We have a service that uses BasicHttpBinding/Transport Security/Windows Authentication and is hosted in IIS. I have created a unit-test application in VSTS and whenever we test a WCF method, Fiddler records two calls.
1st call - No authorization token is sent. The WCF service returns a 401 error - Unauthorized: Access is denied. HTTP headers as sent in the request are given below.
Hi Nishant,

This is the standard way in which authentication takes place. Whenever you request a resource from the server (say using a browser) your client (in this case your browser) does not send the credentials the first time because it doesn't know if the resource it is trying to access on the server is secured or not. When your request reaches the server (IIS), it determines that OK, this resource is secure, so let's ask for some credentials from the client. This is the www-Authenticate header sent by the server to your client (which also lists the auth modes in which the client can authenticate itself - basic, digest, negotiate ...). This prompts the client to send the credentials in the authorization header. Hence the two calls.

This is not specific to WCF but any client-server communication. You can find more details on this - http://www.owasp.org/index.php/Authentication_In_IIS

Thanks. - Piyush
Marked as answer by nishanttheone, Monday, February 22, 2010 6:32 PM
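
An added example, not part of the thread: a Python classifier that labels each request/response pair of a captured handshake, so the expected first 401 can be told apart from credentials that were actually refused. It goes beyond the two-call case by also recognising a multi-leg NTLM/Negotiate continuation; the path `/Service.svc`, the host `example.test` and the token are constructed placeholders.

```python
# Added example. Every HTTP message below is a constructed sample.
SSO_SCHEMES = {"negotiate", "ntlm"}  # schemes that can need extra 401 legs

def parse_head(raw):
    """Return (start_line, {lowercased header name: [values]}) for a raw message head."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers

def offered_schemes(response_raw):
    """Schemes the server lists in WWW-Authenticate, in the order sent."""
    _, resp = parse_head(response_raw)
    return [v.split(None, 1)[0] for v in resp.get("www-authenticate", []) if v]

def classify(request_raw, response_raw):
    """Label one exchange of the handshake."""
    _, req = parse_head(request_raw)
    status_line, resp = parse_head(response_raw)
    status = int(status_line.split()[1])
    sent_credentials = "authorization" in req
    if status != 401:
        if status >= 400:
            return "other"
        return "authenticated" if sent_credentials else "anonymous"
    if not sent_credentials:
        return "challenge"  # expected first leg, not a failed logon
    for value in resp.get("www-authenticate", []):
        parts = value.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in SSO_SCHEMES:
            return "continue"  # server returned a token: handshake still running
    return "rejected"  # credentials were presented and refused

# Constructed capture of the two calls described in the thread.
CAPTURE = [
    ("POST /Service.svc HTTP/1.1\r\nHost: example.test\r\n\r\n",
     "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n"),
    ("POST /Service.svc HTTP/1.1\r\nHost: example.test\r\n"
     "Authorization: Negotiate PLACEHOLDER-TOKEN\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"),
]

def summarize(capture):
    return [classify(req, resp) for req, resp in capture]
```

When reviewing IIS or proxy logs, only the `rejected` label corresponds to a failed logon; `challenge` and `continue` entries are normal handshake traffic.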