We Keep Coding

IIS Anonymous Authentication enabled but credentials required

We have a some web services hosted in IIS8 that were running fine with anonymous authentication set. Then a couple of days ago anonymous authentication was disabled in favour for windows authentication which made it impossible to connect to the web services. Now we have reverted to anonymous authentication but the site still asks for windows credentials:
The HTTP request is unauthorized with client authentication scheme
'Anonymous'. The authentication header received from the server was
'Negotiate,NTLM'.
What we have done is this:
in web.config:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="CustomHttpBinding" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="None">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
and in IIS Manager we only have Anonymous Authentication checked:
In the applicationHost.config file everything seems correct:
<location path="Path/WebServices">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="false" useKernelMode="true">
<providers>
<clear />
<add value="NTLM" />
<add value="Negotiate" />
</providers>
<extendedProtection tokenChecking="None" />
</windowsAuthentication>
<anonymousAuthentication enabled="true" />
<basicAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
App-pools, site, and server have all been restarted/recycled.
Where else should I look? Thanks.

I agree that everything looks correct from what you've shown. I would recommend reviewing all your visible configuration for any anonymous/Windows auth that may apply that you may not be seeing. To do this, in IIS Manager click on the Server on the Left, then select Configuration Editor. On the right, select Search Configuration. The search at the top only accepts "section names" so things like WindowsAuthentication and AnonymousAuthentication are good searches. Review each place in your config that may apply to your site/app.

It turned out that the DNS pointed to a different server than the one I was doing my changes in.

Simple WCF service not getting called after deploying on different machine, however works fine on my local system

I just tried to create a very simple wcf application. That is on a click of button i am trying to print "Hello World" on the page. I published the service and as again it works fine on my local system, but same when i try to deploy on server it doesn't. This application is damn simple, no complexities, not database connection, nothing. But still fails to call the service from the server. Checking on services,(Service1.svc -. Right Click -> Browse) works fine, but then why it fails to call through application, i don't know. Its getting rather more confusing now. Totally clueless on this. Posting all 3 necessary files used in the code.
web.config file :
<?xml version="1.0"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<services>
<service name ="ApplicationReturnString.Web.Service1.svc">
<endpoint address="" binding="basicHttpBinding"
contract="ServiceReference1.IService1"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
</configuration>
ClientAccessPolicy.xml file:
<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>
<resource include-subpaths="true" path="/"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
CrossDomain.xml file:
<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
ServiceRefrence.ClientConfig file :
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IService1" maxBufferSize="2147483647"
maxReceivedMessageSize="2147483647">
<security mode="None" />
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:52731/Service1.svc" binding="basicHttpBinding"
bindingConfiguration="BasicHttpBinding_IService1" contract="ServiceReference1.IService1"
name="BasicHttpBinding_IService1" />
</client>
</system.serviceModel>
</configuration>

Thanks Roy & Nitin. Actually the issue was on setting up endpoint address in web.config file and also as the services was getting deployed in other machine, the URL of the application was getting changed. So i made some important changes given below: 1. Gave the endpoint address, endpoint name and Contract details in web.config file same as in ServiceRefrence.ClientConfig file. 2. Change the endpoint address in ServiceRefrence.ClientConfig without specific port details:; rather then ;and 3. Coded in the app to get the URI address of the machine where it executes so that wherever the app is deployed user has not to worry about the localhost address and its port details: Uri servUri = new Uri("../Service.svc", UriKind.Relative); EndpointAddress servAddr = new EndpointAddress(servUri); ServiceReferenceForSelect.ServiceForSelectClient objSelect = new ServiceForSelectClient("BasicHttpBinding_IService", servAddr);

iis7 wcf: on local computer I get 401 - Unauthorized: Access is denied due to invalid credentials

I am new to web services and I have following problem. I have a WCF service that is running in Windows Authentication mode on IIS 7.5 and Windows 2008 R2.
It works good when I call it directly from the IIS machine.
But when I try to call service from local computer then I get following error: 401 - Unauthorized: Access is denied due to invalid credentials.
The service was working on local computers for few days and suddenly it stopped (I am not sure but it is possible that some configuration was changed).
I call service directly from IExplorer: http://serveriis/ssopension/service.svc
web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>O8jBoF9YUW3sZtSN+L/Xxhzss=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>C+EeTszivHho8Ujk2oIQ==</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
<system.web>
<compilation targetFramework="4.0" />
<authentication mode="Windows" />
<pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" />
</system.web>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpEndpointBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="SSO_Pension.ServiceBehavior" name="SSO_Pension.Service">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpEndpointBinding" name="BasicHttpEndpoint" contract="SSO_Pension.IService">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="SSO_Pension.ServiceBehavior">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<system.webServer>
<defaultDocument>
<files>
<add value="Service.svc" />
</files>
</defaultDocument>
</system.webServer>
</configuration>

I found the solution on
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/c9239a89-fbee-4adc-b72f-7a6a9648331f/
To whoever this may help, this saved my life...
IIS 7 was difficult for figuring out why i was getting the 401 -
Unauthorized: Access is denied due to invalid credentials... until i
did this...
1.) Open iis and select the website that is causing the 401
2.) Open the "Authentication" property under the "IIS" header
3.) Click the "Windows Authentication" item and click "Providers"
4.) For me the issue was that Negotiate was above NTLM. I assume that there was some kind of handshake going on behind the scenes, but i was
never really authenticated. I moved the NTLM to the top most spot, and
BAM that fixed it.

Thanks man!
I've been searching everywhere for this, including these two articles:
http://blogs.msdn.com/b/distributedservices/archive/2009/11/10/wcf-calling-wcf-service-hosted-in-iis-on-the-same-machine-as-client-throws-an-authentication-error.aspx
http://support.microsoft.com/default.aspx?scid=kb;EN-US;926642
This solved my problem.

WCF: Using nettcp in an Silverlight 4.0 application with HTTPS

I have a Silverlight 4.0 application using nettcp working in HTTP. I then attempted to switch from http to https. This is where I started to run into issues. When I run the application I receive an Internet Explorer notification "Display Mixed Content?". If I click "Yes" then I receive an error in my application:
Could not connect to net.tcp://ServerName:4502/TestService.svc/netTcp. The connection attempt lasted for a time span of 00:00:01.2191219. TCP error code 10013: An attempt was made to access a socket in a way forbidden by its access permissions.. This could be due to attempting to access a service in a cross-domain way while the service is not configured for cross-domain access. You may need to contact the owner of the service to expose a sockets cross-domain policy over HTTP and host the service in the allowed sockets port range 4502-4534.
My ClientConfig is as follows:
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="NetTcpBinding_ITestService">
<binaryMessageEncoding />
<tcpTransport maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="net.tcp://ServerName:4502/TestService.svc/netTcp"
binding="customBinding" bindingConfiguration="NetTcpBinding_ITestService"
contract="TestServer.ITestService" name="NetTcpBinding_ITestService"/>
</client>
</system.serviceModel>
</configuration>
My Web.config is as follows:
<netTcpBinding>
<binding name="netTcpBindingConfig">
<security mode="None" />
</binding>
</netTcpBinding>
</bindings>
<services>
<service name="TestService">
<endpoint address="netTcp" binding="netTcpBinding" bindingConfiguration="netTcpBindingConfig" contract="ITestService" />
<endpoint address="mex" binding="mexHttpsBinding" name="mex" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="net.tcp://ServerName:4502/TestService.svc" />
<add baseAddress="https://ServerName/TestService.svc" />
</baseAddresses>
</host>
</service>
</services>
At the Root of my server I have a file called clientaccesspolicy.xml:
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="http://*"/>
<domain uri="https://*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true" />
<socket-resource port="4502-4530" protocol="tcp" />
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
The nettcp communication does not need to be secure, but other services in the application require security. Is it possible to get nettcp running in an HTTPS hosted application?

Configuring SSL (https) for ws2007FederationHttpBinding Endpoint 404 No Endpoint found

Another WIF related problem - can anyone point me in the direction of how to configure https in wcf for a ws2007FederationHttpBinding endpoint. I have the certificates and bindings all set-up in IIS, but whenever I try to connect to the endpoint I get a 404 error. My binding looks like this
<bindings>
<ws2007FederationHttpBinding>
<binding name="BindingConfigName">
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false">
<issuerMetadata address="https://identity.localhost/issue/wstrust/mex" />
<claimTypeRequirements>
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
</claimTypeRequirements>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
Endpoint Looks Like
<endpoint address="https://services.localhost/MyService.svc" binding="ws2007FederationHttpBinding"
bindingConfiguration="BindingConfigName"
bindingNamespace="MyNamespace"
contract="IServiceContract">
</endpoint>
Really struggling to see what to do.
Matt