WCF and Integrated Windows Authentication

Discussion in 'ASP .Net Web Services' started by Larry, Apr 22, 2009.

  1. Larry

    Larry Guest

    I have an application with a web front-end and several web services. Some
    of the web services will call other web services. I've previously been
    using wsHttpBinding and certificates to connect to my IIS hosted wcf web
    services, which has been working great. I've received a new requirement
    that I need to support Integrated Windows Authentication and not allow
    Anonymous access on the web site or the web services. For the web site, I
    can uncheck the "Enable anonymous access" and update the web.config and I
    can authenticate there fine. But when the web app calls a web service, I
    get the error: "The HTTP request is unauthorized with client authentication
    scheme 'Anonymous'. The authentication header received from the server was
    'Negotiate,NTLM'." What am I missing?

    Configuration:
    The web site and web services run under an application pool with a domain
    user identity.

    Client Configuration:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.serviceModel>
        <bindings>
          <wsHttpBinding>
            <binding name="WSHttpBinding_IService"
                     closeTimeout="00:01:00"
                     openTimeout="00:01:00" receiveTimeout="00:10:00"
                     sendTimeout="00:01:00"
                     bypassProxyOnLocal="false" transactionFlow="false"
                     hostNameComparisonMode="StrongWildcard"
                     maxBufferPoolSize="524288"
                     maxReceivedMessageSize="65536"
                     messageEncoding="Text" textEncoding="utf-8"
                     useDefaultWebProxy="true"
                     allowCookies="false">
              <readerQuotas maxDepth="32"
                            maxStringContentLength="8192" maxArrayLength="16384"
                            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <reliableSession ordered="true"
                               inactivityTimeout="00:10:00"
                               enabled="false" />
              <security mode="Message">
                <transport clientCredentialType="Windows"
                           proxyCredentialType="None"
                           realm="" />
                <message clientCredentialType="Windows"
                         negotiateServiceCredential="true"
                         algorithmSuite="Default"
                         establishSecurityContext="true" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <client>
          <endpoint address="http://localhost/WCFTestService/Service.svc"
                    binding="wsHttpBinding"
                    bindingConfiguration="WSHttpBinding_IService"
                    contract="WCFTestService.IService"
                    name="WSHttpBinding_IService">
          </endpoint>
        </client>
      </system.serviceModel>
    </configuration>

    Service config pieces:

    <system.serviceModel>
      <services>
        <service name="Service" behaviorConfiguration="ServiceBehavior">
          <!-- Service Endpoints -->
          <endpoint address="" binding="wsHttpBinding" contract="IService">
            <!--
            Upon deployment, the following identity element should be
            removed or replaced to reflect the
            identity under which the deployed service runs. If removed,
            WCF will infer an appropriate identity
            automatically.
            -->
          </endpoint>
          <endpoint address="mex" binding="mexHttpBinding"
                    contract="IMetadataExchange"/>
        </service>
      </services>
      <behaviors>
        <serviceBehaviors>
          <behavior name="ServiceBehavior">
            <!-- To avoid disclosing metadata information, set the value below
                 to false and remove the metadata endpoint above before deployment -->
            <serviceMetadata httpGetEnabled="true"/>
            <!-- To receive exception details in faults for debugging
                 purposes, set the value below to true. Set to false before deployment to
                 avoid disclosing exception information -->
            <serviceDebug includeExceptionDetailInFaults="false"/>
          </behavior>
        </serviceBehaviors>
      </behaviors>
    </system.serviceModel>
    Larry, Apr 22, 2009
    #1

  2. Steven Cheng

    Steven Cheng Guest

    Hi Larry,

    From your description, you have some WCF services which are called by an
    ASP.NET web application (which uses Windows integrated authentication).
    However, the ASP.NET web page (calling those WCF services) reports an
    authentication error, correct?

    According to the WCF service and client proxy (in ASP.NET) configuration,
    I've got that your WCF service is configured with WSHttpBinding and uses the
    default message layer security (with Windows client credential type). In
    such mode, the client-side proxy will automatically use the current
    security account (of the current process/executing thread) as the client
    security token for the WCF service authentication if you haven't
    explicitly specified a different account.

    So I'd like to confirm the execution environment of your ASP.NET web
    application since that will affect the authentication behavior between the
    WCF service and the client running in the ASP.NET app.

    ** Is the ASP.NET web application running on the same server as the WCF
    service, or are they hosted remotely?

    ** What is the IIS version of the server that hosts the ASP.NET web app? And
    what is the current security account the ASP.NET web app (and the pages in
    it) is executing under? You can use the following code to output the
    executing account in an ASP.NET page:

    Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);

    ** Have you enabled "impersonate" in your ASP.NET web app?

    All these will affect the authentication behavior between your ASP.NET WCF
    client and the WCF service side.


    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

    Note: MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 2 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions. Issues of this
    nature are best handled working with a dedicated Microsoft Support Engineer
    by contacting Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.



    Steven Cheng, Apr 22, 2009
    #2

  3. Larry

    Larry Guest

    Thanks for the reply Steven.

    With the product installation, the web app and the WCF services will usually
    be on separate machines, though it can be on single machines (especially for
    demos). The IIS version currently is 6.0, though I'm trying to get it to
    work on 7.0 as well (I've got IIS 6 management compatibility installed).
    The current security account is a domain user in the administrators group.
    Impersonate is not enabled (I also have web services talking to each other,
    so if this needs to be done, I need to do it between services as well).

    Larry

    Larry, Apr 22, 2009
    #3
  4. Steven Cheng

    Steven Cheng Guest

    Thanks for your reply Larry,

    So let's just assume the server topology to be remote based (ASP.NET web
    app and web service hosted on separate machines).

    For IIS6, the worker process account should be the application pool
    account (configured for your application virtual directory); since you're
    using a domain account (without impersonation), this domain account
    should be used as the security identity when your ASP.NET web app calls
    the remote WCF service (which uses wsHttpBinding and default message layer
    security).

    Also, if you found that the above behavior is what happened in your case,
    you can try explicitly specifying client credentials (when calling the WCF
    service in the ASP.NET page) to see whether it works. e.g.

    ===============
    using System;
    using System.Net;
    using System.ServiceModel;

    static void CallService()
    {
        // Proxy generated by "Add Service Reference" for the wsHttpBinding endpoint
        ServiceReference1.WSHttpServiceClient client =
            new IISHostClientApp.ServiceReference1.WSHttpServiceClient();

        // Use the current security identity (the process / executing thread token)
        client.ClientCredentials.Windows.ClientCredential =
            CredentialCache.DefaultNetworkCredentials;

        // Or explicitly specify a credential
        //client.ClientCredentials.Windows.ClientCredential =
        //    new NetworkCredential("username", "password", "domain");

        try
        {
            string ret = client.SayHello("steven");
            Console.WriteLine(ret);
            client.Close();
        }
        catch (CommunicationException)
        {
            // A faulted channel cannot be closed; abort it instead
            client.Abort();
            throw;
        }
    }
    ===============

    You can also test the behavior via a console client (running on that ASP.NET
    web application host server) to watch the difference. If there are any
    findings or anything unclear on this, please feel free to post here.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Steven Cheng, Apr 24, 2009
    #4
  5. Larry

    Larry Guest

    Steven,

    Thanks for the reply. Unfortunately, what you mentioned in your last
    response is how I am already doing things. You can see my config from my
    original posting. The web application and the web services all run under an
    application pool with a domain administrator. I also have to disable
    anonymous access in IIS. If I enable anonymous access, what I've done and
    what you mention works. But, it is a requirement to not allow anonymous
    access. Can I get this to work with windows authentication and message
    level security?

    Larry

    The problem is that as I stated in my original question, I can't allow
    anonymous access in IIS. What I
    Larry, Apr 24, 2009
    #5
  6. Steven Cheng

    Steven Cheng Guest

    Thanks for your reply Larry,

    So the problem is actually due to "anonymous access" having been disabled on
    that directory. Unfortunately, so far the recommended way for WCF securing
    is either using transport layer or using message layer security. When the
    IIS virtual dir has anonymous access disabled, that means you have to
    follow transport layer security (the IIS security setting is at the
    transport layer). Is it possible to allow "anonymous access" for that IIS
    application? Thus, we can still use Windows authentication at the message
    layer and get the client-side caller's security credentials.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Steven Cheng, Apr 27, 2009
    #6
  7. Larry

    Larry Guest

    Thanks for looking into this Steven. It looks like I may change the host
    from IIS to a Windows service (for more reasons than this issue). But out
    of curiosity, what is it about the anonymous access that WCF uses to make it
    a requirement? I'm just trying to understand this aspect of the
    communication more. If you could provide any links, documentation or book
    references that would be appreciated.

    Larry

    Larry, Apr 27, 2009
    #7
  8. Steven Cheng

    Steven Cheng Guest

    Thanks for your reply Larry,

    When you host WCF in IIS, the difference from other hosting scenarios (like
    self host) is that IIS helps provide the transport layer (HTTP layer). And
    that also means all those IIS-specific authentication settings are at the
    transport layer. In such cases, you'll have the following reasonable security
    configurations for your WCF service:

    1. Use the IIS-provided transport security. You can use basicHttpBinding; this
    is the simplest HTTP binding, which completely conforms to standard HTTP
    communication also used by other ASP.NET web pages and ASMX web services. And
    by setting the security mode to "TransportCredentialOnly", you can get the same
    behavior as an ASP.NET ASMX web service. So you can let IIS help do the
    Windows authentication here (over the HTTP protocol), but no encryption or
    signing is provided here.

    Or you can use HTTPS/SSL to ensure further encryption and signing protection.


    2. Use message layer security. Then, WCF uses WS-* message layer
    protocols to ensure encryption and signing protection. And
    authentication/credentials are also processed at the message layer. We no
    longer rely on IIS to do the authentication. So in such cases, we need to
    turn off the IIS authentication (let all the requests pass through). That's
    why we need to turn anonymous access on. We do all the authentication at the
    WCF message layer.

    For reference, I would suggest the MSDN documentation's security reference on
    WCF:

    #Security Overview
    http://msdn.microsoft.com/en-us/library/ms735093.aspx

    And here are some web articles discussing on using the basic httpbinding
    with WCF:

    #How to: Configure WCF Service to Interoperate with ASP.NET Web Service
    Clients
    http://msdn.microsoft.com/en-us/library/ms731134.aspx

    #WCF : BasicHttpBinding compared to WSHttpBinding at SOAP packet level
    http://geekswithblogs.net/claeyskurt/archive/2008/04/22/121508.aspx

    #Recipe: WCF basicHttpBinding with Windows Authentication
    http://www.rickgaribay.net/archive/2007/04/04/recipe-wcf-basichttpbinding-with-windows-authentication.aspx

    If you have any specific questions ,please feel free to post here.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

    --------------------
    >From: "Larry" <
    >Subject: Re: WCF and Integrated Windows Authentication
    >Date: Mon, 27 Apr 2009 11:28:56 -0600
    >
    >Thanks for looking into this Steven. It looks like I may change the host
    >from IIS to a Windows service (for more reasons than this issue). But out
    >of curiosity, what is it about the anonymous access that WCF uses to make
    >it a requirement? I'm just trying to understand this aspect of the
    >communication more. If you could provide any links, documentation or book
    >references that would be appreciated.
    >
    >Larry
    >
    >""Steven Cheng"" <> wrote in message
    >news:...
    >> Thanks for your reply Larry,
    >>
    >> So the problem is actually due to "anonymous access" having been disabled on
    >> that directory. Unfortunately, so far the recommended way for WCF securing
    >> is either using transport layer or using message layer security. When the
    >> IIS virtual dir has disabled anonymous access, that means you have to
    >> follow transport layer security (the IIS security setting is at the
    >> transport layer). Is it possible to allow "anonymous access" for that IIS
    >> application? Thus, we can still use Windows authentication at the message
    >> layer and get the client-side caller's security credentials.
    >>
    >> Sincerely,
    >>
    >> Steven Cheng
    >>
    >> Microsoft MSDN Online Support Lead
    >>
    >> --------------------
    >>>From: "Larry" <>
    >>>Subject: Re: WCF and Integrated Windows Authentication
    >>>Date: Fri, 24 Apr 2009 10:43:48 -0600
    >>>
    >>>Steven,
    >>>
    >>>Thanks for the reply. Unfortunately, what you mentioned in your last
    >>>response is how I am already doing things. You can see my config from my
    >>>original posting. The web application and the web services all run under
    >>>an application pool with a domain administrator. I also have to disable
    >>>anonymous access in IIS. If I enable anonymous access, what I've done and
    >>>what you mention works. But, it is a requirement to not allow anonymous
    >>>access. Can I get this to work with Windows authentication and message
    >>>level security?
    >>>
    >>>Larry
    >>>
    >>>The problem is that as I stated in my original question, I can't allow
    >>>anonymous access in IIS. What I
    >>>""Steven Cheng"" <> wrote in message
    >>>news:...
    >>>> Thanks for your reply Larry,
    >>>>
    >>>> So let's just assume the server topology to be remote based (ASP.NET web
    >>>> app and web service hosted on separate machines).
    >>>>
    >>>> For IIS6, the worker process account should be the application pool
    >>>> account (configured for your application virtual directory). Since you're
    >>>> using a domain account (without impersonation), this domain account
    >>>> should be used as the security identity when your ASP.NET web app is
    >>>> calling the remote WCF service (which uses wsHttpBinding and default
    >>>> message layer security).
    >>>>
    >>>> Also, if you find that the above behavior is what happened in your case,
    >>>> you can try explicitly specifying client credentials (when calling the WCF
    >>>> service in the ASP.NET page) to see whether it works. e.g.
    >>>>
    >>>> ====
    Steven Cheng, Apr 28, 2009
    #8
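The two configurations Steven lists in the post above, written out as an added example (this is not config from the thread, from Larry, or from the Microsoft articles linked). It is a service-side web.config fragment for an IIS-hosted WCF service that also calls a downstream service, which is Larry's topology. Option 1 is basicHttpBinding with TransportCredentialOnly (IIS performs Windows authentication at the transport layer, so anonymous access can stay disabled), with a Transport/HTTPS variant beside it; option 2 is wsHttpBinding with Message security, which needs anonymous access enabled in IIS. The service and contract names (Demo.OrderService, Demo.IOrderService, Demo.IDownstreamService), the binding names and the downstream URL are assumptions.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- Added example, not from the thread. Demo.* names, binding names and the
     downstream URL are assumptions; replace them with your own. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Option 1: credentials at the transport layer over plain HTTP.
             IIS vdir: Anonymous OFF, Integrated Windows Authentication ON.
             Negotiate/NTLM protects the credential, but the SOAP body is
             neither encrypted nor signed. -->
        <binding name="IisWindowsHttp">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
        <!-- Option 1 over HTTPS: SSL adds encryption and integrity.
             IIS vdir: Anonymous OFF, Windows auth ON, Require SSL ON. -->
        <binding name="IisWindowsHttps">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
      <wsHttpBinding>
        <!-- Option 2: WCF authenticates, signs and encrypts at the message
             layer with WS-Security; IIS must let the request through, so the
             vdir needs Anonymous ON (the Windows credential is checked by WCF,
             not by IIS). -->
        <binding name="MessageWindows">
          <security mode="Message">
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <services>
      <service name="Demo.OrderService">
        <!-- Use exactly one endpoint, matching the IIS authentication settings
             of the virtual directory: anonymous disabled -> option 1. -->
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="IisWindowsHttp"
                  contract="Demo.IOrderService" />
        <!-- Option 2 alternative (requires anonymous access enabled in IIS):
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="MessageWindows"
                  contract="Demo.IOrderService" />
        -->
      </service>
    </services>

    <!-- This same application also calls another IIS-hosted service. With the
         transport-credential binding, WCF answers the HTTP 401
         "Negotiate,NTLM" challenge using the application pool's domain
         identity (no impersonation), instead of sending the request as
         'Anonymous' as a Message-mode wsHttpBinding client would. -->
    <client>
      <endpoint name="Downstream"
                address="http://svc2.example.com/Downstream/Service.svc"
                binding="basicHttpBinding"
                bindingConfiguration="IisWindowsHttp"
                contract="Demo.IDownstreamService" />
    </client>
  </system.serviceModel>
</configuration>
```

Two points a practitioner should check before shipping this: the IIS authentication settings of the virtual directory have to agree with the binding, since WCF refuses to activate a service whose binding expects an authentication scheme the vdir does not offer (and, for message security, one whose vdir does not allow anonymous requests); and TransportCredentialOnly leaves the payload in clear text on the wire, so it belongs on a trusted internal network only. Where the data matters, use the IisWindowsHttps binding with SSL required in IIS.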