Services.FileTransfer">
            <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpBindingForFileTransfer" contract="WCF.Server.FileTransfer.Contracts.IFileTransfer"/>
          </service>
        </services>
        <bindings>
          <wsHttpBinding>
            <binding name="wsHttpBindingForFileTransfer">
              <security mode="Transport">
                <transport clientCredentialType="Windows"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior name="credentialConfig">
              <serviceCredentials>
                <windowsAuthentication allowAnonymousLogons="false" includeWindowsGroups="true"/>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>
      <system.web>
        <compilation debug="true"/>
        <customErrors mode="Off"/>
      </system.web>
    </configuration>

    Here is my client app.config

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.serviceModel>
        <behaviors>     
          <endpointBehaviors>
            <behavior name="credentialConfiguration">         
              <clientCredentials>
                <windows/>           
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>
        <bindings>
          <wsHttpBinding>
            <binding name="WSHttpBinding_IFileTransfer">
              <security mode="Transport">
                <transport clientCredentialType="Windows" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <client>
          <endpoint address="https://x.x.x.x/FileTransfer/FileTransfer.svc"
                    behaviorConfiguration="credentialConfiguration"
                    binding="wsHttpBinding"
                    bindingConfiguration="WSHttpBinding_IFileTransfer"
                    contract="WCF.Server.FileTransfer.Contracts.IFileTransfer"
                    name="wshttpEndpoint" />
        </client>
      </system.serviceModel>
    </configuration>

    I was getting "HTTP request is forbidden due to client authentication scheme 'Anonymous'". Now I get:

    "An error occurred while making the HTTP request. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server."


    Friday, December 22, 2006 7:29 PM

Answers

  • It seems like you might not have set up http.sys with the correct certificate.

    Something like the following is needed where :xx is the port # and the number after -h is the thumbprint of the cert.

        httpcfg set ssl -I 0.0.0.0:90 -f 2 -h a586fc83bd30d288d2c08067c03ca51258c94e32

    Look for a return of :

        HttpSetServiceConfiguration completed with 0.

    Monday, December 25, 2006 6:16 AM
  • This is the binding that you need to pass on the Windows credentials. I have tested the transport security sample with the SDK and set up SSL on IIS.
    Make sure that your cert can be trusted by the process; the snippet below from the sample helps you to do that.

        PermissiveCertificatePolicy.Enact("CN=ServiceModelSamples-HTTPS-Server");

    The sample explains how you can do it: http://msdn2.microsoft.com/en-us/library/ms751427.aspx

    The binding you need requires transport credentials as None, because SSL in IIS and the https URL will handle that between the client and the service; your security mode would be TransportWithMessageCredential. Make sure that the client also has the same binding. Check the certificate that you have set on IIS. The sample has the setup script to add the certificate and set the certificate in the SSL settings of the main website in IIS < 7; on IIS 7 you have to set it by editing the bindings on the web site, which will enable you to set the SSL certificate.


        <services>
          <service
              name="Microsoft.ServiceModel.Samples.CalculatorService"
              behaviorConfiguration="CalculatorServiceBehavior">
            <!-- this endpoint is exposed at the base address provided by host:
                 https://localhost/servicemodelsamples/service.svc -->
            <endpoint address=""
                      binding="wsHttpBinding"
                      bindingConfiguration="Binding1"
                      contract="Microsoft.ServiceModel.Samples.ICalculator" />
          </service>
        </services>

        <bindings>
          <wsHttpBinding>
            <!-- configure wsHttp binding with TransportWithMessageCredential security mode:
                 transport clientCredentialType None (SSL only), message clientCredentialType Windows -->
            <binding name="Binding1">
              <security mode="TransportWithMessageCredential">
                <message clientCredentialType="Windows"/>
                <transport clientCredentialType="None"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>

    I have uploaded 2 samples; do check:

    http://blogs.msdn.com/sajay/archive/2006/12/30/transportwithmessagecredentials-i-need-to-know-who-s-knocking-on-my-door.aspx

    Let me know if this helps.

    Saturday, December 30, 2006 4:11 PM
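As an added example (not code from the thread or from the SDK sample), the TransportWithMessageCredential binding from the answer above built in code, with a client that relies on a trusted server certificate instead of PermissiveCertificatePolicy and a service-side check that the caller's Windows identity actually came from the message layer. The ICallerInfo contract, its GetCallerName operation and the class names are assumed stand-ins for the thread's IFileTransfer.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract standing in for the thread's IFileTransfer.
[ServiceContract]
public interface ICallerInfo
{
    [OperationContract]
    string GetCallerName();
}

public static class FileTransferBinding
{
    // Code equivalent of the accepted answer's config: transport None, message Windows.
    // SSL authenticates the server; the Windows credential travels inside the message,
    // so IIS only needs Anonymous access on the vdir (the setting the OP ended up with).
    public static WSHttpBinding Create()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return binding;
    }

    // Client side: no PermissiveCertificatePolicy; the server certificate must chain to a
    // root the client trusts, and the process's Windows token is used by default.
    public static string CallOverHttps(string httpsUrl)
    {
        var factory = new ChannelFactory<ICallerInfo>(Create(), new EndpointAddress(httpsUrl));
        try { return factory.CreateChannel().GetCallerName(); }
        finally { factory.Close(); }
    }
}

public class CallerInfoService : ICallerInfo
{
    public string GetCallerName()
    {
        // Identity established by the message-layer Windows credential; anonymous here means
        // the SSL transport accepted the request but nobody authenticated.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        WindowsIdentity id = ctx == null ? null : ctx.WindowsIdentity;
        if (id == null || id.IsAnonymous || !id.IsAuthenticated)
            throw new FaultException("Caller not authenticated at the message layer.");
        return id.Name;
    }
}
```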

All replies

  • You need to use SSL for transport security.

    You can use security mode as message and enable integrated auth on the website. Also enable anonymous auth on the website.

          <wsHttpBinding>
            <!--
            The default security for the WSHttpBinding is Message security using Windows authentication.
            This configuration explicitly defines the security mode as Message and
            the clientCredentialType as Windows for demonstration purposes.
            -->
            <binding name="Binding1">
              <security mode="Message">
                <message clientCredentialType="Windows"/>
              </security>
            </binding>
          </wsHttpBinding>

    Check the security sample in the SDK: http://msdn2.microsoft.com/en-us/library/ms752237.aspx

    Saturday, December 23, 2006 3:35 AM
  • I ran the httpcfg command on the server (and got the expected return of HttpSetServiceConfiguration completed with 0).

    httpcfg set ssl -i x.x.x.x:443 -f 2 -h thumbprint

    I continue to get the error. "An error occurred...This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server."

    I have even tried using basicHttpBinding. Doesn't work.

    I have also tried exporting the server certificate onto the client machine and installing it in Personal as well as Trusted Root Cert.

    I have also tried enabling client certificate mapping on the server specifying the cert and client username password.


    Wednesday, December 27, 2006 6:56 PM
  • Hi Sajay

    I tried the binding but I continue to get the same error. "An error occurred while making the HTTP request to https://x.x.x.x/FileTransfer/FileTransfer.svc. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server."

    My web.config is as follows:

    <?xml version="1.0"?>
    <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
      <system.serviceModel>
        <services>
          <service behaviorConfiguration="credentialConfig" name="WCF.Server.FileTransfer.Services.FileTransfer">
            <endpoint address=""
                      binding="wsHttpBinding"
                      bindingConfiguration="wsHttpBindingForFileTransfer"
                      contract="WCF.Server.FileTransfer.Contracts.IFileTransfer"/>
          </service>
        </services>
        <bindings>
          <wsHttpBinding>
            <binding name="wsHttpBindingForFileTransfer">
              <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="None"/>
                <message clientCredentialType="Windows"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior name="credentialConfig">
              <serviceDebug includeExceptionDetailInFaults="true"/>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>
      <system.web>
        <compilation debug="true"/>
        <customErrors mode="Off"/>
      </system.web>
    </configuration>

    My client app.config is as follows:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.serviceModel>
        <bindings>
          <wsHttpBinding>
            <binding name="wsHttpBinding_IFileTransfer">
              <security mode="TransportWithMessageCredential">
                <message clientCredentialType="Windows"/>
                <transport clientCredentialType="None"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <client>
          <!-- the address attribute value must be quoted -->
          <endpoint address="https://x.x.x.x/FileTransfer/FileTransfer.svc"
                    bindingConfiguration="wsHttpBinding_IFileTransfer"
                    binding="wsHttpBinding"
                    contract="WCF.Server.FileTransfer.Contracts.IFileTransfer"
                    name="FileTransferEndpoint" />
        </client>
      </system.serviceModel>
    </configuration>


    The client does not use a proxy. See client code:

    try
    {
        PermissiveCertificatePolicy.Enact("CN=ABCDEF");

        IFileTransfer svc = null;
        // "FileTransferEndpoint" is the endpoint name from the client app.config above
        using (ChannelFactory<IFileTransfer> httpFactory
            = new ChannelFactory<IFileTransfer>("FileTransferEndpoint"))
        {
            svc = httpFactory.CreateChannel();
            FileTransferObject fo = svc.GetID();

            StringBuilder s = new StringBuilder();
            s.Append(textBox1.Text);
            s.AppendLine();
            s.Append(fo.ID.ToString());
            textBox1.Text = s.ToString();
        }
    }
    catch (Exception ex)
    {
        textBox1.Text = ex.Message;
    }


    The certificate I used was generated using the IIS 6.0 Resource Tools' SelfSSL utility. The virtual dir I am using shows the certificate as installed. I even installed the certificate on the client machine in Trusted Root Certificates. I even ran httpcfg.exe to set up the certificate in http.sys. If I run "httpcfg query ssl", I get 2 entries back; one with my server's IP address, port 443 and the certificate's thumbprint.

    FYI, IIS has only 'Windows Authentication' checked, 'Anonymous' is unchecked. SSL required is checked. No client cert mapping is done.


    Tuesday, January 2, 2007 3:55 PM
  • I deleted the certificate I had installed on the server and client using IIS 6.0 Resource Tools' SelfSSL utility. I ran the cleanup.bat and setup.bat and my server now has the ServiceModelSamples-HTTPS-Server certificate. I installed this certificate on the server as well as on the client machine in 'Trusted Root Cert Authorities'

    I continued to get the error mentioned in my previous post. I then ran the following command:

    httpcfg set ssl /i x.x.x.x:443 /h thumbprint (ran with error code 0)

    Now I get the following error:

    The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.

    IIS Settings continue to be as follows:

    The virtual dir has Anonymous unchecked and only Windows auth checked. SSL is required, 128-bit encryption is not required, client certs are ignored, and there is no client cert mapping.

    Tuesday, January 2, 2007 5:01 PM
  • I got it to work!!!

    I checked 'Anonymous Access' and unchecked 'Windows Authentication' on my virtual directory. That did it!

    Thanks much for your help, fellas!!!

    Tuesday, January 2, 2007 6:39 PM
  • Hi,

    If a service needs Windows Authentication, I uncheck Anonymous Access and check Integrated Windows Security, and the service throws an exception. How do we resolve this issue? Also, I need to provide Windows Authentication in the service using the configuration files only and not code.
    Monday, December 3, 2007 9:54 AM
  • Have a look here: http://dkturner.blogspot.com/2007/12/wcf-services-alongside-legacy-asmx.html


    This is how I got WCF to work side-by-side with existing asmx services hosted on IIS 6 on a Win2k3 box. Transaction flow and authentication (NTLM auth in my particular case, but it should work just fine for Kerberos too) are achieved without using SSL.


    Wednesday, December 5, 2007 8:37 PM