none
wsHttpBinding not working with IIS NT Authentication RRS feed

  • Question

  • I'm trying to host a WCF service with wsHttpBinding on IIS server with Integrated Windows Authentication enabled. But for some reason i'm unable to get this working.

    Even the GettingStarted (WCF_WF_CardSpace_Samples\WCF\Basic\GettingStarted) example provided with WCF samples is not working if i enable Windows Authentication.

    It would be of great help if anyone can provide me with a sample app or the minimum configuration required at the service and client application to get this working.

    Thanks!
    Monday, July 7, 2008 7:16 PM

Answers

  • WSHttpBinding will try and perform an internal negotiate at the SSP layer.  In order for this to be successful, you will need to allow anonymous in IIS for the VDir.  WCF will then by default perfrom an SPNEGO for window credentials.  Allowing anonymous at IIS layer is not allowing anyone in, it is deferring to the WCF stack.

    Tuesday, July 8, 2008 3:23 AM

All replies

  • Hi,

     First, please provide us with what kind of errors exception you get when you try to use your service.

     --larsw
    Monday, July 7, 2008 7:23 PM
    Moderator
  • I'm getting the below error when i try to open the service in web browser.

    Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

    And because of this i'm unable to add Service Reference in my client app. Below is the configuration of my service (which is default when i create a new WCF service website)

      <system.serviceModel>
        <services>
          <service name="Service" behaviorConfiguration="ServiceBehavior">
            <!-- Service Endpoints -->
            <endpoint address="" binding="wsHttpBinding" contract="IService">
              <!--
                  Upon deployment, the following identity element should be removed or replaced to reflect the
                  identity under which the deployed service runs.  If removed, WCF will infer an appropriate identity
                  automatically.
              -->
              <identity>
                <dns value="localhost"/>
              </identity>
            </endpoint>
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
          </service>
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior name="ServiceBehavior">
              <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
              <serviceMetadata httpGetEnabled="true"/>
              <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
              <serviceDebug includeExceptionDetailInFaults="false"/>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>

    Monday, July 7, 2008 8:33 PM
  • WSHttpBinding will try and perform an internal negotiate at the SSP layer.  In order for this to be successful, you will need to allow anonymous in IIS for the VDir.  WCF will then by default perfrom an SPNEGO for window credentials.  Allowing anonymous at IIS layer is not allowing anyone in, it is deferring to the WCF stack.

    Tuesday, July 8, 2008 3:23 AM
  • We have set        
    wsHttpBinding
    <binding name="authBinding">
              <security mode="Message">
                <transport clientCredentialType="Windows" />
                <message clientCredentialType="Windows" />
              </security>
            </binding>
    And set anonymous (required by wcf) and windows integrated auth (what we want) on virtual directory and set in web.config
        <authentication mode="Windows" />
        <authorization>
          <deny users="*"/>
        </authorization>
    but it is not working (we don't get the acces denied), but the server happily servers all the requests.
    Is there any way to have  wsHttpBinding without certificates and be able to set (and be used by iis) the authorization tag?
    Best regards, Cristian.
    Monday, December 15, 2008 2:32 PM
  • If you want to secure your Metadata too. Then you need to replace

    <endpoint address="mex" binding="mexHttpBinding" name="MexHttpsBindingEndpoint" contract="IMetadataExchange" />

    with

    <

     

     

    endpoint address="mex" binding="mexHttpsBinding" name="MexHttpsBindingEndpoint" contract="IMetadataExchange" />

    I mean binding should be mexHttpsBinding for making metadata secured. and also you need to enabled Anonymous Authentication for the WCF dir inside IIS.

    the config file should be

    <

     

     

    system.serviceModel>

    <

     

     

    behaviors>

    <

     

     

    serviceBehaviors>

    <

     

     

    behavior name="Service1Behavior">

    <

     

     

    serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />

    <

     

     

    serviceDebug includeExceptionDetailInFaults="false" />

    </

     

     

    behavior>

    </

     

     

    serviceBehaviors>

    </

     

     

    behaviors>

     

    <

     

     

    services>

    <

     

     

    service name="Service1" behaviorConfiguration="Service1Behavior">

    <

     

     

    endpoint address="" binding="wsHttpBinding" bindingConfiguration="AuthenticatedBinding" contract="IService1">

    </

     

     

    endpoint>

    <

     

     

    endpoint address="mex" binding="mexHttpsBinding" name="MexHttpsBindingEndpoint" contract="IMetadataExchange" />

    </

     

     

    service>

    </

     

     

    services>

    <

     

     

    bindings>

    <

     

     

    wsHttpBinding>

    <

     

     

    binding name="AuthenticatedBinding">

    <

     

     

    security mode="Transport">

    </

     

     

    security>

    </

     

     

    binding>

    </

     

     

    wsHttpBinding>

    </

     

     

    bindings>

    </

     

     

    system.serviceModel>

    Friday, March 11, 2011 10:16 PM
  • Hi,

    I am also facing similar problem.

    I am using WebHttpBinding binding and unable to add servicerefernce to my client app.Please help

    Sunday, May 22, 2011 7:35 AM
  • Hello @Brent,

    Could you please provide a reference to an "official" Microsoft documentation stating this?
    I need to justify a decision, backing it up with MS signed text.

    THANKS A LOT!!
    Marcelo

    Wednesday, April 16, 2014 9:47 PM