DCastenholz

Reputation: 181

wsHttpBinding on WCF service on IIS7 with windows auth only

I have a hosted WCF service (.NET 3.5 SP1) on IIS7, with a domain account running the application pool. I want Windows authentication, wsHttpBinding, and anonymous turned off. I removed the mex endpoint and set message security, but I am still getting:

Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

I have tried about 50 different web.config configurations, but no joy.

Current web.config:

<system.serviceModel>
    <behaviors>
        <serviceBehaviors>
            <behavior name="PressReleaseService.PRBehavior">
                <serviceMetadata httpGetEnabled="true" />
                <serviceDebug includeExceptionDetailInFaults="true" />
            </behavior>
        </serviceBehaviors>
    </behaviors>
    <services>
        <service behaviorConfiguration="PressReleaseService.PRBehavior" name="PressReleaseService.PR">
            <endpoint address="" binding="wsHttpBinding" contract="PressReleaseService.IPR">
                <identity>
                    <dns value="localhost"/>
                </identity>
            </endpoint>
        </service>
    </services>
    <bindings>
        <wsHttpBinding>
            <binding name="WSHttpBinding_IPR" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
            transactionFlow="false" hostNameComparisonMode="StrongWildcard"
            maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
            textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                <reliableSession ordered="true" inactivityTimeout="00:10:00"
                enabled="false" />
                <security mode="Message">
                    <message clientCredentialType="Windows" negotiateServiceCredential="false"
                    algorithmSuite="Default" establishSecurityContext="true" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
</system.serviceModel>

Additionally, there is another service running under the same application pool; it has mex in it, has wsHttpBinding for the primary endpoint, and it ONLY has Windows authentication enabled in IIS.

Any clues?

Upvotes: 2

Views: 4263

Answers (2)

DCastenholz

Reputation: 181

The solution in IIS7:

The following line in the web.config file:

<serviceMetadata httpGetEnabled="true" />

requires that anonymous access be given to the .svc file for HTTP access. To grant this, open IIS Manager and disable Anonymous authentication and enable Windows authentication at the top of your application. Then, go into the 'Content View' tab and right-click on your .svc file. Select 'Switch to Features View'. This will cause the .svc file to be added to the directory tree on the left. From there, you can go to 'Authentication' under IIS and set Anonymous Authentication to enabled. Now you have Anonymous access to the mex endpoint (I added it back in), but have Windows authentication everywhere else. The result of this is a change in the c:\Windows\System32\inetsrv\config\applicationHost.config file that looks like this:

<location path="Default Web Site/PRService_Dev">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>
<location path="Default Web Site/PRService_Dev/PR.svc">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>

Upvotes: 2
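An added example, not part of the answer above: a small Python audit that resolves the effective IIS authentication settings for each `<location>` path, so you can see exactly which paths end up reachable anonymously after a per-file override like the one shown. It assumes only `<location>` elements matter (server-level defaults and web.config overrides are not modelled); the function names and the wrapping `<configuration>` root are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two <location> elements from the answer above,
# wrapped in a <configuration> root so the fragment parses on its own.
SAMPLE = """<configuration>
  <location path="Default Web Site/PRService_Dev">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/PRService_Dev/PR.svc">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

def explicit_settings(xml_text):
    """Map each location path to the auth schemes it sets explicitly."""
    out = {}
    for loc in ET.fromstring(xml_text).iter("location"):
        auth = next(loc.iter("authentication"), None)
        if auth is None:
            continue
        # IIS paths are case-insensitive, so normalise before comparing.
        path = loc.get("path", "").strip("/").lower()
        out[path] = {el.tag: el.get("enabled").lower() == "true"
                     for el in auth if el.get("enabled") is not None}
    return out

def effective_auth(xml_text, target):
    """Merge settings from the shortest matching ancestor path down to target."""
    target = target.strip("/").lower()
    merged = {}
    by_depth = sorted(explicit_settings(xml_text).items(), key=lambda kv: len(kv[0]))
    for path, schemes in by_depth:
        if path == "" or target == path or target.startswith(path + "/"):
            merged.update(schemes)  # a deeper path overrides its parents
    return merged

def anonymous_paths(xml_text):
    """Location paths whose effective settings allow anonymous requests."""
    return [p for p in explicit_settings(xml_text)
            if effective_auth(xml_text, p).get("anonymousAuthentication")]

if __name__ == "__main__":
    for p in explicit_settings(SAMPLE):
        print(p, effective_auth(SAMPLE, p))
```

On the sample, `PR.svc` inherits `windowsAuthentication` from the application and adds anonymous, so both schemes are enabled on that one file while sibling files under the application stay Windows-only.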

Pablo Cibraro

Reputation: 3959

You have to use Transport Security to delegate authentication to IIS and use the settings you configured in your IIS. Windows Authentication in this case.

<security mode="Transport">
    <transport clientCredentialType="Windows"/>
</security>

Message authentication with clientCredentialType means that you want to use message security with Kerberos, so only anonymous should be enabled on IIS.

Upvotes: 0
