Why is Anonymous Access Required to Host WCF in IIS?

    Question

  • I've read through various posts trying to understand why the virtual directory that hosts the .svc file must be set to anonymous and I have not found any concrete answers.

    One post suggested that WCF does all of the authentication itself, which makes perfect sense, but I want to make sure I understand the implications of IIS hosting with anonymous enabled. What this would mean to me is that when using Windows authentication on client and server, IIS authentication is taken out of the picture completely?

    If so, then how does the WindowsPrincipal get passed/set from the client to the service?

    I understand that enabling ASPNET compat is an option, but this isn't something I want to do.

    TIA,

    Rick

    Wednesday, February 7, 2007 6:54 PM

Answers

  • Hi Rick, it is not true that you have to enable anonymous in order to host WCF in IIS. There are some restrictions when you configure bindings though. The basic principle is that the settings for the WCF binding should be compatible with the IIS settings. This means that if you want to enable transport-layer authentication in the binding, you have to do so for the virtual application in IIS. For example, when you use BasicHttpBinding, you can enable transport-layer auth by setting the security Mode to "TransportCredentialOnly". You can disable IIS anonymous auth in this case.

    However, there is one special case: if you are using WSHttpBinding over HTTP instead of HTTPS, you would have to enable anonymous in IIS. This is because none of the security modes for WSHttpBinding allows you to configure transport-layer authentication over HTTP, which has been implemented in BasicHttpBinding. Of course, you can solve this by using either BasicHttpBinding or CustomBinding. This is not a limitation. Instead it tries to reduce confusion since you would use either SSL (as transport-layer security) or message security with WSHttpBinding.

    Wednesday, February 7, 2007 8:34 PM
    Moderator
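The matching rule from the answer above, written out as configuration. This is an added example, not code from the thread or from Microsoft: the service name Contoso.OrdersService, the contract Contoso.IOrders and the IIS application path "Default Web Site/Orders" are placeholders. The endpoint uses basicHttpBinding with TransportCredentialOnly and Windows credentials, so authentication happens on the HTTP request itself and IIS must have Windows authentication on and anonymous off; a wsHttpBinding with Message security is left in the bindings section for comparison, because an endpoint on it would need the opposite IIS setting. HTTP GET metadata is switched off because WSDL retrieval is an anonymous GET and would otherwise trip the activation check (the "require 'Anonymous' Authentication" error), which is also the cause a later reply in this thread ran into.

```xml
<!-- File 1: web.config of the IIS application that hosts Service.svc.
     Added example; all names are placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Transport-layer authentication over plain HTTP: the Windows
             credential rides on the HTTP request, so IIS itself must
             authenticate the caller. IIS: windowsAuthentication ON,
             anonymousAuthentication OFF (see File 2). -->
        <binding name="WindowsOverHttp">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
      <wsHttpBinding>
        <!-- Message-layer authentication over plain HTTP: the HTTP request
             is anonymous and the credential is inside the SOAP message.
             An endpoint on this binding needs anonymousAuthentication ON;
             with it OFF, activation fails with "Security settings for this
             service require 'Anonymous' Authentication but it is not
             enabled for the IIS application that hosts this service."
             Shown for comparison only; not used by the endpoint below. -->
        <binding name="WindowsInMessage">
          <security mode="Message">
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="Contoso.OrdersService" behaviorConfiguration="NoHttpMetadata">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="WindowsOverHttp"
                  contract="Contoso.IOrders" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="NoHttpMetadata">
          <!-- WSDL/mex over HTTP GET is served anonymously. With anonymous
               disabled in IIS it would fail the same activation check, so
               it is turned off here (or publish it on a separate,
               anonymous-enabled application instead). -->
          <serviceMetadata httpGetEnabled="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

<!-- File 2: the IIS side (IIS 7 and later), as a <location> in
     %windir%\System32\inetsrv\config\applicationHost.config. These two
     switches must agree with the binding chosen in File 1. -->
<location path="Default Web Site/Orders">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>
```

On IIS 6, the version current when this thread started, the two switches in File 2 are the "Directory Security" tab of the virtual directory. On IIS 7 and later the authentication section is locked at server level by default, which is why it is shown as a `<location>` in applicationHost.config rather than inside the application's own web.config; placing it in web.config requires unlocking the section first. Switching the endpoint to the WindowsInMessage binding means flipping both IIS values at the same time, otherwise the host will not activate.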

All replies

  • This post by Wenlong Dong should explain the relation between WCF and IIS wrt authentication and also how to get the identity of the caller: http://blogs.msdn.com/wenlong/archive/2006/12/01/impersonation-with-double-identities.aspx

    The IIS "directory security" settings only relate to transport-level security (authentication). If you use message-level security mode and authentication, WCF will at startup check that the IIS settings are not conflicting with the WCF config when activating the host. You can then get either "anonymous must be enabled" (non-transport credentials) or "must be turned off" (transport credentials).

    KjellSJ
    Wednesday, February 7, 2007 7:10 PM
  • Thank you, I think there was an error in my binding that was causing the problem. I will test and confirm.
    Thursday, February 8, 2007 1:11 PM
  • Hello,

    I have found this post, which I am interested in because I am in a situation where I have a WCF service which is hosted under IIS (WAS) and used with netTcpBinding.

    I have noticed that I can reach my service only if Anonymous is enabled on IIS. How can I remove this Anonymous in my case?

     

    My config file is as follows, from the server side:

     

    Code Block

    Then from the client side:

    Code Block
    <netTcpBinding>
      <binding name="NetTcpBinding_IAlarm">
        <security mode="Transport">
          <transport clientCredentialType="Windows"/>
        </security>
      </binding>
    </netTcpBinding>

    Thanks for your help


    regards

    serge

    Friday, November 30, 2007 3:07 PM
  • This would mean that SSL is used, right?


    allan

    Tuesday, January 20, 2009 9:20 PM
  • I'm using WSHttpBinding over HTTP so I have to enable anonymous authentication in IIS. However, out of interest I tried BasicHttpBinding with TransportCredentialOnly and credential type Windows, but still had the requirement of anonymous authentication in IIS, which shouldn't be the case according to the above post...?

    Friday, October 7, 2011 1:42 PM
  • My bad, forgot to disable metadata publishing.
    Friday, October 7, 2011 2:24 PM
  • Hi Wenlong

    Sorry for replying to this old thread. If I use basicHttpBinding and TransportWithMessageCredential / UserName (I have a custom membership provider), do I still need to enable anonymous access? It seems to be impossible not to enable anonymous access in this scenario?

    I have made a post about this: http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/7afa6a20-a73c-40d4-8ef7-99c3740ce1b5/#7afa6a20-a73c-40d4-8ef7-99c3740ce1b5

    Any help is appreciated.

    Thursday, September 13, 2012 4:01 AM