Reputation: 2431
I have written a WCF Service and need to host it. I can either host in IIS or Self-Host, and I would like to use Windows Authentication by setting the bindings in the web.config file below:
    <bindings>
      <netHttpBinding>
        <binding>
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </netHttpBinding>
    </bindings>
I am trying to understand what IIS is doing in terms of authentication and passing it on to the web application, specifically:
If I host in IIS, do I need to enable Windows Authentication for the service site in IIS administration settings?
If so, why can the service not perform Windows Authentication simply from the config file just like self host - why does IIS need to get involved? Self host doesn't need anything other than the web.config file.
Is there a way in IIS for the application (ASP MVC, WCF etc) to handle authentication types (Forms, Windows Authentication, Basic) without enabling them (reason being if the site is not configured correctly it could be a security risk, if the code handles authentication then the security intent becomes explicit)?
Upvotes: 2
Views: 221
Reputation: 3624
Check out this.
This gives all the details; follow this and I am sure you will get what you want.
Upvotes: 1
Reputation: 4571
If I host in IIS, do I need to enable Windows Authentication for the service site in IIS administration settings?
Yes.
If so, why can the service not perform Windows Authentication simply from the config file just like self host - why does IIS need to get involved? Self host doesn't need anything other than the web.config file.
Because Windows Authentication is a feature. When it is installed, you can enable or disable this feature for a particular site or service. Note that Windows Authentication is not supported in the Home or Starter editions of Windows Vista® and Windows® 7.
The IIS WCF host implementation is completely different from the SelfHost implementation. And the Windows Authentication feature is required to get things like setting the security context identity (ServiceSecurityContext.Current.WindowsIdentity) or impersonating the caller (http://msdn.microsoft.com/en-us/library/ms788971(v=vs.110).aspx) to work on the IIS WCF host.
Is there a way in IIS for the application (ASP MVC, WCF etc) to handle authentication types (Forms, Windows Authentication, Basic) without enabling them (reason being if the site is not configured correctly it could be a security risk, if the code handles authentication then the security intent becomes explicit)?
You must install the feature before using it. There is no security risk because it just wouldn't work. For instance, if you configure your site or a service to use Windows Authentication, anonymous users won't get access to this site or service.
Upvotes: 3
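The third question asks for the authentication requirement to be explicit in code. As an added example (not code from the question or from either answer), a WCF `ServiceAuthorizationManager` can refuse any call that arrives without an authenticated Windows identity, using the `ServiceSecurityContext` mentioned in the answer above. The type names `RequireWindowsIdentityManager`, `IWhoAmI` and `WhoAmIService` are hypothetical.

```csharp
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical authorization manager (added example): every call is rejected
// unless it carries an authenticated, non-anonymous Windows identity.
//
// Registration, IIS-hosted (web.config, inside <serviceBehaviors><behavior>):
//   <serviceAuthorization
//       serviceAuthorizationManagerType="YourNamespace.RequireWindowsIdentityManager, YourAssembly" />
// Registration, self-hosted (before host.Open()):
//   host.Authorization.ServiceAuthorizationManager = new RequireWindowsIdentityManager();
public sealed class RequireWindowsIdentityManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;

        // No security context at all, or WCF flagged the caller as anonymous.
        if (ctx == null || ctx.IsAnonymous)
            return false;

        // The same identity the service reads through
        // ServiceSecurityContext.Current.WindowsIdentity.
        WindowsIdentity caller = ctx.WindowsIdentity;
        if (caller == null || caller.IsAnonymous || !caller.IsAuthenticated)
            return false;

        // Returning false makes WCF fail the call with an access-denied fault
        // before any operation code runs.
        return base.CheckAccessCore(operationContext);
    }
}

// Hypothetical contract and service used only to show the identity in use.
[ServiceContract]
public interface IWhoAmI
{
    [OperationContract]
    string WhoAmI();
}

public sealed class WhoAmIService : IWhoAmI
{
    public string WhoAmI()
    {
        // Safe to dereference: the manager above has already rejected
        // calls without an authenticated Windows identity.
        return ServiceSecurityContext.Current.WindowsIdentity.Name;
    }
}
```

This check sits on top of the IIS setting rather than replacing it: as the answer states, the Windows Authentication feature still has to be enabled for the identity to reach an IIS-hosted service.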