2
votes

I have a WCF service hosted in IIS with integrated windows authentication enabled and anonymous authentication disabled. When I try and call this service from ASP.NET, I'm getting the following MessageSecurityException:

"The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.]"

Any ideas?

This is my service configuration:

<system.serviceModel>
<bindings>
  <basicHttpBinding>
    <binding name="CalculatorServiceBasicHttpBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
<services>
  <service name="Service.CalculatorService" 
           behaviorConfiguration="CalculatorServiceBehavior">
    <endpoint name="BasicHttpEndpoint"
              address="" 
              binding="basicHttpBinding" 
              bindingConfiguration="CalculatorServiceBasicHttpBinding"
              contract="Framework.ICalculatorService">
    </endpoint>
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="CalculatorServiceBehavior">
      <serviceMetadata httpGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>

This is how I'm calling the service:

var basicHttpBinding = new BasicHttpBinding();
basicHttpBinding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
basicHttpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
var factory = new ChannelFactory<Framework.ICalculatorService>(basicHttpBinding, new EndpointAddress("http://localhost/CalculatorService/CalculatorService.svc")); 
factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
var proxy = factory.CreateChannel();
var emailAddress = proxy.GetMyEmailAddress();
((ICommunicationObject)proxy).Close();
factory.Close();

1 Answer

1
votes

Your WCF configuration works for me, so most likely you don't have IIS configured correctly for your WCF service (and possibly your ASP.NET client). Make sure the IIS site hosting your service is configured as described in this TechNet article for IIS 7. Out of the box, IIS 7 is not enabled for Windows authentication. If you're using IIS 6, then you'll need to search to see how it's configured for Windows authentication.

Once IIS is set up correctly for your service, you need to configure the ASP.NET site that is calling your service. By default, the ASP.NET AppPool for your web site will use a local machine account (ApplicationPoolIdentity or possibly NetworkService). You'll need to change that account to an appropriate domain account. You also need to ensure your service allows that domain account to access it by either adding an Authorization Rule in IIS Manager or updating the service web.config file as described in the TechNet article.
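
The steps in the answer above, scripted with the WebAdministration module and read back afterwards. This is an added example, not part of the original answer; the site name `Default Web Site`, the pool name `ClientAppPool` and the account entered at the prompt are assumptions, and the script has to run elevated on the IIS host.

```powershell
# Added example: apply and verify the IIS settings the answer describes.
# Assumed names (not from the original post): 'Default Web Site', 'ClientAppPool'.
Import-Module WebAdministration

$location   = 'Default Web Site/CalculatorService'  # app path taken from the question's URL
$clientPool = 'ClientAppPool'                       # hypothetical pool of the calling ASP.NET site
$authRoot   = 'system.webServer/security/authentication'

# 1. Service side: Windows authentication on, anonymous off. These sections are
#    locked at server level by default, so write them to applicationHost.config
#    through a location tag instead of the application's web.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authRoot/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authRoot/anonymousAuthentication" -Name enabled -Value $false

# 2. Client side: run the calling app pool as a domain account. The password is
#    prompted for, so it never appears in the script or in shell history.
$cred = Get-Credential -Message 'Domain account for the client app pool'
Set-ItemProperty "IIS:\AppPools\$clientPool" -Name processModel -Value @{
    identityType = 3                                # 3 = SpecificUser
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}
Restart-WebAppPool -Name $clientPool

# 3. Service side: authorization rule that allows that account.
Add-WebConfiguration -PSPath 'IIS:\' -Location $location `
    -Filter 'system.webServer/security/authorization' `
    -Value @{ accessType = 'Allow'; users = $cred.UserName }

# 4. Read everything back to confirm what IIS will actually enforce.
foreach ($scheme in 'windowsAuthentication', 'anonymousAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authRoot/$scheme" -Name enabled).Value
    '{0,-24} enabled = {1}' -f $scheme, $enabled
}
Get-WebConfiguration -PSPath 'IIS:\' -Location $location `
    -Filter 'system.webServer/security/authorization/add' |
    Select-Object accessType, users, roles
'App pool identity: ' + (Get-ItemProperty "IIS:\AppPools\$clientPool" -Name processModel).userName
```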