I'm using WCF and STS for security. I enabled IIS compression for the dynamic type thus
<!-- IIS dynamic-compression allowlist. A response is compressed only when its Content-Type
     matches an enabled entry; the "*/*" catch-all is left disabled so nothing else is touched. -->
<dynamicTypes>
<add mimeType="text/*" enabled="true" />
<add mimeType="message/*" enabled="true" />
<add mimeType="application/x-javascript" enabled="true" />
<add mimeType="application/xml" enabled="true" />
<add mimeType="application/soap+xml" enabled="true" />
<add mimeType="application/xop+xml" enabled="true" />
<add mimeType="application/soap+msbin1" enabled="true" />
<!-- NOTE(review): the multipart/related replies this question wants compressed carry the
     security token in the same body as the service output. Compressing a TLS response that
     mixes a secret with data a caller can influence is the precondition for BREACH-style
     compression side channels; confirm the body never echoes request data before enabling it. -->
<add mimeType="*/*" enabled="false" />
</dynamicTypes>
and it works fine for metadata and STS service calls.
However, for all the "regular" calls to the service I get a reply of type multipart/related that contains the response and the security token together.
I'd like to get that response compressed if possible, and I don't know how to do it. (Caveat before doing so: compressing a TLS-protected response that carries a secret such as a security token alongside data the caller can influence is exactly what BREACH-style compression attacks exploit, so check whether the body echoes any request data.) Setting the compression for everything
<add mimeType="*/*" enabled="true" />
does compress the response but setting it to
<add mimeType="multipart/related" enabled="true" />
doesn't.
The Content-Type of the response is
Content-Type: multipart/related; type="application/xop+xml";start="<http://tempuri.org/0>";boundary="uuid:cb4a14b1-e162-41ee-80b8-752744d327eb+id=136";start-info="application/soap+xml"
Cheers.
We have an STS that issues SAML tokens within the organization; for security reasons all apps must obtain this token. I am building a WCF service that should accept a SAML token and validate it before serving the request.
So far I have set up a federation binding (not sure whether that is the intended requirement, as my service serves only internal/intranet apps inside the firewall). I managed to hit my WCF service with SoapUI and get a response while debugging. The strange thing is that in the request I had to wrap my SAML assertion inside the WS-Security (`<o:Security>`) header, or it never works; I am wondering whether there is a workaround for this or whether this is the intended usage, since Java clients will be consuming my WCF service.
<?xml version="1.0" ?>
<!-- web.config for a WCF service that accepts SAML 2.0 bearer tokens issued by an in-house STS
     over ws2007FederationHttpBinding (TransportWithMessageCredential). -->
<configuration>
<configSections>
<!-- NOTE(review): System.IdentityModel is declared here as Version=4.0.30319.17929 while every
     other reference in this file uses Version=4.0.0.0; confirm the declared version actually
     resolves on the target machine. -->
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.30319.17929, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<appSettings>
<!-- Certificate names consumed by the custom token handler (values redacted in the post). -->
<add key="EncryptionCertificateName" value="xxxx" />
<add key="AssertionSignatureCertificateName" value="xxxx" />
<add key="EnablePerformanceLog" value="false" />
<add key="Logging.Level" value="0" />
<add key="Logging.Active" value="True" />
</appSettings>
<!-- NOTE(review): <runtime> appears twice in this file (here and again after system.webServer)
     with the same NHibernate redirect; keep a single copy. -->
<runtime>
<gcServer enabled="true" />
<generatePublisherEvidence enabled="false" />
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="NHibernate" publicKeyToken="aa95f207798dfdb4" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-3.3.1.4000" newVersion="3.3.1.4000" />
</dependentAssembly>
</assemblyBinding>
</runtime>
<system.web>
<!-- Development setting: debug="true" emits symbols and disables optimizations; set to false before deployment. -->
<compilation debug="true" targetFramework="4.5" optimizeCompilations="true" batch="true" maxConcurrentCompilations="8" />
<!-- requestValidationMode="2.0" limits ASP.NET request validation to page requests; it does not
     inspect WCF message bodies, so input validation has to happen in the service itself. -->
<httpRuntime targetFramework="4.5" minFreeThreads="10" minLocalRequestFreeThreads="10" requestValidationMode="2.0" />
</system.web>
<system.net>
<defaultProxy enabled="false">
<proxy usesystemdefault="False" bypassonlocal="True" autoDetect="False" />
</defaultProxy>
<connectionManagement>
<add address="*" maxconnection="5000" />
</connectionManagement>
</system.net>
<system.serviceModel>
<diagnostics performanceCounters="All">
<!-- NOTE(review): transport-level message logging records the SOAP headers of every request, and
     the <o:Security> header is where the SAML assertion travels, so this writes bearer tokens to
     the trace log. Keep it off outside debugging and protect the log location. -->
<messageLogging logMalformedMessages="true" logMessagesAtTransportLevel="true" />
<endToEndTracing propagateActivity="true" messageFlowTracing="true" />
</diagnostics>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- NOTE(review): httpGetEnabled="true" on a service whose only base address is https either
     publishes the WSDL over plain HTTP (if the IIS site also has an http binding) or typically
     fails at host open because there is no http base address for the relative HttpGetUrl.
     httpsGetEnabled already serves metadata, so httpGetEnabled="false" is the right value here. -->
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<!-- Issuer registry, token handlers and certificate validation come from <system.identityModel> below. -->
<serviceCredentials useIdentityConfiguration="true" />
<!-- Thread principal is always the claims principal produced by the token handler. -->
<serviceAuthorization principalPermissionMode="Always" />
<!-- Returns stack traces to callers; set to false before deployment. -->
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true">
<serviceActivations>
<!-- NOTE(review): the activated type name (...Service.VaultService) differs from the <service name>
     below (...Service.Service); both are redacted, so confirm they refer to the same class,
     otherwise the behaviors and endpoints below will not apply to the activated service. -->
<add relativeAddress="Service.svc" service="XX.XXX.BusinessService.Service.VaultService" factory="XX.XXXX.BusinessService.Service.WcfServiceFactory" />
</serviceActivations>
</serviceHostingEnvironment>
<bindings>
<ws2007FederationHttpBinding>
<binding name="ws2007Binding">
<!-- TLS protects the channel; the issued SAML 2.0 token rides in the WS-Security header of every
     call (establishSecurityContext="false": no secure-conversation session is set up).
     BearerKey means the assertion carries no proof key, so anyone holding it can replay it until
     it expires: it must only ever travel over TLS and should be audience-restricted. -->
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false" issuedKeyType="BearerKey" issuedTokenType="urn:oasis:names:tc:SAML:2.0:assertion" negotiateServiceCredential="false" />
</security>
</binding>
</ws2007FederationHttpBinding>
</bindings>
<services>
<service name="XX.XXXX.BusinessService.Service.Service">
<host>
<baseAddresses>
<add baseAddress="https://localhost/XX.XXX.BusinessService.Service/" />
</baseAddresses>
</host>
<endpoint address="" binding="ws2007FederationHttpBinding" bindingConfiguration="ws2007Binding" contract="XX.XXXX.Contract.Service.ServiceContract.IService" />
<!-- Metadata exchange over HTTPS only. -->
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<!--
To browse web app root directory during debugging, set the value below to true.
Set to false before deployment to avoid disclosing web app folder information.
-->
<directoryBrowse enabled="false" />
<httpProtocol>
<customHeaders>
<!-- Stops browsers from MIME-sniffing responses away from the declared Content-Type. -->
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
</system.webServer>
<!-- Duplicate of the <runtime> section near the top of the file; see the note there. -->
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="NHibernate" publicKeyToken="aa95f207798dfdb4" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-3.3.1.4000" newVersion="3.3.1.4000" />
</dependentAssembly>
</assemblyBinding>
</runtime>
<system.identityModel>
<!-- saveBootstrapContext="true" keeps the raw incoming assertion on the claims principal. That is
     only needed for ActAs/OnBehalfOf delegation; otherwise it just keeps a bearer token alive in
     memory longer than necessary. -->
<identityConfiguration saveBootstrapContext="true">
<!-- NOTE(review): with audienceUris commented out, no audience restriction is configured here.
     Unless the custom handler below enforces it, a token the same STS issued for a different
     relying party could be accepted by this service. Re-enable this with the full URI the STS
     puts in the assertion's AudienceRestriction, not just "VaultService.svc". -->
<!--<audienceUris>
<add value="VaultService.svc"/>
</audienceUris>-->
<!-- Issuer trust is pinned to one signing-certificate thumbprint; plan for rotation, since a new
     STS certificate is rejected until this entry is updated. -->
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add name="XX-XX-XX" thumbprint="XXX" />
</trustedIssuers>
</issuerNameRegistry>
<securityTokenHandlers>
<!-- NOTE(review): the stock Saml2SecurityTokenHandler is replaced by a custom handler. The
     replacement must still verify the assertion signature against a trusted issuer, enforce
     Conditions (NotBefore / NotOnOrAfter / audience) and reject unsigned assertions; deriving from
     Saml2SecurityTokenHandler and overriding only what is needed is the safer path. -->
<remove type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
<add type="XX.XXX.Extension.Security.MySecurityTokenHandler, XXX.XXX.Extension" />
</securityTokenHandlers>
<!-- Runs after token validation to transform or augment the claims principal. -->
<claimsAuthenticationManager type="XX.XXXX.Extension.Security.ClaimsAuthenticationManager, XX.XXXX.Extension" />
</identityConfiguration>
</system.identityModel>
<!-- Health endpoint reachable without authentication. -->
<location path="health-check.axd">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
<system.webServer>
<!-- Skips the integrated-mode check on <system.web> settings IIS ignores; it suppresses a warning, not a problem. -->
<validation validateIntegratedModeConfiguration="false" />
<!-- Lets the handler's own error responses reach the client instead of IIS error pages. -->
<httpErrors existingResponse="PassThrough" />
</system.webServer>
</location>
</configuration>
the sample request that works from SOAP UI:
<!-- Sample request that works from SoapUI. The SAML assertion is carried in a WS-Security
     (wsse:Security) header, which is the only place a federation binding looks for the issued
     token; this is by design, not something to work around. -->
<soap:Envelope xmlns:soa="http://XXX.com.au/soa" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ing="http://schemas.datacontract.org/2004/07/XXX.Contract.Vault.DataContract" xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<a:Action s:mustUnderstand="1">http://tempuri.org/IService1/DoWork</a:Action>
<a:MessageID>urn:uuid:b48f6fa8-f5f2-48d8-a06b-1a202c71ed30</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<!-- NOTE(review): the To header is empty although marked mustUnderstand; the service still
     accepted it, presumably using the transport URL, but fill in the endpoint address when
     reusing this sample. -->
<a:To s:mustUnderstand="1"></a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<!-- Six-minute freshness window for the message. Nothing in this header is signed (bearer token
     over TransportWithMessageCredential), so its integrity rests on TLS alone. -->
<u:Timestamp u:Id="_0">
<u:Created>2015-10-26T10:47:54.721Z</u:Created>
<u:Expires>2015-10-26T10:53:54.721Z</u:Expires>
</u:Timestamp>
<!-- Bearer SAML 2.0 assertion (contents elided). Its IssueInstant is about two days older than
     the Timestamp above; whether it is still acceptable depends on its Conditions, which the
     service's token handler must enforce. -->
<Assertion ID="_e058ad04-1d5e-47cf-9fbc-d65aecfaf9ef" IssueInstant="2015-10-24T06:22:37.086Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">...</Assertion>
</o:Security>
</soap:Header>
<soap:Body>
....
.....
</soap:Body>
</soap:Envelope>
You can see that the SAML assertion is included under the `<o:Security>` header; if I remove it, the service fails with an error saying the security message header is not present.
This is expected: with ws2007FederationHttpBinding the issued token must be presented in the WS-Security header, which is where the identity model looks for it, so there is no workaround and none should be sought (an assertion sent anywhere else would not be validated at all). The Java client was able to consume the service once it wrapped the assertion in a generic XML security token, which produces that security header.
I'm trying to resize/crop the images stored on one of our servers and use them on another, also our server. Image resizer is running on www.aapg.org. Remote images are stored on assets.aapg.org.
Not sure why it doesn't work. I followed the process outlined in http://imageresizing.net/plugins/remotereader -- everything looks OK. I tried both a signed remote URL and human-friendly syntax, and neither worked for me.
Here are the plugins from the Web.config file I'm using:
<!-- ImageResizer plugin set (fragment of the <resizer><plugins> section). RemoteReader fetches
     source images from other hosts on the server's behalf, so it must be paired with the domain
     allowlist in <remotereader> below; the remaining plugins are local transforms or caches. -->
<add name="MvcRoutingShim" />
<add name="DiskCache" />
<add name="SeamCarving" />
<add name="SimpleFilters" />
<!-- Per its name, downloads native dependencies on demand; verify where from before relying on it in production. -->
<add name="PdfRenderer" downloadNativeDependencies="true" />
<add name="DropShadow" />
<add name="WhitespaceTrimmer" />
<add name="PrettyGifs" />
<add name="AnimatedGifs" />
<add name="WebPEncoder" />
<add name="WebPDecoder" />
<add name="RemoteReader" />
<add name="CloudFront" />
And the remote reader plugin configuration ('xxxxxxxxxxxxxxxxxxxxxx' is obviously not what I'm using):
<!-- RemoteReader configuration. allowAllSignedRequests="false" means even HMAC-signed URLs are only
     honored for the allowlisted domains, which is the safer setting. The signingKey is a secret:
     it must be long and random and must not be committed to source control.
     NOTE(review): allowRedirects="5" follows up to five redirects from an allowed host; verify that
     the allowlist is re-applied to each redirect target, otherwise an allowed host that redirects
     elsewhere turns this into a server-side request to an arbitrary URL. -->
<remotereader signingKey="xxxxxxxxxxxxxxxxxxxxxx" allowAllSignedRequests="false" allowRedirects="5">
<!-- Hosts images may be fetched from. Whether "aapg.org" also covers subdomains depends on the
     plugin's matching rule; the explicit assets.aapg.org entry is the one that matters here. -->
<allow domain="aapg.org" />
<allow domain="assets.aapg.org" />
</remotereader>
Can anyone tell me what I'm doing wrong? Or what I'm missing?
Thanks in advance!
After modifying my service to use federation (see web.config below) I'm having trouble on my client getting it connected. In all that I have read it seems I should be able to just create
var client = new MyService()
and then set the username and password on its credentials, after which WCF takes care of requesting the STS token. But the generated proxy has no parameterless constructor; the only one I have takes a binding and an endpoint address. I do not see a way to create the federation binding manually and would just like to use it the default way. Before, when I used basicHttpBinding over HTTPS, I could create the client with the default constructor, so I don't see why this does not follow the same logic.
The service has web.config as such:
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.config for an Azure-hosted WCF service federated with ADFS over wsFederationHttpBinding. -->
<configuration>
<configSections>
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<!-- NOTE(review): the opening <system.diagnostics><trace> tags for this listener block are missing
     from the post (only the closing tags survive), so the file as shown is not well-formed. -->
<listeners>
<add type="Microsoft.WindowsAzure.Diagnostics.DiagnosticMonitorTraceListener, Microsoft.WindowsAzure.Diagnostics, Version=2.2.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" name="AzureDiagnostics">
<filter type="" />
</add>
</listeners>
</trace>
</system.diagnostics>
<!-- Federation metadata is public by design; anonymous access is expected here. -->
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<!-- Set debug="false" before deployment. -->
<compilation debug="true" targetFramework="4.0" />
<!-- Protects the session tokens produced by MachineKeySessionSecurityTokenHandler (below).
     NOTE(review): validation="SHA1" is the legacy choice; HMACSHA256 is preferred on .NET 4+. The
     keys must be identical on every instance of the role and must not live in source control. -->
<machineKey decryption="AES" decryptionKey="[DecrpytKey]" validation="SHA1" validationKey="[ValidationKey]" />
</system.web>
<system.serviceModel>
<services>
<service name="MyService">
<endpoint address="" binding="wsFederationHttpBinding" bindingConfiguration="wsFedBinding" contract="MyService.IMyService" />
<!-- Metadata exchange over HTTPS only. -->
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="https://myservice.cloudapp.net/MyService.svc" />
</baseAddresses>
</host>
</service>
</services>
<bindings>
<wsFederationHttpBinding>
<binding name="wsFedBinding">
<!-- TLS on the channel, issued token inside the message. -->
<security mode="TransportWithMessageCredential">
<message>
<!-- NOTE(review): the issuer address is plain http. If it only serves as the STS identifier and the
     actual token endpoint is discovered from the https issuerMetadata below, that is fine; if
     clients used it as the endpoint they would send their credentials to the STS unencrypted. -->
<issuer address="http://mysts.com"/>
<issuerMetadata address="https://mysts.com/adfs/services/trust/mex" />
<!-- Claims requested from the STS; both optional, so the service must cope with their absence. -->
<claimTypeRequirements>
<add claimType="http://mysts.com/user/UserDomain" isOptional="true"/>
<add claimType="http://mysts.com/user/Alias" isOptional="true"/>
</claimTypeRequirements>
</message>
</security>
</binding>
</wsFederationHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the value below to false before deployment -->
<serviceMetadata httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials useIdentityConfiguration="true">
<!--Certificate added by Identity and Access Tool for Visual Studio.-->
<!-- NOTE(review): CurrentUser\My is the store of whichever account ran the tool. Under IIS the
     application pool identity must be able to read this certificate and its private key, which
     usually means LocalMachine\My with an ACL on the key. -->
<serviceCertificate findValue="[Thumbprint]" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint" />
</serviceCredentials>
<!-- Only failures are audited; suppressAuditFailure="true" means a failure to write the audit
     entry itself is ignored rather than failing the request. -->
<serviceSecurityAudit auditLogLocation="Application" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" suppressAuditFailure="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<!--
To browse web app root directory during debugging, set the value below to true.
Set to false before deployment to avoid disclosing web app folder information.
-->
<directoryBrowse enabled="false" />
</system.webServer>
<connectionStrings>
[Some connection strings]
</connectionStrings>
<system.identityModel>
<identityConfiguration>
<!-- Tokens are accepted only if their audience matches this URI; keep it the exact service address. -->
<audienceUris>
<add value="https://myservice.cloudapp.net/MyService.svc" />
</audienceUris>
<!-- Trusts tokens signed by the pinned thumbprint and issued by http://mysts.com. The validIssuers
     name must match the token's Issuer value exactly; on ADFS certificate rollover the thumbprint
     must be updated (or refreshed from federation metadata) or tokens will be rejected. -->
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="http://mysts.com">
<keys>
<add thumbprint="[Thumbprint]" />
</keys>
<validIssuers>
<add name="http://mysts.com" />
</validIssuers>
</authority>
</issuerNameRegistry>
<!-- The Identity and Access Tool originally set certificateValidationMode to "None" for development.
     The effective value below is ChainTrust, which is the correct production setting: the STS
     signing certificate must chain to a trusted root. -->
<certificateValidation certificateValidationMode="ChainTrust"/>
<securityTokenHandlers>
<!-- Session tokens are protected with the <machineKey> above instead of DPAPI so they stay valid
     across Azure role instances. -->
<add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
<remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</securityTokenHandlers>
</identityConfiguration>
</system.identityModel>
<appSettings>
<!-- Identity and Access Tool settings; federation metadata is fetched over https. -->
<add key="ida:FederationMetadataLocation" value="https://mysts.com/FederationMetadata/2007-06/FederationMetadata.xml" />
<add key="ida:ProviderSelection" value="productionSTS" />
</appSettings>
</configuration>
I have tried the suggestions in this post, but I cannot get Windows Authentication working with IIS Express in Visual Studio 2010. Now I get the following error (the error text itself did not survive in the post):
Here are my applicationhost.config file entries:
...
<!-- The module must be registered (and left unlocked) at the server level. -->
<add name="WindowsAuthenticationModule" lockItem="false" />
...
<!-- Server-level defaults. NOTE(review): anonymous stays enabled here, so a site is served without a
     challenge unless its own web.config turns anonymous off (as the web.config below does) or
     ASP.NET authorization denies anonymous users. -->
<authentication>
<anonymousAuthentication enabled="true" userName="" />
<basicAuthentication enabled="false" />
<clientCertificateMappingAuthentication enabled="false" />
<digestAuthentication enabled="false" />
<iisClientCertificateMappingAuthentication enabled="false">
</iisClientCertificateMappingAuthentication>
<windowsAuthentication enabled="true" />
</authentication>
...
<!-- overrideModeDefault="Allow" is what lets a web.config override these sections; with "Deny" the
     web.config settings below would fail with a 500.19 lock violation. -->
<sectionGroup name="authentication">
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<section name="basicAuthentication" overrideModeDefault="Allow" />
<section name="clientCertificateMappingAuthentication" overrideModeDefault="Allow" />
<section name="digestAuthentication" overrideModeDefault="Allow" />
<section name="iisClientCertificateMappingAuthentication" overrideModeDefault="Allow" />
<section name="windowsAuthentication" overrideModeDefault="Allow" />
</sectionGroup>
My web.config:
<system.web>
<!-- ASP.NET side: use the identity IIS established through Windows authentication. -->
<authentication mode="Windows" />
</system.web>
<system.webServer>
<!-- IIS side: turn anonymous off so every request is challenged, and enable Windows authentication.
     Both sections must be unlocked in applicationhost.config (overrideModeDefault="Allow"), which
     the entries shown above already do. -->
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
This is .NET 4
Make sure you have something like below in your applicationhost.config file
<!-- Windows authentication offering both providers. Negotiate (Kerberos, with NTLM fallback) is
     listed first so Kerberos is used whenever it is available; NTLM is the second choice. -->
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
<add value="NTLM" />
</providers>
</windowsAuthentication>
This file is probably in %HOMEPATH%\Documents\IISExpress\config\
I've had such a problem in VS 2013 with IIS 8.0 Express when I wanted to update Service Reference. A dialog popped up asking for username/password. A strange substring was added to the service url:
_vti_bin/ListData.svc
I started configuring Windows authentication in applicationhost.config as mentioned in some posts on this page. In the end, the working configuration could not have the Negotiate provider (note that dropping Negotiate forces NTLM, which gives up Kerberos and its mutual authentication, so keep this to a local development setup):
<!-- NTLM-only configuration that made the VS 2013 / IIS Express 8.0 case work.
     NOTE(review): removing Negotiate forfeits Kerberos; NTLM offers no mutual authentication and is
     relayable, so treat this as a local-development workaround, not a server setting. -->
<windowsAuthentication enabled="true">
<providers>
<!--<add value="Negotiate" />-->
<add value="NTLM" />
</providers>
</windowsAuthentication>
And the anonymous authentication must be disabled:
<!-- With anonymous enabled, IIS serves the request anonymously and no Windows challenge happens
     unless something in the pipeline returns 401; disabling it forces the challenge. -->
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
Try adding the following to your web.config.
<system.webServer>
<!-- Skips the integrated-mode consistency check on <system.web> settings. -->
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true" />
<security>
<authentication>
<!-- NOTE(review): this enables Windows authentication but leaves anonymous at its server default
     (enabled in the applicationhost.config shown above), so the browser is not forced to
     authenticate; add <anonymousAuthentication enabled="false" /> alongside it. -->
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
I am having a "dandy" time trying to get my WCF REST service hosted on IIS with SSL.
Environment: I am testing on a Windows7 box with a local IIS server. I have self-registered a certificate on my dev box and have:
Created a site in IIS for the purposes of exposing this WCF service via HTTPS.
Created an application under this site and named it "api"
Navigated to my site in IIS
Clicked 'Bindings...' in the Actions panel on the right.
Clicked 'Add'
Selected 'https' and selected my certificate.
A lot of the REST plumbing is handled via extensions in WCF using the WcfRestContrib library. While this has been useful from a programming point of view, there is little out there in the way of documentation when something goes wrong.
The error I am currently getting is:
Error Summary
HTTP Error 500.19 - Internal Server Error The requested page cannot
be accessed because the related
configuration data for the page is
invalid. Detailed Error Information
Module IIS Web Core
Notification BeginRequest Handler Not
yet determined Error Code 0x8007000d
Config Error Config
File \?\C:\inetpub\eMobile\api\web.config
Requested
URL https://172.xx.xx.254:443/api
Physical
Path C:\inetpub\eMobile\api Logon
Method Not yet determined Logon
User Not yet determined
Config Source
-1:
0:
I am really not sure what I am doing wrong here. So far I have tried resetting feature delegation for my site, but that didn't work. Any ideas? Does anything look odd in my web.config? (Note: in the listing below the `<connectionStrings>` element opened at the top is never closed before `<system.web>`, which makes the file malformed XML and is consistent with error code 0x8007000d and the empty Config Source.)
Thanks.
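<?xml version="1.0"?>
<!-- web.config for a WcfRestContrib-based REST service hosted in IIS under /api. -->
<configuration>
<connectionStrings>
<!-- Integrated Security means SQL Server is reached as the application pool identity; that account
     needs a login on USSV112 for both databases. -->
<add name="e1ConnectionString" connectionString="Data Source=USSV112;Initial Catalog=e1;Integrated Security=True"
providerName="System.Data.SqlClient" />
<add name="e2ConnectionString" connectionString="Data Source=USSV112;Initial Catalog=e2;Integrated Security=True"
providerName="System.Data.SqlClient" />
<!-- FIX: this element was never closed, which made the file malformed XML; that is the likely cause
     of the 500.19 / 0x8007000d error with an empty Config Source. -->
</connectionStrings>
<system.web>
<!-- 200 MB request limit and a one-hour execution timeout: generous for uploads, but also the amount
     an unauthenticated caller can make the server buffer and hold. -->
<httpRuntime maxRequestLength="204800" executionTimeout="3600"/>
<!-- Set debug="false" before deployment. -->
<compilation debug="true" targetFramework="4.0">
</compilation>
<!-- Classic-mode module registration; the integrated-mode copy is in <system.webServer><modules>. -->
<httpModules>
<add name="ServiceAnonymityModule" type="WcfRestContrib.Web.ServiceAnonymityModule, WcfRestContrib, Version=1.0.6.107, Culture=neutral"/>
</httpModules>
<pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID"/>
</system.web>
<system.webServer>
<!-- Requires the IIS URL Rewrite module; without it IIS rejects this element with a 500.19. -->
<rewrite>
<rules>
<rule name="Users" stopProcessing="true">
<match url="^rest/users/(.*)$"/>
<action type="Rewrite" url="rest/Users.svc/{R:1}" />
</rule>
</rules>
</rewrite>
<!-- Lets the duplicate httpModules / modules registrations above and below coexist. -->
<validation validateIntegratedModeConfiguration="false" />
<modules>
<remove name="ServiceAnonymityModule"/>
<add name="ServiceAnonymityModule" type="WcfRestContrib.Web.ServiceAnonymityModule, WcfRestContrib, Version=1.0.6.107, Culture=neutral"/>
</modules>
</system.webServer>
<system.diagnostics>
<!-- NOTE(review): if message logging is switched on in <system.serviceModel><diagnostics>, the
     MessageLogging listener below writes full requests to d:\Temp, which for this service includes
     the Basic-auth Authorization header (credentials in base64). Restrict the directory ACL and
     turn the listeners off once the hosting problem is solved. -->
<sources>
<source name="System.ServiceModel" switchValue="Information, ActivityTracing" propagateActivity="true">
<listeners>
<add name="messages" type="System.Diagnostics.XmlWriterTraceListener" initializeData="d:\Temp\WcfRestContribErrors.log" />
</listeners>
</source>
<source name="System.ServiceModel.MessageLogging">
<listeners>
<add name="messages" type="System.Diagnostics.XmlWriterTraceListener" initializeData="d:\Temp\WcfRestContribMessages.log" />
</listeners>
</source>
</sources>
<trace autoflush="true"/>
</system.diagnostics>
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
<extensions>
<behaviorExtensions>
<add name="webAuthentication" type="WcfRestContrib.ServiceModel.Configuration.WebAuthentication.ConfigurationBehaviorElement, WcfRestContrib, Version=1.0.6.107, Culture=neutral, PublicKeyToken=89183999a8dc93b5" />
<add name="errorHandler" type="WcfRestContrib.ServiceModel.Configuration.ErrorHandler.BehaviorElement, WcfRestContrib, Version=1.0.6.107, Culture=neutral, PublicKeyToken=89183999a8dc93b5" />
<add name="webFormatter" type="WcfRestContrib.ServiceModel.Configuration.WebDispatchFormatter.ConfigurationBehaviorElement, WcfRestContrib, Version=1.0.6.107, Culture=neutral, PublicKeyToken=89183999a8dc93b5" />
<add name="webErrorHandler" type="WcfRestContrib.ServiceModel.Configuration.WebErrorHandler.ConfigurationBehaviorElement, WcfRestContrib, Version=1.0.6.107, Culture=neutral, PublicKeyToken=89183999a8dc93b5" />
</behaviorExtensions>
</extensions>
<bindings>
<customBinding>
<!-- NOTE(review): the plain-HTTP binding combined with requireSecureTransport="false" below lets
     Basic-auth credentials travel unencrypted. Once the https binding works, remove this binding or
     keep it only for endpoints that do not use webAuthentication. -->
<binding name="HttpStreamedRest">
<httpTransport maxReceivedMessageSize="209715200" manualAddressing="true"/>
</binding>
<binding name="HttpsStreamedRest">
<httpsTransport maxReceivedMessageSize="209715200" manualAddressing="true"/>
</binding>
</customBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="Rest">
<!-- HTTP Basic authentication checked by the project's SecurityValidator.
     NOTE(review): requireSecureTransport="false" disables the handler's own check that the request
     arrived over TLS; set it to "true" for anything beyond local testing. -->
<webAuthentication authenticationHandlerType="WcfRestContrib.ServiceModel.Dispatcher.WebBasicAuthenticationHandler, WcfRestContrib"
usernamePasswordValidatorType="Engage.Mobile.WebServices.Runtime.SecurityValidator, Engage.Mobile.WebServices"
requireSecureTransport="false" source="E Mobile" />
<webFormatter>
<formatters defaultMimeType="application/json">
<formatter type="WcfRestContrib.ServiceModel.Dispatcher.Formatters.PoxDataContract, WcfRestContrib"
mimeTypes="application/xml,text/xml" />
<formatter type="WcfRestContrib.ServiceModel.Dispatcher.Formatters.DataContractJson, WcfRestContrib"
mimeTypes="application/json" />
<formatter type="WcfRestContrib.ServiceModel.Dispatcher.Formatters.FormUrlEncoded, WcfRestContrib"
mimeTypes="application/x-www-form-urlencoded" />
</formatters>
</webFormatter>
<errorHandler errorHandlerType="WcfRestContrib.ServiceModel.Web.WebErrorHandler, WcfRestContrib" />
<!-- NOTE(review): returnRawException="true" and includeExceptionDetailInFaults="true" both send
     exception details (stack traces, internal type names) to clients; keep them for debugging only
     and set both to false before deployment. -->
<webErrorHandler logHandlerType="Engage.Mobile.WebServices.Runtime.LogHandler, Engage.Mobile.WebServices" returnRawException="true" exceptionDataContractType="" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>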
It looks very much like this thread
The proposed answer was
Right click the folder where your site is located: "C:\Users\NAME\SiteName" and selecting Properties
Select the Security tab and click on Edit
Add.. and type in "IIS_IUSRS"
I posted a similar answer in this thread, and there are similar answers across SO for these errors.
You have a rewrite element in your web.config, and without URL Rewrite installed IIS does not recognise this element and throws a 500.19 like the one you see. Install URL Rewrite and this should work. Check well-formedness first, though: in the posted web.config the `<connectionStrings>` element is never closed, and a parse error of that kind also produces 500.19 with 0x8007000d and an empty Config Source. Run `xmllint --noout web.config` (or open the file in an XML editor) before chasing missing modules.
You can try enabling tracing on your service to see if the request is reaching the service or failing on IIS itself. If it is reaching your service then tracing would pick up the exact error on where it is failing. To enable tracing follow this link