Enable certificate authentication only. Disable anonymous authentication.

  • Question

  • I have a web service and am attempting to use Client Certificate Authentication and manage each client using IIS 7.5 One-to-One Mapping. I also want to disable all other methods, including anonymous authentication. My web service is working but only if I also enable Anonymous Authentication (thus negating the certificate portion of authentication altogether).

    I have:
    On server 2008 R2, using IIS 7.5, Anonymous Authentication disabled at the site level.
    Web service's web.config:
    wsHttpBinding security mode = Transport
    transport clientCredentialType = Certificate
    Which results in the following error:
    Exception Details: System.NotSupportedException: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.
     
    I believe the key here is "service" configuration versus the "host" configuration. Is this correct? Do I have a mismatch?
    If I change the "host" configuration, if I change IIS Anonymous Authentication to enabled, then the service comes up as expected.
    Is there a similar setting in the "service" configuration I am supposed to set? Where? What?
     
    If I navigate to my WSDL, I find this:
    <wsp:ExactlyOne>
    <wsp:All>
    <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     
    And in an attempt to find if that xmlsoap securitypolicy is appropriate for Transport security (certificates), I find this:
    https://msdn.microsoft.com/en-us/library/aa702746(v=vs.110).aspx  which lists several policies to choose from.
     
    Do I need to add an additional security policy and/or remove a policy to the WSDL so that I can enable Certificate Authentication and disable Anonymous Authentication?

    How do I set only Certificate Authentication for my web service?

    Thank you!
    Tuesday, October 6, 2015 9:18 PM

Answers

  • The key to solving this was to enable anonymous authentication but to restrict authorization. Also key was the two changes made within applicationHost.config.

    Here is a summary of the settings required.

    IIS Site settings in INETMGR.exe

    Authentication

    Anonymous Authentication = Enabled (all others Disabled)

    Authorization Rules

    Mode Deny, Users = All Anonymous Users

    Mode Allow, Specified Roles or User Groups = (my Group containing my service users)

    SSL Settings

    Require SSL, checked

    Client Certificates, Require

    Management - Configuration Editor

    Section: system.webServer/security/authentication/iisClientCertificateMappingAuthentication

    From: ApplicationHost.config <location path='(myService)' />

    oneToOneCertificateMappingsEnabled = True

    oneToOneMappings = (Count=some number based on client entries) mappings include the x.509 blob for each client

    web.config - three sections of concern

    <system.serviceModel>
        <behaviors>…</behaviors>
        <bindings>
            <wsHttpBinding>
                <binding name="…">
                    <security mode="Transport">
                        <transport clientCredentialType="Certificate" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
    </system.serviceModel>

    <system.web>
        <identity impersonate="false" /> <!-- change to false -->
        <authentication mode="Windows" /> <!-- https://msdn.microsoft.com/en-us/library/system.web.configuration.authenticationmode(v=vs.110).aspx -->
    </system.web>

    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" userName="IUSR" />
            </authentication>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" users="" roles="(my Group containing my service users)" /> <!-- manually added: users="" -->
                <add accessType="Deny" users="?" />
            </authorization>
        </security>
    </system.webServer>

    applicationHost.config - two sections of concern

    <configuration>
        <configSections>
            <sectionGroup name="system.webServer">
                <sectionGroup name="security">
                    <sectionGroup name="authentication">
                        <section name="anonymousAuthentication" overrideModeDefault="Allow" /> <!-- change from Deny -->
                    </sectionGroup>
                </sectionGroup>
            </sectionGroup>
        </configSections>

        <location path="" overrideMode="Allow">
            <system.webServer>
                <modules>
                    <add name="AnonymousAuthenticationModule" lockItem="false" /> <!-- change from true -->
                </modules>
            </system.webServer>
        </location>
    </configuration>

    • Marked as answer by JRyan501 Tuesday, October 27, 2015 8:12 PM
    Tuesday, October 27, 2015 8:12 PM
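The accepted answer's settings, scripted as an added example (this is not code from the thread, from the poster, or from Microsoft): the WebAdministration cmdlets write the same values the answer sets through INETMGR and Configuration Editor, and a final check shows the property that matters here, that with Anonymous Authentication enabled in IIS a request still fails unless it presents a mapped client certificate, because SslRequireCert rejects it at the TLS handshake and anything not mapped to a Windows account falls through to anonymous and is denied by the "?" rule. Site name, application name, group, mapped account, .cer path and service URL are assumed placeholders; the answer's lockItem="false" edit on AnonymousAuthenticationModule is not scripted. The check needs PowerShell 3.0 or later for Invoke-WebRequest and must run on a client that holds the private key for the mapped certificate.

```powershell
# Added example, not code from the thread: the accepted answer's IIS settings
# applied with the WebAdministration module, then a client-side check.
# Assumed values: site, application, group, mapped account, .cer path, URL.
# Needs the "IIS Client Certificate Mapping Authentication" role service and,
# for the check, PowerShell 3.0+ (Invoke-WebRequest).
Import-Module WebAdministration

$Site          = 'Default Web Site'                 # assumed
$App           = 'MyService'                        # assumed
$Location      = "$Site/$App"                       # writes land in a <location> in applicationHost.config
$Group         = 'CONTOSO\MyServiceClients'         # assumed: group that contains the mapped accounts
$MapUser       = 'CONTOSO\svc-client01'             # assumed: account the client certificate maps to
$ClientCerFile = 'C:\certs\client01.cer'            # assumed: client certificate, public part only
$ServiceUrl    = "https://service.contoso.com/$App/Service.svc"   # assumed

$auth  = '/system.webServer/security/authentication'
$authz = '/system.webServer/security/authorization'
$map   = "$auth/iisClientCertificateMappingAuthentication"

# 1. Unlock anonymousAuthentication so the application's web.config may carry the
#    element (same effect as overrideModeDefault="Allow" in applicationHost.config).
Set-WebConfiguration -Filter "$auth/anonymousAuthentication" -Metadata overrideMode -Value Allow -PSPath 'IIS:\'

# 2. Authentication: Anonymous enabled, the others disabled. WCF Transport/Certificate
#    refuses to start unless IIS lets the request through anonymously; the certificate
#    is enforced at the TLS layer (step 3), not by an IIS authentication scheme.
Set-WebConfigurationProperty -Filter "$auth/anonymousAuthentication" -Name enabled -Value $true  -PSPath 'IIS:\' -Location $Location
Set-WebConfigurationProperty -Filter "$auth/windowsAuthentication"   -Name enabled -Value $false -PSPath 'IIS:\' -Location $Location
Set-WebConfigurationProperty -Filter "$auth/basicAuthentication"     -Name enabled -Value $false -PSPath 'IIS:\' -Location $Location

# 3. SSL settings: Require SSL + Client Certificates: Require.
Set-WebConfigurationProperty -Filter '/system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert' -PSPath 'IIS:\' -Location $Location

# 4. URL authorization: drop the inherited allow-all rule, allow the group, deny anonymous ("?").
#    A certificate that is not mapped in step 5 arrives as anonymous and is denied here.
Remove-WebConfigurationProperty -Filter $authz -Name . -AtElement @{users='*'; roles=''; verbs=''} -PSPath 'IIS:\' -Location $Location
Add-WebConfigurationProperty    -Filter $authz -Name . -Value @{accessType='Allow'; users=''; roles=$Group} -PSPath 'IIS:\' -Location $Location
Add-WebConfigurationProperty    -Filter $authz -Name . -Value @{accessType='Deny';  users='?'}              -PSPath 'IIS:\' -Location $Location

# 5. One-to-one mapping: this exact certificate -> $MapUser (the account must be in $Group).
#    IIS encrypts the password attribute when it writes applicationHost.config.
$cer  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ClientCerFile
$b64  = [Convert]::ToBase64String($cer.RawData)
$secure = Read-Host -AsSecureString "Password for $MapUser"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
Set-WebConfigurationProperty -Filter $map -Name enabled                            -Value $true  -PSPath 'IIS:\' -Location $Location
Set-WebConfigurationProperty -Filter $map -Name oneToOneCertificateMappingsEnabled  -Value $true  -PSPath 'IIS:\' -Location $Location
Set-WebConfigurationProperty -Filter $map -Name manyToOneCertificateMappingsEnabled -Value $false -PSPath 'IIS:\' -Location $Location
Add-WebConfigurationProperty -Filter "$map/oneToOneMappings" -Name . `
    -Value @{enabled=$true; userName=$MapUser; password=$plain; certificate=$b64} -PSPath 'IIS:\' -Location $Location
Remove-Variable plain

# 6. Check (run on a client that holds the private key for $ClientCerFile):
#    no certificate -> 403 (IIS 403.7, client certificate required); mapped certificate -> 200.
function Test-ServiceAccess {
    param([string]$Url, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $r = if ($Cert) { Invoke-WebRequest -Uri $Url -Certificate $Cert -UseBasicParsing }
             else       { Invoke-WebRequest -Uri $Url -UseBasicParsing }
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}
$clientCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $cer.Thumbprint -and $_.HasPrivateKey }
'Without certificate: {0}' -f (Test-ServiceAccess -Url $ServiceUrl)
'With certificate:    {0}' -f (Test-ServiceAccess -Url $ServiceUrl -Cert $clientCert)
```

The unlock in step 1 is server-wide (it is what the answer's overrideModeDefault="Allow" edit does); the per-site settings use -Location so they are written into applicationHost.config rather than the application's web.config, which is also why steps 2 to 5 do not need the unlock themselves. A third check worth adding in practice is a certificate that chains correctly but is not in the oneToOneMappings list: it passes the TLS handshake and should then be refused by the Deny "?" rule, which confirms that authorization, not just SslRequireCert, is doing its part.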

All replies

  • Hi,

    Please make sure that you set https binding for the site and install certificate successfully. For more information, please refer to the sample:

    https://msdn.microsoft.com/en-us/library/ff650785.aspx

    http://itq.nl/testing-with-client-certificate-authentication-in-a-development-environment-on-iis-8-5/



    Wednesday, October 7, 2015 8:34 AM
  • Thank you for helping, Pengzhen.
    My web service in IIS 7.5 is bound to port 443 and is using an SSL certificate. Also, in Configuration Editor I have client certificate mapping properly configured. The SSL certificate and certificate chain, and the client x.509 certificates are installed properly.
    My WSHttpBinding is configured as mentioned previously (Transport and Certificate) and with the guide found here: https://msdn.microsoft.com/en-us/library/ms731074(v=vs.110).aspx
    The problem seems to be that my web service itself is configured somewhere to require anonymous authentication. The host, my IIS settings and my web.config, seem to be good for certificates.
    Any help finding where to disable anonymous authentication in my web service is appreciated.
    Wednesday, October 7, 2015 4:48 PM
  • Hi,

    You can add the following setting in the web.config of the web service:

     <system.webServer>
          <security>
             <authentication>
                <anonymousAuthentication enabled="false" />
               xxxxxx
              </authentication>
          </security>
       </system.webServer>
    

    • Proposed as answer by Grady_DongModerator Monday, October 19, 2015 5:18 AM
    • Marked as answer by Grady_DongModerator Thursday, October 22, 2015 2:27 AM
    • Unmarked as answer by JRyan501 Tuesday, October 27, 2015 8:08 PM
    • Unproposed as answer by JRyan501 Tuesday, October 27, 2015 8:08 PM
    Friday, October 16, 2015 9:16 AM
    Moderator
  • Thank you for your reply Tracy. It turns out that item should be "true". Please see my final findings. Thanks.
    Tuesday, October 27, 2015 8:10 PM