wsHttpBinding with Windows Authentication and Message Security

  • Question

  • Hello,

    I want to accomplish wsHttpBinding with Windows Authentication and Message Security. I've created a test service and deployed on Windows Server 2008 and IIS 7.5.

    The virtual directory has been assigned an application pool running under custom account domain\username. Only Windows Authentication is enabled on the virtual directory (I DON'T want anonymous access enabled).

    I keep getting this error "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service."

    Below is my server config file. I've followed the instructions at http://msdn.microsoft.com/en-us/library/ff650619.aspx

     <wsHttpBinding>
       <binding name="NewBinding0">
         <security mode="Message">
           <transport clientCredentialType="Windows"></transport>
         </security>
       </binding>
     </wsHttpBinding>

    I tried adding this line also <message negotiateServiceCredential="false" /> by toggling the value. No luck :(

    I've also removed mex binding settings from my config. What am I missing?

    Should I follow these instructions:
    Setspn -a HTTP/machinename domain\username as my application pool is running under custom domain account.

    Any help & thoughts are appreciated.


    KAV
    Thursday, September 23, 2010 7:50 PM

Answers

  • The same logic applies to basicHttp and wsHttp. You are welcome to publish your basic http config.

    Think of asp.net forms authentication. IIS allows anonymous but the application will do the authentication instead. The same goes here - WCF will enforce the users to have windows identity.


    http://webservices20.blogspot.com/
    WCF Security, Interoperability And Performance Blog
    Thursday, September 23, 2010 11:11 PM
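
The arrangement the answer describes, as an added example that is not part of the original thread: a web.config in which IIS lets the HTTP request through anonymously while the wsHttpBinding requires a Windows credential inside the message. The binding, service and contract names are hypothetical.

```xml
<!-- Added example. Example.TestService, Example.ITestService and the
     binding name "MessageWindows" are hypothetical. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="MessageWindows">
          <!-- In Message mode the HTTP transport carries no client
               credential, so a <transport> element has no effect here.
               The Windows credential is requested on <message>. -->
          <security mode="Message">
            <message clientCredentialType="Windows"
                     negotiateServiceCredential="true" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="Example.TestService">
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="MessageWindows"
                  contract="Example.ITestService" />
      </service>
    </services>
  </system.serviceModel>

  <system.webServer>
    <security>
      <authentication>
        <!-- Transport-level (IIS) setting that the error message in the
             question asks for. Callers are still authenticated, by WCF,
             from the Windows token carried in the SOAP message.
             These sections are locked by default in IIS 7.x; set them in
             IIS Manager or unlock them before using them in web.config. -->
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```
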

All replies

  • Configure anonymous auth instead of Windows in IIS.

    WCF will take care of not allowing anonymous users to enter. IIS settings are relevant for transport level security.


    http://webservices20.blogspot.com/
    WCF Security, Interoperability And Performance Blog
    Thursday, September 23, 2010 8:14 PM
  • Why is this behavior different from basicHttpBinding, which works purely on Win Auth when Anonymous is disabled?

    If I enable Anonymous, what is the purpose of keeping Win Auth? I'm not sure of the rationale behind it. Can you please explain? Is there any way to purely configure as Windows in IIS?


    KAV
    Thursday, September 23, 2010 8:19 PM
  • Is the below logic true? And does it hold with what you are saying?

    When using Message layer security (for authenticating the client) and IIS's "anonymous access" is used to authenticate the client at the transport layer, that is why you should allow anonymous access for this scenario.

    And for your question "why the client can still call the service" even if you haven't explicitly supplied the Windows credentials (via NetworkCredential), that is because the WCF client proxy will use the current security context (from CredentialCache.DefaultNetworkCredentials) as the Windows authentication identity. For your service, you can print out the obtained client-side identity like this:

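     // Requires: using System; using System.ServiceModel;
     public void DoWork()
     {
         // Name of the Windows identity WCF established for the caller
         Console.WriteLine(ServiceSecurityContext.Current.WindowsIdentity.Name);
     }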

    KAV
    Thursday, September 23, 2010 8:29 PM
  • Can you point me toward some documentation which explains that in a format a client could understand? We are looking to get our client to accept wsHttp which we want to use for things like reliable messaging, but their current IT policy prohibits anonymous access in IIS, which is a requirement for wsHttpBinding.

    Thanks

    Gineer


    Gineer
    Wednesday, October 27, 2010 1:18 PM
  • I suggest you download the WCF SDK - it has some good WCF samples:

    http://msdn.microsoft.com/en-us/library/ms751450(VS.90).aspx


    http://webservices20.blogspot.com/
    WCF Security, Interoperability And Performance Blog
    Wednesday, October 27, 2010 6:00 PM