Hosting WCF Apps IIS Authentication

2
votes

I have written a WCF Service and need to host it, I can either host in IIS or Self-Host and I would like to use Windows Authentication by setting the bindings in the web.config file below:

<bindings>
  <netHttpBinding>
    <binding>
      <security mode="Transport">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </netHttpBinding>
</bindings>

I am trying to understand what IIS is doing in terms of authentication and passing it on to the web application, specifically:

  • If I host in IIS, do I need to enable Windows Authentication for the service site in IIS administration settings?

  • If so, why can the service not perform Windows Authentication simply from the config file just like self host - why does IIS need to get involved? Self host doesn't need anything other than the web.config file.

  • Is there a way in IIS for the application (ASP MVC, WCF etc) to handle authentication types (Forms, Windows Authentication, Basic) without enabling them (reason being if the site is not configured correctly it could be a security risk, if the code handles authentication then the security intent becomes explicit)?

2
asp.netwcfauthenticationiis

2 Answers

3
votes

If I host in IIS, do I need to enable Windows Authentication for the service site in IIS administration settings?

Yes.

If so, why can the service not perform Windows Authentication simply from the config file just like self host - why does IIS need to get involved? Self host doesn't need anything other than the web.config file.

Because Windows Authentication is a feature. When it is installed, you can enable or disable this feature for particular site or service. Note, that Windows Authentication is not supported Home or Starter editions of Windows Vista® and Windows® 7.

IIS WCF host implementation is completely different from SelfHost implementation. And Windows Authentication feature is required to get things like setting security context identity (ServiceSecurityContext.Current.WindowsIdentity) or impersonating the caller (http://msdn.microsoft.com/en-us/library/ms788971(v=vs.110).aspx) to work on IIS WCF host.

Is there a way in IIS for the application (ASP MVC, WCF etc) to handle authentication types (Forms, Windows Authentication, Basic) without enabling them (reason being if the site is not configured correctly it could be a security risk, if the code handles authentication then the security intent becomes explicit)?

You must install feature before using it. There is no security risk because it just wouldn't work. For instance, if you configure your site or a service to use windows authentication, anonymous users won't get access to this site or service.

1
votes

Check out this.
This gives all the details, follow this and i am sure you will get what you want.