Zulfiqar's weblog

Architecture, security & random .Net

Windows authentication for IIS hosted WCF Service

Posted by zamd on February 15, 2008


Security settings for this service require ‘Anonymous’ Authentication but it is not enabled for the IIS application that hosts this service.

I have seen people struggle while configuring Integrated Windows Authentication for their IIS-hosted WCF service and get the above exception. There are two settings required to make this work.

· First enable Integrated Windows Authentication on IIS

· Set the clientCredentialType to Windows

Here is a sample binding to enable Windows authentication in IIS.

<bindings>
  <basicHttpBinding>
    <binding name="basicHttpBinding IMyService">
      <!-- Authenticate the caller at the HTTP transport level -->
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

However, even after making these two changes you might still get the exception. The prime reason is that one of the service endpoints (most likely the MEX endpoint) still requires anonymous access while it is disabled in IIS.

Why mostly the MEX endpoint?

Because the default settings of mexHttpBinding allow anonymous access by setting clientCredentialType to None. So if you have a mex endpoint and you are using the out-of-the-box mexHttpBinding, you will get the above exception.

A simple fix is to use the same secured binding, in this case basicHttpBinding IMyService, for the mex endpoint as well, or to create a new binding with anonymous access disabled for the mex endpoint.
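The fix described above as a complete system.serviceModel section (an added example, not the author's own configuration). The service, contract and behavior names are assumptions; the binding name is the one used in the post.

```xml
<!-- Added example. MyNamespace.MyService, MyNamespace.IMyService and
     MetadataBehavior are assumed names, not taken from the post. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Secured binding from the post: Windows credentials over HTTP -->
      <binding name="basicHttpBinding IMyService">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows"/>
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="MyNamespace.MyService"
             behaviorConfiguration="MetadataBehavior">
      <!-- Application endpoint using the secured binding -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="basicHttpBinding IMyService"
                contract="MyNamespace.IMyService"/>
      <!-- Before: the stock mexHttpBinding uses clientCredentialType None,
           so the service demands anonymous access and fails to activate:
           <endpoint address="mex" binding="mexHttpBinding"
                     contract="IMetadataExchange"/> -->
      <!-- After: metadata served over the same secured binding -->
      <endpoint address="mex"
                binding="basicHttpBinding"
                bindingConfiguration="basicHttpBinding IMyService"
                contract="IMetadataExchange"/>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MetadataBehavior">
        <!-- Needed for any endpoint exposing IMetadataExchange -->
        <serviceMetadata/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

TransportCredentialOnly authenticates the caller but sends messages over plain HTTP, so it gives no confidentiality or integrity for the traffic itself.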

6 Responses to “Windows authentication for IIS hosted WCF Service”

  1. Unknown said

    Hi, I’m using wsDualHttpBinding and really struggling to implement windows security.
    I have created a WCF service, hosted in IIS5.1 and accessing it from a windows client application. The app.config says that Transport tag is invalid in this context. If I enable the anonymous access in IIS it’s all working fine, but if I disable it and enable the integ. windows authentication, I’m getting one or other error message. I’m really struggling with how to pass windows credentials to server from client side. Any help?

  2. Unknown said

    I still had to enable anonymous access in IIS. It didn’t work for me either.

  3. Unknown said

    The mex portion of this is problematic. You can’t do as you say and reuse the bindingconfiguration because the mex is not basicHttpBinding. IIS says that there is no binding configuration for your mexHttpBinding. And you cannot duplicate the bindingconfiguration for mexhttpbinding as it doesn’t support the same syntax. Any follow up to this?

  4. zamd said

    mexHttpBinding is similar to basicHttpBinding – just use your customized (with anonymous access disabled) basicHttpBinding for mex endpoint as well.

  5. Unknown said

    Thank you very much, god this solved my problem.
    I was struggling a lot to identify the mex endpoint which was restricting the windows authentication in IIS.

    Thank you very much once again 🙂

  6. Unknown said

    Great content, especially the last part about using the same binding for mex. It solved my problem that was persistent for 15 hrs.

    Thanks
