I have been reading the WCF configuration documentation and would like a confirmation on a limitation that I've encountered.
I have a client that expects the following binding configuration:
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Basic"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
On the server side I have implemented a custom user name and password validator because we don't use Windows or domain accounts for clients. I followed this guide: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-use-a-custom-user-name-and-password-validator, but they and other examples I've seen use wsHttpBinding or add message security.
The server endpoints and behaviors look something like this:
<services>
<service name="MyWcfService.Service" behaviorConfiguration="MyBehavior">
<endpoint
address=""
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding"
contract="MyWcfService.IService"/>
<endpoint
address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="MyBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<serviceCredentials>
<userNameAuthentication
userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="MyValidator, MyWcfService"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
When hosting the service in IIS with basic authentication enabled the custom validator is not hit, IIS tries to validate the provided credentials against Windows accounts and fails with this message if the user account doesn't exist:
The HTTP request is unauthorized with client authentication scheme 'Basic'.
So is it impossible to have a custom credential validator for a service hosted in IIS with basicHttpBinding, Transport security mode, and Basic transport client credential type? Is there no way to override the basic Windows authentication that IIS does?
