Make Wcf Service IntegratedWindowsAuthentication

23
votes

I m getting the following error when I did set the Windows Authentication enable and anonymous to disabled in IIS.

The authentication schemes configured on the host ('IntegratedWindowsAuthentication') do not allow those configured on the binding 'BasicHttpBinding' ('Anonymous'). Please ensure that the SecurityMode is set to Transport or TransportCredentialOnly. Additionally, this may be resolved by changing the authentication schemes for this application through the IIS management tool, through the ServiceHost.Authentication.AuthenticationSchemes property, in the application configuration file at the element, by updating the ClientCredentialType property on the binding, or by adjusting the AuthenticationScheme property on the HttpTransportBindingElement.

My Wcf Service's web.config is as follows...

<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5"/>
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpEndpointBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint binding="basicHttpBinding" 
        bindingConfiguration="BasicHttpEndpointBinding"
        contract="Test.IService1" name="BasicHttpEndpoint" />
    </client>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceAuthenticationManager 
             authenticationSchemes="IntegratedWindowsAuthentication"/>
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false"/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <protocolMapping>
        <add binding="basicHttpBinding" scheme="http" />
    </protocolMapping>    
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true"
         multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    <directoryBrowse enabled="true"/>
  </system.webServer>
</configuration>

Please advice..

8
c#.netwcfiis-7
You didn't post your web.config...Tim
Its ready now. please advice.user214471
I don't see a service definition in your config, just a client. If this is your service's config file and you're using .NET 4.0+, chances are you're getting a default endpoint, which may not have the security set properly. You need to assign the binding you create in your config file to your service as well.Tim
Thanks. Now its Error Free. But how to avoid the authentication .means how to avoid asking username and password when browsed the service via IIS. Please help.user214471
If the user is the same as machine login user, then please recommand a way to avoid this authentication when browsed a Wcf Service via IIS.user214471

8 Answers

49
votes

In .Net 4.0+, Simplified WCF configuration uses the 'anonymous' configurations when configurations are not explicitly set on a per-services basis in the <services> section. If you remove the name="BasicHttpEndpointBinding" from the <binding> element, or if you duplicate that <binding> element as a new element with no name attribute, it will become the default, anonymous binding that your WCF services will use. This is often useful in cases where you need to serve as well as consume WCF services that may not all have the same config - but at least you can set a default config for the services that do not have a specific config set. The default/anonymous concept is also applicable to <behavior> elements.

<bindings>
  <basicHttpBinding>
    <binding> <!--Notice, no name attribute set-->
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

Also, I might add that if your WCF services require authentication, this means that you will either need to consume the service using a real user account, or you will need to grant the the DOMAIN\CLIENTCOMPUTERNAME$ account access to the service - so, perhaps the proper solution for many people may be to alter the configuration to instead allow anonymous access (which is not discussed in my answer). Still, I do sometimes actually elect to secure my WCF services with Windows (Kerberos) authentication.

14
votes

Adding this worked for me.

        <bindings>
        <webHttpBinding>
            <binding>
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows" />
                </security>
            </binding>
        </webHttpBinding>
    </bindings>
2
votes

I got this error when updating from .NET 4.0 to .NET 4.5.2. I changed the clientCredentialType from 

<security mode="TransportCredentialOnly">
    <transport clientCredentialType="None"/>
</security>

to

<security mode="TransportCredentialOnly">
    <transport clientCredentialType="InheritedFromHost"/>
</security>

However, setting clientCredentialType="Windows" works equally well.

2
votes

I had the same issue when consuming already existing WCF web URL. I tried all the answers mentioned here , but all in all finally only two things helped.

  1. Changing the setting in "Turn windows Features on and off".

enter image description here

Enabling Anonymous authentication along with Windows Authentication in Local IIS server. enter image description here

0
votes
<services>
      <service name="Test.Service1" behaviorConfiguration="TestName">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpEndpointBinding" contract="Test.IService1" />
      </service>
    </services>

It solved my problem.

0
votes

Like the other answers, I needed to update the binding in my Web.config to this:

<basicHttpBinding>
  <binding name="basicHttpBindin1">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows" />
    </security>
  </binding>
</basicHttpBinding>

But I also needed to update my binding's instantiation:

var binding = new BasicHttpBinding { MaxReceivedMessageSize = 1000000, ReaderQuotas = { MaxDepth = 200 } };

binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
0
votes

I had add a webHttpBinding and point my endpoint to that, which the security settings needed to work. Without that my endpoint used the default WCF config bindings:

    <services>
  <service behaviorConfiguration="ServiceBehavior" name="Service">
    <endpoint address="" binding="webHttpBinding" contract="IService" />
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehavior">
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
    </behavior>
  </serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
<bindings>
  <webHttpBinding>
      <binding>
        <!--Notice, no name attribute set-->
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
  </webHttpBinding>

</bindings>
0
votes

I'm not entirely sure why, but when I added the 'Factory' attribute to my .SVC file (you need to explicitly drag it to Visual Studio), everything just works - without any changes to default settings in Web.config!

I added Factory="System.ServiceModel.Activation.WebServiceHostFactory" so my .SVC file went from this:

<%@ ServiceHost Language="C#" Debug="true" Service="ServiceNameSpace.ServiceName" CodeBehind="ServiceName.svc.cs" %>

to this:

<%@ ServiceHost Language="C#" Debug="true" Service="ServiceNameSpace.ServiceName" CodeBehind="ServiceName.svc.cs" Factory="System.ServiceModel.Activation.WebServiceHostFactory" %>

The only side effect seems to be that when you click on the .SVC file in the browser, you get an 'Endpoint not found' error, but the service works fine when you invoke it correctly anyway. As mentioned previously, I'm using a default Web.config with .NET 4.6 (Simplified WCF configuration), so I may yet need to add endpoint details for that to work again.