Configure WCF to ignore authentication requirements inside IIS - wcf

Scenario:
Two websites (example.com, admin.example.com) that share the same wwwroot folder.
example.com allows only anonymous access
admin.example.com allows only windows authentication.
/Service/Awesome.svc returns a json object
Accessing the Awesome service using example.com works, while admin.example.com throws a NotSupportedException; "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service."
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"
multipleSiteBindingsEnabled="true" />
<behaviors>
<serviceBehaviors>
<behavior name="serviceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="jsonBehavior">
<enableWebScript />
</behavior>
</endpointBehaviors>
</behaviors>
<services>
<service name="WcfServices.AwesomeService"
behaviorConfiguration="serviceBehavior">
<endpoint address="" binding="webHttpBinding"
contract="WcfServices.IAwesomeService"
behaviorConfiguration="jsonBehavior" />
</service>
</services>
</system.serviceModel>
How do I configure WCF to ignore the authentication requirement? I want the same behavior as if this were a web service or handler, just execute and return the awesome json object.

I think you're out of luck here. Give AWesome.svc anonymous access, and give anon access a user account that has no access to sensitive resources.

It sounds like you have two copies of the service, one under the website example.com and the other under admin.example.com. If admin.example.com needs IIS integrated (challenge/response) authentication then you're WCF service binding needs to be in Transport mode because IIS requires all admin.example.com resources to be Windows authentication. Try this configuration:
<bindings>
<basicHttpBinding>
<binding name="Binding1">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
If this doesn't work for you, you may want to try hosting the services in their own virtual directy so they are not at the mercy of what the website needs for security.
Good Luck.

Related

WCF Rest - mixing HTTP and HTTPS in one ServiceContract

I currently have a Http Rest WCF4 service, defined by the ServiceContract IEventService which is exposed only over HTTP.
I have been tasked with making some of the OperationContracts to work only over HTTPS So I have split those methods into a seperate ServiceContract called IEventServiceHTTPS
Hosting this on my dev box using IIS7.5 with a self-signed certificate, the methods which are part of the IEventServiceHTTPS are called fine over HTTPS and not over HTTP, as expected.
However the HTTP methods exposed by IEventService now do not work.
I get the following when trying to access the HTTP methods:
HTTP Error 403.4 - Forbidden
The page you are trying to access is secured with Secure Sockets Layer (SSL).
web.config with my changes:
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true">
<serviceActivations>
<add service="Api.EventService" relativeAddress="EventService.svc" factory="Api.UnityServiceHostFactory"/>
</serviceActivations>
</serviceHostingEnvironment>
<behaviors>
<serviceBehaviors>
<behavior name="Api.EventServiceBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="WebBehavior">
<webHttp/>
</behavior>
</endpointBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="Api.EventServiceBehavior" name="Api.EventService">
<endpoint address="" binding="webHttpBinding" behaviorConfiguration="WebBehavior" bindingConfiguration="webBindingHTTP" contract="Api.IEventService"/>
**<endpoint address="" binding="webHttpBinding" behaviorConfiguration="WebBehavior" bindingConfiguration="webBindingHTTPS" contract="Api.IEventServiceHTTPS"/>**
</service>
</services>
<bindings>
<webHttpBinding>
<binding name="webBindingHTTP">
<security mode="None"></security>
</binding>
**<binding name="webBindingHTTPS">
<security mode="Transport">
</security>
</binding>**
</webHttpBinding>
</bindings>
</system.serviceModel>
Any help would be greatly appreciated, thanks.
I believe this error is originating because of IIS vdir [SSL settings]-> Require SSL -> true. If you want both http and https endpoints accessible in the same service then uncheck this setting as this will prevent you from doing unsecure http in the vdir.

Host custom WCF service with authentication within Umbraco

I've created a custom WCF service within Umbraco. The service resides in the Service folder and seems to be working fine (I can call it and it responds appropriately). Now I want the users to authenticate themselves when they call the service.
To do this I've added these lines into the web.config:
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true" />
<bindings>
<webHttpBinding>
<binding name="RaceManBinding">
<security mode="None" />
</binding>
</webHttpBinding>
</bindings>
<services>
<service name="RaceManagerAdmin.RaceManDataService" behaviorConfiguration="RaceManBehavior">
<endpoint address=""
binding="webHttpBinding"
contract="System.Data.Services.IRequestHandler" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="RaceManBehavior">
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="UmbracoMembershipProvider" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
When my service is called it should use the Umbraco membership provider to authenticate the users.
My client specificies this by creating a network credential object, like this:
var a = new RaceEntities(new Uri("http://localhost:40406/umbraco/Webservices/RaceManDataService.svc")) { Credentials = new NetworkCredential("admin", "secret") };
When I inspect the HTTPContext.Current I don't see any authenticated users.
What am I doing wrong?
Frederik
You'll need to enable ASP.Net Compatibility in order to access the identity via the HttpContext:
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
</system.serviceModel>
The answer to this question mentions an alternate method: How to access HttpContext.Current.User.Username in WCF service

WCF HTTPS and multiple sites in IIS

I am trying to configure IIS to host one set of binaries in two IIS websites. So we want to be able to access the urls:
http://external.example.com/ADataService
https://external.example.com/ADataService
http://internal.example.com/ADataService
internal.example.com and external.example.com are set up as different IIS sites to allow us to assign them different application pools. However when I added HTTPS support to our web.config, the internal HTTP support stopped working; http://internal.example.com/ADataService now returns the error:
Could not find a base address that matches scheme https for the endpoint with binding CustomBinding. Registered base address schemes are [http].
Here are the details of our web.config
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
<bindings>
<customBinding>
<binding name="jsonCustomMapper">
<webMessageEncoding webContentTypeMapperType="Service.JSONCustomMapper, Service" />
<httpTransport manualAddressing="true" />
</binding>
<binding name="httpsjsonCustomMapper">
<webMessageEncoding webContentTypeMapperType="Service.JSONCustomMapper, Service" />
<httpsTransport manualAddressing="true" />
</binding>
</customBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="jsonBehavior">
<webHttp />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="defaultBehavior">
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="Service.Service" behaviorConfiguration="defaultBehavior">
<endpoint address="json" binding="customBinding" bindingConfiguration="jsonCustomMapper" behaviorConfiguration="jsonBehavior" contract="Service.IJSONService" />
<endpoint address="json" binding="customBinding" bindingConfiguration="httpsjsonCustomMapper" behaviorConfiguration="jsonBehavior" contract="Service.IJSONService" />
</service>
</services>
</system.serviceModel>
From what I understand multipleSiteBindingsEnabled="true" and HTTPS do not mix, but I don't understand what resources they would be sharing? If we have internal.example.com and external.example.com hosted in different app pools, I thought they would have process isolation?
seems that adding an HTTPS certificate to the site for "internal.example.com" fixed the issue. Note: without this certificate we were not able to access internal.example.com over either HTTP or HTTPS, with certificate both mechanisms work correctly.

There was no end point listening for WCF AuthenticationService

I am trying to authenticate my user logging from windows phone 7 using
AuthenticationService WCF which is hosted in IIS 7.
I tried it without SSL and is working fine. But I want to convert it to
https.
The error I am getting is when I hit the call to this WCF from my WP7 emulator
is :
"EndpointNotFoundException"
However my web.config has the following details:
<system.serviceModel>
<services>
<service name="System.Web.ApplicationServices.AuthenticationService"
behaviorConfiguration="AuthenticationServiceTypeBehaviors">
<endpoint contract="System.Web.ApplicationServices.AuthenticationService"
binding="basicHttpBinding"
bindingConfiguration="userHttps" address="https://localhost:700/AuthenticationService.svc"
bindingNamespace="http://asp.net/ApplicationServices/v200"/>
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="userHttps">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="AuthenticationServiceTypeBehaviors" >
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment
aspNetCompatibilityEnabled="true"/>
</system.serviceModel>
USING: AspNetSqlMembershipProvider and I am avoiding those details to make the point.
In my IIS 7, I have created an App pool and associated a self signed
certificate to the hosted WCF and in the SSL Settings options to "Require SSL
- selected" and "Ignore client certificates- checked"
I am able to browse to https://localhost:700/AuthenticationService.svc.
I was able to add this as a Service Reference in my phone, but when I call the
login method it is showing the error.
I have specified the end-point address and even then it is showing error.
Can anyone explain me how to debug this to get more details or any pointers to
solve "Using Authentication Service WCF via SSL"
EDIT 1 I tried using IP addresses and the svc URL when I tried accessing
the service through browser
svcutil.exe https://mcname.domain.local:700/AuthenticationService.svc?wsdl
EDIT 2 Tried disabling antivirus and firewalls and still no luck.
As per #Rajesh's comments, I installed the certificate in phone and it started working.
I tried all options of exporting .CER, .PFX and .P7B format and only P7B format worked for me to get it installed in phone.
The part of web.config file for enabling AuthenticationService WCF with SSL is
<services>
<service behaviorConfiguration="AppServiceBehaviors" name="System.Web.ApplicationServices.AuthenticationService">
<endpoint binding="basicHttpBinding" bindingConfiguration="defaultBasicHttpBinding"
bindingNamespace="http://asp.net/ApplicationServices/v200" contract="System.Web.ApplicationServices.AuthenticationService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="AppServiceBehaviors">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"
multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.web.extensions>
<scripting>
<webServices>
<authenticationService enabled="true" requireSSL="true"/>
Steps followed to make it work: http://blogs.msdn.com/b/davidhardin/archive/2010/12/30/wp7-and-self-signed-ssl-certificates.aspx
The host name must be resolvable by the http agent via DNS, WINS,
hosts file, etc.
The SSL certificate must be known by a name that matches the host
name.
The trusted root certificate must be installed with the http
agent, i.e. on the phone.
Installing the certificate on to the WP7 emulator phone was the trickiest part. As mentioned earlier the P7B file was hosted on the IIS and URL was accessed via emulator browser which helped me to install the certificate on phone (Sorry! I forgot the reference link).
After the installation, the endpoint issue disappeared and it started to work. As this is not a permanent solution (because everytime emulator is closed the CERT needs to be reinstalled), I am working on http://wp7certinstaller.codeplex.com/ code to make it work when it is hosted in IIS for testing purposes.
Thanks #Rajesh for your help.

Custom UserName/Password authentication in IIS6

I have a WCF service I'm hosting in IIS6. I'm trying to set up custom username/password authentication using Transport level security. I've set up a test certificate and got a client to connect over SSL with no authentication specified, i.e:
<security mode="Transport">
<transport clientCredentialType="Basic" />
</security>
I've set up a custom validator with Message security and client credential type "UserName", but I'd like to incorporate this now with Transport level security. When I have my web.config set, when I try to view the WSDL, I get an error:
"Security settings for this service require 'Basic' Authentication but it is not enabled for the IIS application that hosts this service."
Here are the important parts of my web.config:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="UserNameBinding">
<security mode="Transport">
<transport clientCredentialType="Basic" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ServiceAuthenticationBehavior"
name="Service.WebServices.MyService">
<endpoint address="mex" binding="mexHttpsBinding" bindingConfiguration=""
name="mexBinding" contract="IMetadataExchange" />
<endpoint binding="wsHttpBinding" bindingConfiguration="UserNameBinding"
name="wsHttpBindingWithAuth" contract="Service.WebServices.IMyService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceAuthenticationBehavior">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<serviceCertificate findValue="TestCert01" storeLocation="LocalMachine"
storeName="TrustedPeople" x509FindType="FindBySubjectName" />
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="Service.WebServices.ClientCredentialsValidator, Service.WebServices" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
Is there something I'm supposed to set in IIS6 to enable this?
In IIS, I started initially with the "Enable anonymous access" option enabled. I also tried enabling "Basic authentication (password is sent in clear text)" checkbox, but no success.
This post seems to suggest that Basic is only available for Windows account, with a 3rd party solution...
Basic Authentication with WCF REST service to something other than windows accounts?
I've been here myself, and ended up going with 1-legged openauth which worked nicely.
edit
this post sent me well on my way to a solution http://www.cleancode.co.nz/blog/523/oauth-dot-net
its worth mentioning the diff between 1 and 2-leg OAuth. 1-leg is where the client and the service both know the client's secret (password) for the client's account name which is used to encrypt and decrypt the authentication request (which all gets added to the querystring). with 2-legged, this is generated by a 3rd party such as google, facebook etc.