Xavier Poinas

Reputation: 19733

Configuring WCF Security (wsHttpBinding)

I have two websites hosted on the same IIS server. SiteA contains WCF services that need to be accessed by SiteB, as well as anything else that is authenticated on the domain.

The service is configured with a wsHttpBinding and thus I believe uses Windows security by default. Right now I can call the services from a console app running on my local machine, as well as from a web application running in the default Visual Studio web server, so I am taking it that the authentication is working.

However, when SiteB tries to access the services, it fails with this error: The caller was not authenticated by the service.

SiteB runs on the same machine as SiteA, so I don't understand why it could not be authenticated. SiteB uses Forms Authentication and I mapped Anonymous access to a domain user.

Here are the config bits:

SiteA (service):

<system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
    <services>
        <service behaviorConfiguration="wcfServiceBehaviour" name="MyService">
            <endpoint address="" binding="wsHttpBinding" contract="IServiceContract" />
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
        </service>
    </services>
    <behaviors>
        <serviceBehaviors>
            <behavior name="wcfServiceBehaviour">
                <serviceMetadata httpGetEnabled="true" />
                <serviceDebug includeExceptionDetailInFaults="true" />
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

SiteB (client):

<system.serviceModel>
    <client>
      <endpoint address="http://xxxxx/Services/xxService.svc"
                binding="wsHttpBinding"
                contract="IServiceContract" />
    </client>
</system.serviceModel>

Upvotes: 2

Views: 5432

Answers (3)

Brian

Reputation: 3693

If you're using a self hosted site like me, the way to avoid this problem (as described above) is to stipulate on both the host and client side that the wsHttpBinding security mode = NONE.

When creating the binding, both on the client and the host, you can use this code:

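 ' SecurityMode.None: no transport or message security; use the same mode on host and client.
 Dim binding As System.ServiceModel.WSHttpBinding
 binding = New System.ServiceModel.WSHttpBinding(System.ServiceModel.SecurityMode.None)

or

 // SecurityMode.None: no transport or message security; use the same mode on host and client.
 System.ServiceModel.WSHttpBinding binding;
 binding = new System.ServiceModel.WSHttpBinding(System.ServiceModel.SecurityMode.None);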

Upvotes: 0

Andrew Shepherd

Reputation: 45222

When SiteB impersonates another user, does your code specify the impersonation level?

My guess is that you are not specifying a high enough level of impersonation. (Delegation is the highest, allowing SiteB to pass the permissions to a different service.)

I suspect that fixing up the SiteB impersonation code will be enough to solve the problem.

If not, try passing the allowable impersonation level to the server:

<system.serviceModel>
    <client>
        <endpoint address="http://xxxxx/Services/xxService.svc"
                  binding="wsHttpBinding"
                  contract="IServiceContract"
                  behaviorConfiguration="ImpersonationBehavior" />
    </client>
    <behaviors>
        <endpointBehaviors>
            <behavior name="ImpersonationBehavior">
                <clientCredentials>
                    <windows allowedImpersonationLevel="Delegation" /> <!-- The highest level -->
                </clientCredentials>
            </behavior>
        </endpointBehaviors>
    </behaviors>
</system.serviceModel>

Upvotes: 1

Greg Sansom

Reputation: 20810

You are correct - wsHttpBinding configured in WCF will use Windows Authentication by default.

There is a suggestion here ("WCF - changing endpoint address results in securityexception") that the Identity block will not work with Windows Authentication - try removing it.

Upvotes: 1
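
An added example, not part of any post above: a Python check that reads a system.serviceModel section and reports three settings that appear in this thread (wsHttpBinding endpoints that resolve to security mode None, includeExceptionDetailInFaults="true", and allowedImpersonationLevel="Delegation"). The function name, the finding codes and the sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's settings merged into one section.
SAMPLE = """<system.serviceModel>
  <bindings><wsHttpBinding>
    <binding name="open"><security mode="None" /></binding>
  </wsHttpBinding></bindings>
  <services><service behaviorConfiguration="wcfServiceBehaviour" name="MyService">
    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="open"
              contract="IServiceContract" />
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
  </service></services>
  <behaviors>
    <serviceBehaviors><behavior name="wcfServiceBehaviour">
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior></serviceBehaviors>
    <endpointBehaviors><behavior name="ImpersonationBehavior">
      <clientCredentials><windows allowedImpersonationLevel = "Delegation" /></clientCredentials>
    </behavior></endpointBehaviors>
  </behaviors>
</system.serviceModel>"""


def audit_service_model(xml_text):
    """Return sorted (code, detail) findings for a system.serviceModel section."""
    root = ET.fromstring(xml_text)
    sm = next(root.iter("system.serviceModel"), None)
    if sm is None:
        return []
    findings = set()
    # wsHttpBinding configurations whose <security mode> is None. An unnamed
    # <binding> is the default for endpoints without bindingConfiguration.
    unsecured = set()
    for b in sm.findall("bindings/wsHttpBinding/binding"):
        sec = b.find("security")
        if sec is not None and sec.get("mode", "").lower() == "none":
            unsecured.add(b.get("name", ""))
    for ep in sm.iter("endpoint"):
        if ep.get("binding") == "wsHttpBinding" and ep.get("bindingConfiguration", "") in unsecured:
            findings.add(("SECURITY_NONE", ep.get("contract", "")))
    # This setting returns managed exception details to callers in SOAP faults.
    for dbg in sm.iter("serviceDebug"):
        if dbg.get("includeExceptionDetailInFaults", "false").lower() == "true":
            findings.add(("EXCEPTION_DETAIL_IN_FAULTS", ""))
    # Delegation lets the service act as the caller against remote systems.
    for win in sm.iter("windows"):
        if win.get("allowedImpersonationLevel", "").lower() == "delegation":
            findings.add(("DELEGATION_ALLOWED", ""))
    return sorted(findings)
```

A wsHttpBinding endpoint with no binding configuration, like the ones in the question, keeps the default message security and is not reported as SECURITY_NONE.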
