Windows Authentication for WCF service with Silverlight 5, IIS 7.5 - wcf

I have a Silverlight 5 Prism application with a (regular) WCF service in an ASP.net project. I'm using IIS 7.5 to host it on the localhost. I followed all the steps in
How to: Use Windows Authentication to Secure a Service for Silverlight Applications
How to: Host a Secure Service in ASP.NET for Silverlight Applications
but I can't get windows authentication to work. Whenever I turn off anonymous authentication in IIS, my application throws an The remote server returned an error: NotFound. exception because it doesn't find the WCF service.
When I try to update the service reference in Visual Studio I get the error Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.
When I turn on Anonymous Authentication the service works, but I don't get the windows user credentials. My browser (IE 8) is set to use integrated windows authentication and automatically logon in the local intranet.
What am I doing wrong?
Here is my IIS 7.5 configuration. The Application pool is running in Integrated mode:
web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation debug="true" />
<authentication mode="Windows" />
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
</system.serviceModel>
</configuration>
ServiceReferences.ClientConfig:
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_ISecurityService" maxBufferSize="2147483647"
maxReceivedMessageSize="2147483647">
<security mode="TransportCredentialOnly" />
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:85/SecurityService/SecurityService.svc"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_ISecurityService"
contract="SecurityServiceReference.ISecurityService" name="BasicHttpBinding_ISecurityService" />
</client>
</system.serviceModel>
</configuration>

I am only guessing on the WCF part that this may not be set up properly for windows authentication. The wcf service needs to be configured to authenticate the requests from IIS with windows credentials as well. So, in that case, I would expect that there needs to be a behavior in the service demanding this. Check to see if you have configured these correcntly. servicecredentials and clientcredentials.
serviceCredentials
Security behaviours in WCF

Related

Hosting multiple WCF services with single certificate

I have three different WCF services deployed on server separately in there own application directory under "Default WebSites" in IIS. One of the service is deployed by me and two other services are deployed by some other client. There is a single server certificate deployed in IIS to which i have bind my service.
But when i try to access my service form https I get this error in popup:
"Address Mismatched.
The security certificate presented by this website was issued for a different website's address.
This problem might indicate an attempt to fool you or intercept any data you send to the server."
Thee web.config file of my service is as following
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<identity impersonate="false" />
</system.web>
<system.serviceModel>
<services>
<service name="WcfApp.Service">
<endpoint address="customer"
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding"
contract="WCFApp.ICustomerService" />
<endpoint address="order"
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding"
contract="WcfApp.IOrderService" />
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior >
<serviceMetadata httpsGetEnabled="True" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceThrottling maxConcurrentCalls="21" maxConcurrentSessions="50" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<directoryBrowse enabled="true" />
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
</configuration>
Interesting thing is that when I hit the following URL:
https://myserverurl.com/applicationfolder/service.svc?wsdl
to get the wsdl, it runs perfectly and returns me the wsdl description but the original call is not working.
Why am I getting the "Mismatched Address"? Is there need to add host base address? if yes how and where exactly to add it in web.config and is there need to add it in other two wcf services deployed? Is port conflicting with certificate? I am new to wcf please help me resolve this issue?
I am using .net 4.0, IIS 7.0, windows server 2008.
Thanks in advance.
The error message says (basically) that the certificate that you are using for your site doesn't match the DNS name that is being used (from the client's browser) to connect to the site.
My guess is that you are implementing virtual hosting; i.e. multiple services with different DNS names that are being served from one IIS instance. This won't work ... unless you either use a different certificate for each service, or you use a wild-card certificate that matches all of the service DNS names.
Apparently, name-based SSL virtual hosting is not supported by IIS prior to 7.0. This article describes how to configure it for IIS 7.0. But note that the names in the respective certificates must match the corresponding virtual host names ...
Note that the requirement that the hostnames and certificates must match is fundamental to SSL security. It is what allows the browser / user to know that it is talking to the expected server (based on the DNS name) and not some imposter site.

WCF Service hosted in IIS 7 using basicHttpBinding and TransportCredentialOnly fails

I am trying to configure a basic IIS 7 hosted WCF service that uses Windows Authentication to authorize users. I have seen many examples that demonstrate how to flow credentials using basicHttpBinding with <security mode="TransportCredentialOnly"> and SSL. When I configure my service to use TransportCredentialOnly, I get the following error if I try to view the svc file in IE:
Could not find a base address that matches scheme http for the
endpoint with binding BasicHttpBinding. Registered base address
schemes are [https].
I am hosting in IIS 7. SSL is configured with a valid certificate. Windows Authentication is on. Anonymous authentication is off. Application pool is ASP.Net v4.0 running under the ApplicationPoolIdentity
Here is the config file for my service:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
</roleManager>
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="svcTest" >
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" httpsHelpPageEnabled="true" httpHelpPageEnabled="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpEndpointBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="WCF_Test.Service1" behaviorConfiguration="svcTest">
<endpoint name ="Service1Endpoint"
address="EndpointTest"
binding="basicHttpBinding"
bindingConfiguration="BasicHttpEndpointBinding"
contract="WCF_Test.IService1">
</endpoint>
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
If I change the binding to use Transport instead of TransportCredentialOnly then I am able to view my service file in IE. I can then create a proxy to my web client and call a method on the service from my client and attempt to authorize the user from the service method using this code:
if(System.Web.Security.Roles.IsUserInRole(#"Admins"))
This code does not work because it uses the identity of the account running IIS on the server (IIS APPPOOL\ASP.NET v4.0) and not that of the user calling the web service from a web page.
How do I configure IIS 7 with a valid SSL certificate to use basicHttpBinding with security mode="TransportCredentialOnly"?
How do I flow my users Windows credentials client to the web service so I can authorize users on the web service using this code?
[PrincipalPermission(SecurityAction.Demand, Role = "Admins")]
or this code
if(System.Web.Security.Roles.IsUserInRole(#"Admins"))
Any help would be greatly appreciated.
Thank You
Probably the problem is in the configuration of IIS, before it gets to your code or your web.config.
If IIS has anonymous authentication turned on, the request coming into ASP.net will look like it came from the user identity of IIS.
In the IIS config you must turn off anonymous authentication and turn on windows authentication.
My guess is you need to use the basicHttp s Binding instead.

jsonp with wcf works with vs.net server but NOT on IIS

This is driving me nuts. I have a .net 4, wcf service that is outputting jsonp. It works using the built in web server with vs.net however if i try to host in iis7 on windows 7 64bit i don't get any response.
If I try to navigate to svc file while hosted in iis7 I get
"Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service."
If trying to access via client jquery jsonp request i don't get any response from the service being hosted in iis7
So, the configuration of the service (web.config) is fine when hosted within vs.net web server (just doesn't work with iis)
Here is the config
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="webHttpBehavior">
<webHttp />
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="webHttpBindingWithJsonP" crossDomainScriptAccessEnabled="true" />
</webHttpBinding>
</bindings>
<services>
<service name="ServiceSite.CustomersService">
<endpoint address="" binding="webHttpBinding"
bindingConfiguration="webHttpBindingWithJsonP" contract="ServiceSite.CustomersService"
behaviorConfiguration="webHttpBehavior"/>
</service>
</services>
</system.serviceModel>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
The site must be ntlm/windows secured.
I added the following to the web.config bindings section
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm"/>
</security>
When browsing the svc file I now get Cross domain javascript callback is not supported in authenticated services
Really? Is this true jsonp is not supported?
This is probably symptomatic of misconfiguration of the web site. Go to Authntication feature of the website on the IIS Manager and make sure it is setup.
I'm pretty sure because of how JSONP cross domain works with today's shortcomings that you always have to implement your own custom security system.
I use SSL and HMAC security for JSONP cross domain authentication. I do the authentication myself on the service.
When doing JSONP you cannot set headers, or anything, on the request because it's done through adding tags, not an actual XMLHTTP request object.

WCF (.NET 4.0) + IIS 7 + Windows Authentication Error - "service require Windows Authentication but it is not enabled for the IIS application "

We have a simple WCF (on .NET 4.0) Service which uses Windows authentication and same is enabled on the IIS 7 Authentication feature. This works with same settings and same configuration on two servers, but on one of the server comes back with error Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service. I checked everything possible on web, and tried all the options like disabling other Authentication mechanisms etc. Nothing seems to be working. Could anyone point what can be the issue.
Again identical settigns on two servers is working perfectly on third server it has the issue.
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="ABCDbConnection" value="Data Source=xxx; Initial Catalog=sss;Integrated Security=True"/>
<add key="MetadataDbConnection" value="Data Source=xxx; Initial Catalog=sss;Integrated Security=True"/>
<add key="UsageEnabled" value="True"/>
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<protocolMapping>
<add scheme="http" binding="basicHttpBinding" bindingConfiguration="WindowsBasicHttpBinding"/>
</protocolMapping>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<dataContractSerializer maxItemsInObjectGraph="6553600"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="WindowsBasicHttpBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
Did any of the solutions in this thread work?
http://social.msdn.microsoft.com/Forums/en/wcf/thread/021babc6-2009-4ed9-81f4-ac48cc300c94
From this blog post, it mentioned this KB article.
If this error is returned and Windows
Authentication has been enabled in
IIS, it means there is an issue with
the supported network authentication
schemes for the website that the web
service is installed under. The most
likely cause is that it is configured
for NTLM only. We want to specify NTLM
and Negotiate.
Have you tried enabling Windows Authentication through the web.config using
<system.web>
....
<authentication mode="Windows" />
.....
</system.web>
There could be the possibility that one machine is inheriting this setting from a parent configuration file but not on the one throwing the error is not.
You can also verify that Anonymous Authentication is disabled like in the image below

Integrated Windows Authentication WCF Multiple Host Headers IIS 6 not working

I have a asp.net 2.0 web site with WCF service hosted inside it running on .NET 3.5 framework. The website is setup with Integrated Windows Authentication only. The web server is IIS 6 with load balancing on Windows 2003 Sp2 (2 servers). I am unable to access the WCF service (.svc) using the full url (http://myqa2.abcdefg.com/trxn/WCFTrxnService.svc). Also note that the server is configured with multiple host headers. The website is protected by siteminder. Initially I was getting an error
This collection already contains an address with scheme http. There can be at most one address per scheme in this collection. Parameter name: item
So added the following config entry
<serviceHostingEnvironment>
<baseAddressPrefixFilters>
<clear/>
<add prefix="http://myqa2.abcdefg.com"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
That error went away, but now I am being prompted for login by the browser. For same website, I am able to access .aspx page. The login prompt is appearing only for .svc file.
Here is the binding / endpoint from config file that I am using.
<system.serviceModel>
<serviceHostingEnvironment>
<baseAddressPrefixFilters>
<clear/>
<add prefix="http://myqa2.abcdefg.com"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
<bindings>
<basicHttpBinding>
<binding name="IISIntegratedAuthBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="TestWCFFromSL.Web.WCFTrxnServiceBehavior">
<serviceMetadata httpGetEnabled="true" httpGetUrl="http://myqa2.abcdefg.com/fmc/WCFNotesService.svc"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="TestWCFFromSL.Web.WCFTrxnService" behaviorConfiguration="TestWCFFromSL.Web.WCFTrxnServiceBehavior">
<endpoint
address="http://myqa2.abcdefg.com/trxn/WCFTrxnService.svc"
binding="basicHttpBinding"
bindingConfiguration="IISIntegratedAuthBinding"
contract="TestWCFFromSL.Web.IWCFTrxnService" />
</service>
</services>
<!--<serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>-->
if a website is protected by SiteMinder, WCF / SOAP calls don't work. But a different solution to this problem is working.
The URL myqa2.abcdefg.com/trxn/WCFTrxnService.svc is protected by SiteMinder, but
myqa2/trxn/WCFTrxnService.svc is not protected by siteminder, Looks like SiteMinder only protects FQDN (Fully Qualified Domain Names). So I configured the application to call WCF service using short url instead FQDN. I also had to use crossdomainpolicy because the application considers myqa2.abcdefg.com and myqa2 as 2 seperate domains.