We have a some web services hosted in IIS8 that were running fine with anonymous authentication set. Then a couple of days ago anonymous authentication was disabled in favour for windows authentication which made it impossible to connect to the web services. Now we have reverted to anonymous authentication but the site still asks for windows credentials:
The HTTP request is unauthorized with client authentication scheme
'Anonymous'. The authentication header received from the server was
'Negotiate,NTLM'.
What we have done is this:
in web.config:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="CustomHttpBinding" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="None">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
and in IIS Manager we only have Anonymous Authentication checked:
In the applicationHost.config file everything seems correct:
<location path="Path/WebServices">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="false" useKernelMode="true">
<providers>
<clear />
<add value="NTLM" />
<add value="Negotiate" />
</providers>
<extendedProtection tokenChecking="None" />
</windowsAuthentication>
<anonymousAuthentication enabled="true" />
<basicAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
App-pools, site, and server have all been restarted/recycled.
Where else should I look? Thanks.
I agree that everything looks correct from what you've shown. I would recommend reviewing all your visible configuration for any anonymous/Windows auth that may apply that you may not be seeing. To do this, in IIS Manager click on the Server on the Left, then select Configuration Editor. On the right, select Search Configuration. The search at the top only accepts "section names" so things like WindowsAuthentication and AnonymousAuthentication are good searches. Review each place in your config that may apply to your site/app.
It turned out that the DNS pointed to a different server than the one I was doing my changes in.
Related
I have a C# based WCF RESTful webservice in IIS7 running on Windows Server 2008. The webservice accepts XML data via HTTPS POST only. customBinding is being used. I have checked "Require SSL" in the SSL Settings option and also selected the option of "Require" in that same page.
During the SSL handshake, however, I do not see the server sending a CertificateRequest (ssl.handshake.type = 13) request from the Server. I can only see a (ServerHello, Certificate, ServerHelloDone). After the ServerHelloDone message there is a "Bad Certificate" message in the wireshark capture.
Can someone please help ? The relevant part of the binding in Web.Config file contents are as follows :
<bindings>
<customBinding>
...
<binding name="RawReceiveCapableHttps">
<webMessageEncoding webContentTypeMapperType="e000webapp1.RawContentTypeMapper, e000webapp1, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<httpsTransport manualAddressing="true" maxReceivedMessageSize="524288000" transferMode="Streamed" requireClientCertificate="true" />
<!-- security mode="Transport">
<transport clientCredentialType="Certificate" />
</security -->
</binding>
</customBinding>
</bindings>
I am trying to configure a basic IIS 7 hosted WCF service that uses Windows Authentication to authorize users. I have seen many examples that demonstrate how to flow credentials using basicHttpBinding with <security mode="TransportCredentialOnly"> and SSL. When I configure my service to use TransportCredentialOnly, I get the following error if I try to view the svc file in IE:
Could not find a base address that matches scheme http for the
endpoint with binding BasicHttpBinding. Registered base address
schemes are [https].
I am hosting in IIS 7. SSL is configured with a valid certificate. Windows Authentication is on. Anonymous authentication is off. Application pool is ASP.Net v4.0 running under the ApplicationPoolIdentity
Here is the config file for my service:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
</roleManager>
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="svcTest" >
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" httpsHelpPageEnabled="true" httpHelpPageEnabled="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpEndpointBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="WCF_Test.Service1" behaviorConfiguration="svcTest">
<endpoint name ="Service1Endpoint"
address="EndpointTest"
binding="basicHttpBinding"
bindingConfiguration="BasicHttpEndpointBinding"
contract="WCF_Test.IService1">
</endpoint>
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
If I change the binding to use Transport instead of TransportCredentialOnly then I am able to view my service file in IE. I can then create a proxy to my web client and call a method on the service from my client and attempt to authorize the user from the service method using this code:
if(System.Web.Security.Roles.IsUserInRole(#"Admins"))
This code does not work because it uses the identity of the account running IIS on the server (IIS APPPOOL\ASP.NET v4.0) and not that of the user calling the web service from a web page.
How do I configure IIS 7 with a valid SSL certificate to use basicHttpBinding with security mode="TransportCredentialOnly"?
How do I flow my users Windows credentials client to the web service so I can authorize users on the web service using this code?
[PrincipalPermission(SecurityAction.Demand, Role = "Admins")]
or this code
if(System.Web.Security.Roles.IsUserInRole(#"Admins"))
Any help would be greatly appreciated.
Thank You
Probably the problem is in the configuration of IIS, before it gets to your code or your web.config.
If IIS has anonymous authentication turned on, the request coming into ASP.net will look like it came from the user identity of IIS.
In the IIS config you must turn off anonymous authentication and turn on windows authentication.
My guess is you need to use the basicHttp s Binding instead.
I'm a new member in this fantastic website and this is my first question here ..
I wish I can find the solution..
I'm building a website and I need to secure the communications between clients and the server.
I should Use WCF in the implementation.
My project's requirements :
use WCF
binding: ws2007HttpBinding
security: HTTPS
client: Sign
I should use HTTPS for securing the communications and I should make the client sign the message (it's important).
I install certificates in both server and Client But I don't knoe how to make the clients sign the message.
I can't use message security in the wcf because I need HTTPS. Anyone can help me to know what is the TransportWithMessageCredential do for signing and how to implement such a thing??
Here is part of the app.config of the server:
<bindings>
<ws2007HttpBinding>
<binding name="ServiceWS2007HttpBindingConfg">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="Certificate" negotiateServiceCredential="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<services>
<service name="Service">
<endpoint address="https://MAHER-PC/EBPP/Service.svc" binding="ws2007HttpBinding"
bindingConfiguration="ServiceWS2007HttpBindingConfg" contract="IService" />
</service>
</services>
thanks....
Depends on what you're planning to sign.
A good place to start would be to have a look at setting the ProtectionLevel for your service in the service contract.
Information:
http://msdn.microsoft.com/en-gb/library/aa347692.aspx
How to:
http://msdn.microsoft.com/en-gb/library/aa347791.aspx
I have been googling everywhere I can possibly find (including here on Stackoverflow) to figure out an error I've got trying to deploy a WCF service to IIS 7.5 on Windows 7 x64 that runs only over SSL with basic HTTP authentication. I've got a site in IIS which has a binding to port 50443 for HTTPS with a self-signed cert. (I can't use the standard port 443, as we plan on deploying this to IIS on a server which is already running Tomcat which is listening on 80 and 443.)
This is the web.config:
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="SSLBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Basic"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="HelloWorldWcf.HelloWorldWcfService">
<endpoint name="HelloWorldWcf.HelloWorldWcfService"
address="https://mylaptop:50443/HelloWorld/Service1.svc"
binding="basicHttpBinding"
bindingConfiguration="SSLBinding"
contract="HelloWorldWcf.IHelloWorldWcfService"/>
<endpoint address="https://mylaptop:50443/HelloWorld/Service1.svc/mex"
binding="mexHttpsBinding"
contract="IMetadataExchange"/>
</service>
</services>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
If I browse to the service endpoint address and enter the basic authentication credentials manually, I get the following exception error message displayed in my browser:
The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: context.ListenUriBaseAddress
This is the same error I got trying to run a WCF client against a similar service, except that it ends with "Parameter name: via" (because the parameter name of the method that shows up in the call stack, "System.ServiceModel.Channels.TransportChannelFactory`1.ValidateScheme(URI via)", is in fact "via").
I've tweaked the server and client config files so many times I've lost track, but the web.config file above is my best guess so far--and it doesn't even work from a browser, much less a WCF client.
What do I need to do to access a WCF service hosted in IIS 7.5 on a nonstandard SSL port with basic HTTP authentication over HTTPS? Help! (& Thanks!)
try add this to binding
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None" realm=""/>
<message clientCredentialType="Certificate" algorithmSuite="Default" />
</security>
Arrrrgh! Okay, the remaining steps to get it to work:
Replace my <security> node in the web.config with burning_LEGION's.
Eliminate the "mex" endpoint from the web.config. (This allowed me to get to the usual "You have created a service" friendly web page in my browser.)
Escaped the backslash in the "DOMAIN\username" string I was assigning to HelloWorldWcfServiceClient.ClientCredentials.UserName.UserName in the client C# code. (Did I say "arrrrgh!"? Man, is my face red.) This eliminated the error I got after steps 1 and 2:
System.ServiceModel.Security.MessageSecurityException: "The HTTP
request is unauthorized with client authentication scheme 'Basic'. The
authentication header received from the server was 'Basic
realm="mylaptop"'.---> System.Net.WebException: The remote server
returned an error: (401) Unauthorized.
I got the idea for step 2 from here which made me think mex was unhappy with HTTPS, and for step 3 from here where I noticed the user name was #"domain\username", not "domain\username".
+1 to burning_LEGION for the assist!
So, the unanswered questions: (1) why does the security/message node have any effect on a configuration that doesn't use message security (only transport security)? (2) what's the point of the mex endpoint if it just interferes with normal operation? (3) If mode="TransportCredentialOnly" doesn't work with HTTPS, why don't I get an error indicating this?
Is it possible to configure a WCF service to use sessions, and also not to require the client to send any credentials?
If so, how should the bindings section of the service's App.config file look?
See http://msdn.microsoft.com/en-us/library/system.servicemodel.channels.reliablesessionbindingelement.aspx to establish a session using the WS-ReliableMessaging spec. I don't see why this should require authentication.
<customBinding>
<binding name="BasicWithWSReliable">
<reliableSession />
<httpTransport authenticationScheme="Anonymous"/>
</binding>
</customBinding>