IIS hosted WCF-service + Windows auth in IIS + TransportCredentialOnly/Windows auth in basicHttpBinding

Question

I want to create a WCF-service hosted in IIS6 and disable anonymous authentication in IIS. And don't use SSL.

So only way I have is to use basicHttpBinging with TransportCredentialOnly, itsn't it?

I create a virtual directory, set Windows Integrated Auth and uncheck "Enable Anonymous Access".

Here's my web.config:

<system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="MyBinding">
                    <security mode="TransportCredentialOnly">
                        <transport clientCredentialType="Windows" />
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <services>
            <service name="Samples.ServiceFacadeService" behaviorConfiguration="ServiceFacadeServiceBehavior">
                <endpoint address="" binding="basicHttpBinding" bindingName="MyBinding"
                          contract="Samples.IServiceFacadeService">
                </endpoint>
            </service>
        </services>
    <behaviors>
        <serviceBehaviors>
            <behavior name="ServiceFacadeServiceBehavior">
                <serviceDebug includeExceptionDetailInFaults="true"/>
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

You can see that I even haven't included MEX-enpoint for metadata exchange. Just one endpoint and one binding for it with TransportCredentialOnly security.

But when I tries to start service (invoking a method throught client proxy) I got such exception in the EventLog:

Exception: System.ServiceModel.ServiceActivationException: The service '/wcftest/ServiceFacadeService.svc' cannot be activated due to an exception during compilation. The exception message is: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.. ---> System.NotSupportedException: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

I have no idea why my service require Anonymous auth? Why?

Answer 1

To get VS wcf service project (new sample project) to work with authentication under IIS, you have to:

1) Allow Anonymous access in IIS
2) Prefix your public methods with a attribute like this:

[PrincipalPermission(SecurityAction.Demand, Role = "MyADGroup")]
public string SendMyMessage(string Message)
{...}

Answer 2

Use basicHttpBinding for your mex endpoint and apply the same bindingConfiguration:

Answer 3

The answer found jezell. Thanks. I mixed up bindingName and bindingConfiguration :

<endpoint address="" binding="basicHttpBinding" bindingName="MyBinding"
          contract="Samples.IServiceFacadeService">
</endpoint>

That's right:

<endpoint address="" binding="basicHttpBinding" **bindingConfiguration**="MyBinding"
          contract="Samples.IServiceFacadeService">
</endpoint>

Answer 4

The MEX endpoint may still be the problem (see this post). Try disabling MEX like this:

<services>
    <!-- Note: the service name must match the configuration name for the service implementation. -->
    <service name="MyNamespace.MyServiceType" behaviorConfiguration="MyServiceTypeBehaviors" >
        <!-- Add the following endpoint.  -->
        <!-- Note: your service must have an http base address to add this endpoint. -->
        <endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
    </service>
</services>

<behaviors>
    <serviceBehaviors>
        <behavior name="MyServiceTypeBehaviors" >
            <!-- This disables it. -->
            <serviceMetadata httpGetEnabled="false" />
        </behavior>
    </serviceBehaviors>
</behaviors>

Here is a good post on securing MEX.