Tuesday, February 9, 2010

WCF BasicHttpBinding and windows authentication on IIS 6.0

Recently I tried to host a WCF service on IIS 6.0 with basic http binding.
I needed to authenticate users with windows security mode.

I configured the WCF binding like below in the web.config file:

<binding name="BasicHttpWindowsBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />

Although I configured IIS so that anonymous authentication is not allowed and windows authentication is required, I got this error when I opened the service page with internet explorer:

System.NotSupportedException: security settings for this service require windows authentication but it is not enabled for the iis application that hosts this service

Well, it was disappointing because both service configuration and the IIS configuration was configured for windows authentication mode.

After a little struggle I found that basicHttpBinding's windows authentication is not supported by IIS 6.0.
Instead security mode of the binding should be set to Ntlm and you have to allow anonymous authentication in the IIS site settings.

Here is the complete config file:

<?xml version="1.0" encoding="UTF-8"?>

<compilation debug="true" />
<customErrors mode="Off" />
<authentication mode="Windows">
<allow users="somedomain\someuser"/>
<deny users="*"/>

<compiler language="c#;cs;csharp" extension=".cs" warningLevel="4" type="Microsoft.CSharp.CSharpCodeProvider, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<providerOption name="CompilerVersion" value="v3.5" />
<providerOption name="WarnAsError" value="false" />

<validation validateIntegratedModeConfiguration="false" />
<add name="SvcFile" path="*.svc" verb="*" type="System.ServiceModel.Activation.HttpHandler" resourceType="Unspecified" preCondition="integratedMode" />
<directoryBrowse enabled="true" showFlags="Date, Time, Size, Extension, LongDate" />

<binding name="BasicHttpWindowsBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" />
<service behaviorConfiguration="SomeServiceBehavior" name="SomeAssembly.SomeService">
<endpoint binding="basicHttpBinding" bindingConfiguration="BasicHttpWindowsBinding" contract="SomeAssembly.ISomeService">
<dns value="localhost" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
<add baseAddress="https://localhost/SomeAssembly/ISomeService.svc" />
<behavior name="SomeServiceBehavior">
<serviceMetadata httpGetEnabled="True"/>
<serviceDebug includeExceptionDetailInFaults="True" />