WCF 4 Rest Service on IIS Developer Express, Authentication Issue - wcf

When I host the "WCF 4 Rest Service Template" project (from template) in IIS Developer Express I get the following:
IIS specified authentication schemes 'IntegratedWindowsAuthentication, Anonymous', but the binding only supports specification of exactly one authentication scheme. Valid authentication schemes are Digest, Negotiate, NTLM, Basic, or Anonymous. Change the IIS settings so that only a single authentication scheme is used.
I have not changed any configuration explicitly other than setting automaticFormatSelectionEnabled to false in order to return JSON:
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
<standardEndpoints>
<webHttpEndpoint>
<!--Configure the WCF REST service base address via the global.asax.cs file and the default endpoint
via the attributes on the <standardEndpoint> element below-->
<standardEndpoint name=""
helpEnabled="true"
automaticFormatSelectionEnabled="false"
/>
</webHttpEndpoint>
</standardEndpoints>
</system.serviceModel>
If the endpoint configuration not being set explicitly is the issue then how would I do so for this kind of service, in order to set the authentication scheme for the service explicitly to avoid this issue with iis developer express?
Note: I have the following assemblies Microsoft.Web.dll & Microsoft.Web.Administration.dll in the web service projects /bin folder of the application as described in workaround for hopsting WCF services here on the iss team blog:
http://blogs.iis.net/vaidyg/archive/2010/07/21/wcf-workaround-for-webmatrix-beta.aspx

You will need to disable the authentication scheme that is not needed, my guess Windows authnetication. So:
Launch Notepad
Open in Notepad file: %userprofile%\Documents\IISExpress8\config\applicationhost.config
Search for <windowsAuthentication
Change the enabled attribute from
true to false
Save
That will disable Windows Authentication for all sites, you could alternatively add a location path at the bottom of the file right before the last </configuration> line for the specific site (YourSite in this case) add:
<location path="YourSite" overrideMode="Allow">
<system.webServer>
<security>
<windowsAuthentication enabled="false" />
</security>
</system.webServer>
</location>
This will only disable that for the specific site.

Related

Web API Windows Authentication hosting in IIS

I am working on WEB API Windows Authentication. I have added below config in web.config
Getting this issue:
This configuration section cannot be used at this path.
This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false"
Please help me on this. Please provide steps how to achieve window authentication in web api
The reason why this error encounters is probably because of the
settings to enable windowsauthentication in IIS via the
web.config file. To resolve this you have to adjust the applicationhost.config file of the IIS server. You need to tell IIS that his own configuration may be overwritten:
For IIS Express follow these instructions
For IIS Server follow 'section applicationhost.config'
Below steps (simple scenario) to allow windows authentication
Assure the webapi project is using windows authentication.
<system.web>
<authentication mode="Windows"></authentication>
</system.web>
Set IIS to windowsAuthenthication and nothing else by configuring the config file
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="false"/>
</authentication>
</security>
</system.webServer>
Adjust the applicationhost.config of IIS like described above.

Azure Accelerator for Web Roles & serviceHostingEnvironment aspNetCompatibilityEnabled="true"

I'm not sure if this problem is specific to Accelerator for Web roles (WAAWR: http://waawebroles.codeplex.com/)
Edit: I have confirmed this error is only thrown in my WAAWR application - if I deploy the same code as a stand alone webrole this error is not thrown.
I'm trying to run WCF Routing / clean urls on an application that is being deployed via WAAWR. This feature requires asp .net compatibility mode. Here is my config section:
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true">
<baseAddressPrefixFilters>
<add prefix="http://api.mydomain.com"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
<standardEndpoints>
<webHttpEndpoint>
<standardEndpoint name="" helpEnabled="true" automaticFormatSelectionEnabled="true"/>
</webHttpEndpoint>
</standardEndpoints>
</system.serviceModel>
I've been stuck on this error for a couple of hours:
System.IO.FileLoadException: Filename:
\?\C:\Resources\directory\XXXXXXXXXXXXXXXXXXXXXXX\web.config
Line number: 74 Error: This configuration section cannot be used at
this path. This happens when the section is locked at a parent level.
Locking is either by default (overrideModeDefault="Deny"), or set
explicitly by a location tag with overrideMode="Deny" or the legacy
allowOverride="false". at
Microsoft.Web.Administration.Interop.IAppHostAdminManager.GetAdminSection(String
bstrSectionName, String bstrPath) at
Microsoft.Web.Administration.WebConfigurationManager.GetSectionInternal(String
siteName, String virtualPath, String sectionPath, Type sectionType)
At first I thought that the apps you deploy via the web role host were sub-directories/virtual directories, so I threw this config into the .config file of the deploy host application itself - but that didn't do the trick. I remote desktop-ed in to see what's going on and it looks like each application deployed via the host is it's own application under IIS in its own right. Also when you explore the app from IIS manager, the apps aren't event located on the same drive as the deploy host. So I'm not sure why this error is being thrown.
Any ideas out there?
Found my answer here:
http://cennest.wordpress.com/2010/09/20/azure-tip-wcf-4-0-servicerouting-in-azure/
Not sure why it works find with a normal role & you have to add the section declaration for an child application - but happy it's working!

Running a .net 4.0 WCF data service on a subdomain

I have two domains running my WCF data services:
a) http://www.domain-a.com/
b) http://api.domain-b.com/
When I address my service like this:
http://domain-a.com/odata.svc - IT WORKS.
When I address my service like this:
http://www.domain-a.com/odata.svc - I GET THE FOLLOW EXCEPTION:
Message: Service 'cf.Svc.odata_v0' has
zero application (non-infrastructure)
endpoints. This might be because no
configuration file was found for your
application, or because no service
element matching the service name
could be found in the configuration
file, or because no endpoints were
defined in the service element.
ExceptionStackTrace: at
System.ServiceModel.Description.DispatcherBuilder.EnsureThereAreApplicationEndpoints(ServiceDescription
description) at
System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription
description, ServiceHostBase
serviceHost) at
The problem, is that I need moving forward to run my service on:
http://api.domain-b.com/ and I do not have the option to reference it as http://domain-b.com/ because the root domain is already in use.
I even tried downloading the WCF Data Services Toolkit (http://wcfdstoolkit.codeplex.com/releases/view/65119) april release thinking I'd get around the problem with setting up a nice clean route - like:
http://api.domain-b.com/odata
But I'm still getting this error. Can anyone tell me what's going on?
My web.config looks like below - I am also running WCF Rest Services that do not have any issues in the same application.
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
<standardEndpoints>
<webHttpEndpoint>
<standardEndpoint name="" helpEnabled="true"
automaticFormatSelectionEnabled="true" />
</webHttpEndpoint>
</standardEndpoints>
</system.serviceModel>

Biztalk gets MessageSecurityException with WCF-WsHTTP endpoint

When Biztalk 2009 calls a regular ASP.NET webservice via an WS BasicHTTP adapter, it gets a System.ServiceModel.Security.MessageSecurityException: the HTTP request is unauthorized with client authentication scheme "Anonymous". The authentication header received from the server was : Negotiate NTLM".
The webservice is hosted in IIS (7.5), with anonymous access disabled, and Windows Authentication enabled.
Your send port needs to be configured to use NTLM security, as that appears to be what the web service requires.
Open the send port's configuration, open the transport type's (WCF-BasicHttp) configuration, and go to the Security tab. There, set the security mode to Transport. That will allow you to set the Transport client credential type to Ntlm.
This will cause BizTalk to authenticate to the web service using NTLM. It will use the account of the BizTalk host in which your send port is running. If that account does not have access to the web service, then you'll either need to grant it access or look at alternatives, such as switching from NTLM to Basic (which allows you to specify the credentials under that same Security tab). A discussion about this issue is here.
Of course, you did mention that you configured the web service for Windows Authentication, so you can also try setting the Transport client credential type to Windows. That should still use the BizTalk host process's account, though, just like NTLM.
FWIW here's a paste of a WCF basicHttpBinding exposed to BizTalk 2009
<services>
<service ... >
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="binding4BizTalk"
bindingNamespace="xxx"
... >
<!-- Delete the identity tag here -->
</endpoint>
And then under the bindings
<bindings>
<basicHttpBinding>
<binding name="binding4BizTalk" ...>
<security mode="None" />
Hope is of some use?

WCF Http Bindings, Require SSL

I have the following binding I'm using with my wsHttpBinding webservice.
<binding name="wsHttpConfig">
<security>
<transport clientCredentialType="None"/>
</security>
</binding>
The issue is that it allows for the client to connect using either Http or Https. I would like to require them to use SSL. I tried adding the following:
<system.web.extensions>
<scripting>
<webServices>
<authenticationService enabled="true"
requireSSL = "true"/>
</webServices>
</scripting>
</system.web.extensions>
But it had no effect; client could still connect with Http. I then tried checking the "Require SSL" in the IIS7 SSL Settings and had client certificates radio set to Accept. Now, when I try to view the service I am getting the error "Could not find a base address that matches scheme http for the endpoint with binding WSHttpBinding. Registered base address schemes are [https]."
Anyone know exactly how to fix this error? I have been googling for the last 3 hours trying 500 different combinations (not 500, but too many to list) and could not get anything to run.
For anyone stumbling across this one from Google, Bing (Bingle, Yangle?) then take a look at a blog post a put together to help others trying to run a secure AuthenticationService in a test environment.
http://www.lukepuplett.com/2010/07/setting-up-wcf-over-ssl-on-iis-7x.html
And good luck!
Have you read this msdn post?
You must either change
binding="mexHttpBinding"
to
binding="mexHttpsBinding"
or else add an http base address in addition to the https base address. (Right now the metadata endpoint is trying to get hosted on http, rather than https, and there's no base address for that.)
Have you correctly configured your endpoint?
Have you tried dynamically configuring the base address?