WCF Security error with VS 2008 Unit Test

Question

I was running my first Visual Studio 2008 Unit Test with a WCF Service and I received the following error:

Test method UnitTest.ServiceUnitTest.TestMyService threw exception: System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized..

I am also getting the following failed audit in the security log:

Logon Failure: Reason: The user has not been granted the requested logon type at this machine
User Name: (Internet Guest Account)
Domain:
Logon Type: 3
Logon Process: IIS
Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:

I am hosting the WCF service in IIS 6.0 on a Windows XP SP3 machine. I have both the "Anonymous Access" and "Integrated Windows authentication" checked for the WCF service virtual directory.

Here is my config file for the service:

<system.serviceModel>
    <services>
        <bindings>
            <basicHttpBinding>
                <binding name="MyBinding">
               <security mode="None" />
           </binding>
            </basicHttpBinding>
            <customBinding>
                <binding name="MyBinding">
               <transactionFlow />
                    <textMessageEncoding />
                    <httpsTransport authenticationScheme="Ntlm"/>
                </binding>
            </customBinding>
            <wsHttpBinding>
                <binding name="MyBinding">
                   <security mode="None" />
               </binding>
            </wsHttpBinding>
        </bindings>
        <service 
            behaviorConfiguration="Service1Behavior"
            name="Service1"
        >
            <endpoint 
                address="" 
                binding="wsHttpBinding"
                bindingConfiguration="MyBinding"
                contract="IService1"
            >
                <identity>
                    <dns value="localhost" />
                   </identity>
            </endpoint>
        </service>
    </services>
    <behaviors>
        <serviceBehaviors>
            <behavior name="Service1Behavior">
                <serviceMetadata httpGetEnabled="true" />
                   <serviceDebug includeExceptionDetailInFaults="false" />
               </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

Answer 1

I had to change the following IIS and WCF service configurations to get past the "Negotiate,NTLM" exception.

IIS Configurations:

-- Unchecked "Anonymous Access" checkbox and check the "Integrated Windows authentication" checkbox in the directory security setting for the WCF Service virtual directory.

WCF Services:

-- implemented basicHttpBinding and configured the basicSettingBinding security setting to "TransportCredentialsOnly" mode and TransportClientCredentialType to "Windows"

Here is my updated wcf service configuration:

<system.serviceModel>
    <bindings>
        <basicHttpBinding>
            <binding name="windowsBasicHttpBinding">
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows" />
                </security>
            </binding>
       </basicHttpBinding>
    </bindings>
    <services>
        <service    
      behaviorConfiguration="CityOfMesa.ApprovalRouting.WCFService.RoutingServiceBehavior"
           name="CityOfMesa.ApprovalRouting.WCFService.RoutingService"
        >
            <endpoint 
                binding="basicHttpBinding" bindingConfiguration="windowsBasicHttpBinding"
                name="basicEndPoint"    
                contract="CityOfMesa.ApprovalRouting.WCFService.IRoutingService" 
            />
        </service>
    </services>
    <behaviors>
        <serviceBehaviors>
            <behavior 
                name="CityOfMesa.ApprovalRouting.WCFService.RoutingServiceBehavior"
            >
                <serviceMetadata httpGetEnabled="true" />
                <serviceDebug includeExceptionDetailInFaults="true" />
           </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

Answer 2

As a side note.....There was a GPO setting "NTLM Authentication Level" that was controls authenication that was causing the unit test to generate the "Negotiate,NTLM" exception.

Answer 3

When you have securityMode="None" in your binding, you should turn off integrated authentication.

Answer 4

The default authentication is windows (or NTLM) so you'll need to specify that you don't want authentication in your config file.

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="myBinding">
        <security mode="None" />
      </binding>
  </bindings>
</system.serviceModel>

also add this attribute to the endpoint

bindingConfiguration="myBinding"

The binding element specifies modifications of the standard behavior of the wsHttpBinding.

Then the "bindingConfiguration="myBinding" attribute on the endpoint says that that endpoint should use the modifications we specified.