Activation error in WCF web-service using basicHttpBinding, Windpws-Authentication & impersonation

0
votes

I am trying to host a WCF web service in IIS using Windows Authentication. Due to restrictions, we have to use the basicHttpBinding & use impersonation (impersonate the caller's identity for accessing resources down the chain).

I have declaratively enabled impersonation on the operation contract of my WCF service:

 [OperationBehavior(Impersonation = ImpersonationOption.Required)]

My web.config is:

    <system.serviceModel>
      <behaviors>
        <serviceBehaviors>
          <behavior>
            <serviceMetadata httpGetEnabled="true"/>
            <serviceDebug includeExceptionDetailInFaults="true"/>
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <bindings>
        <basicHttpBinding>        
          <binding name="basic">          
            <security mode="TransportCredentialOnly">
              <transport clientCredentialType="Windows">              
              </transport>            
            </security>          
          </binding>
        </basicHttpBinding>
      </bindings>
      <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
      <services>
        <service name="NotesService">
          <endpoint address="http://Client1.osp.local:15000/NotesService/NotesService.svc" bindingConfiguration="basic" binding="basicHttpBinding"  contract="NotesService.ServiceContract.INotesService">
            <identity>
              <servicePrincipalName value="HTTP/Client1.osp.local:15000"/>            
            </identity>          
          </endpoint>        
        </service>
      </services>
    </system.serviceModel>

However, I am getting an activation error. What am I missing?

The error I am getting is:

The contract operation 'Process' requires Windows identity for automatic 
impersonation. A Windows identity that represents the caller is not provided by 
binding ('BasicHttpBinding','http://tempuri.org/') for contract 
('NotesService','http://tempuri.org/'.
1
wcfwcf-securitywindows-authenticationimpersonationbasichttpbinding
Just a note - for a service the identity tag is irrelevant - its used on the client to allow the client to verify its talking to the service it expects (i.e. the service has the correct identity the client is expecting)Richard Blewett

1 Answers

2
votes

Assuming you are using WCF 4.0, then I think you are seeing an artefact of a WCF 4 feature called default endpoints.

In the service name you need to provide the fully qualified name of the service (including the namespace). Assuming NotesService is in a namespace then when you create the ServiceHost it doesn;t find a match in the config file. If you supply an HTTP base address in the ServiceHost constructor then it will wire up the basicHttpBinding with its default configuration (no authentication) which would produce the error you are seeing