
I have an MVC 3 website that is using Forms authentication. The user logs in and navigates to a Silverlight 5 application. The Silverlight app is calling a Silverlight-Enabled WCF service on another port. Because one of my requirements is to use Https/SSL, I decided to move the WCF services into a "Services" folder in my MVC application.

To see if the service is working, I typed in the address of my service. I got an error message stating my service requires anonymous access, but the website is specified to use forms authentication. So, I removed my mexHttpBinding in my web.config for my service and added authenticationScheme="Negotiate" to my httpTransport of my binding. (I'm not to https yet).

Now, I get a 302 and am redirected to the log-in page. It seems that my service is suggesting I'm not logged in. So, I added

routes.IgnoreRoute("{resource}.svc/{*pathInfo}");

and

routes.IgnoreRoute("Services/");

but that hasn't made a difference. I think the service says I'm not authenticated, but I'm certain I am.

Can someone explain what I'm doing wrong?

All of this works when I debug on my localhost, but I can't access the service when I deploy to a server.

Edit

I may have found my answer. I turned on anonymous access for my website in IIS and changed the httpTransport's authenticationScheme to the default (Anonymous). I then added

<authorization>
    <deny users="?"/>
</authorization>

along with

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>

which seems to be requiring the user to be authenticated in order to access the service. I am now going to check my Silverlight application to make sure it can reach the service and get/post data. This was all in a test application, so I'll have to change my real application accordingly. Then, I'll tackle ssl/https.

Does all this sound right?

EDIT 2

I had to ensure mex was enabled and aspNetCompatibilityEnabled was set to 'false' to get the contracts to update in my Silverlight app. But after updating my services, I set the aspNetCompatibilityEnabled to 'true', and everything appears to be working.

I hope I'm still headed down the right path...

Your Services folder will be inheriting all the settings from your MVC app. In IIS Manager, if you open your app, and navigate to your Services directory and open Authentication, does it say "Anonymous Authentication Enabled"? And why not just have it as its own Application? - pms1969

@pms1969, I'm really a novice at this, so I'm a bit confused as to how I would accomplish having it as its own application and getting it to respond under port 443 for ssl. In addition, I have created a "hello, world" website to simplify my problem. It does have anonymous access enabled, but my web.config specifies forms authentication. Also, I have Integrated Windows Authentication turned off. - Josh C.

You should think again about security of your WCF services. It looks like they will be available to call for everyone without any authentication and permissions checking. - paramosh

@paramosh when I type in the service address and am not logged in, I get redirected to a log on screen. When I am logged in, I get the expected web page. I am not sure how else to tell. - Josh C.

1 Answer

I ended up setting up IIS to add the webservice as a website under the parent website. Then, I used the Location tag in the parent site's web.config to implement forms authentication on the webservice.
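
A sketch of the parent site's web.config for the setup this answer describes, added here as an example and not the poster's actual configuration. The `Services` path and the login URL are taken from the question; keeping `aspNetCompatibilityEnabled` at `true` follows the question's EDIT 2, and placing it in the parent config is an assumption.

```xml
<?xml version="1.0"?>
<configuration>

  <!-- Site-wide Forms authentication, as shown in the question. -->
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880" />
    </authentication>
  </system.web>

  <!-- Applies only to requests under /Services (the .svc endpoints).
       "?" means anonymous users: a caller without a valid Forms
       authentication cookie is refused and sent to loginUrl (the 302
       seen in the question). -->
  <location path="Services">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <system.serviceModel>
    <!-- ASP.NET URL authorization is applied to WCF requests only when
         the service runs in ASP.NET compatibility mode. With this set
         to false, the <authorization> rule above is not enforced for
         .svc requests. -->
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  </system.serviceModel>

</configuration>
```

With compatibility mode on, each service class must also carry `[AspNetCompatibilityRequirements]` with `RequirementsMode` set to `Allowed` or `Required`, otherwise the service fails to activate. To confirm the rule is enforced, request the `.svc` address from a browser session with no authentication cookie and check that the response is the redirect to the log-on page.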