Search code examples
wcfwcf-bindingwcf-security

Getting an Security setting exception while accessing a WCF service

Following are binding configurations of my WCF service.

  • Anonymous access: off
  • Basic authentication: on
  • Integrated Windows authentication: off !!

support HTTP protocol .

I am getting an following exception while accessing my WCF service:

Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service. 

<system.serviceModel>

    <bindings>

          <basicHttpBinding>

                <binding name="MyBinding">

                      <security mode="TransportCredentialOnly">                           

                            <transport clientCredentialType ="Basic" />

                      </security>

                </binding>

          </basicHttpBinding>

    </bindings>

<services>

        <service behaviorConfiguration="WMWcfWebServiceLib.Service1Behavior"

          name="WMWcfWebServiceLib.WMWcfWebService">

              <endpoint address="" binding="basicHttpBinding" bindingConfiguration="MyBinding"

                contract="WMWcfWebServiceLib.IWMWebService">                    



              </endpoint>

              <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />

              <host>

                    <baseAddresses>

                          <add baseAddress="http://localhost:8731/Design_Time_Addresses/WMWcfWebServiceLib/Service1/" />

                    </baseAddresses>

              </host>

        </service>

  </services>

<behaviors>

  <serviceBehaviors>

    <behavior name="WMWcfWebServiceLib.Service1Behavior">

      <!-- To avoid disclosing metadata information, 

      set the value below to false and remove the metadata endpoint above before deployment -->

      <serviceMetadata httpGetEnabled="True"/>

      <!-- To receive exception details in faults for debugging purposes, 

      set the value below to true.  Set to false before deployment 

      to avoid disclosing exception information -->

      <serviceDebug includeExceptionDetailInFaults="False" />

    </behavior>

  </serviceBehaviors>

</behaviors>

Please Help!!

Edit

I am able to access the WCF service through the web browser with the following changes:

Changes the security mode to TransportCredentialOnly and Removed the Mex Endpoint, but now as obvious I am not able to create the proxy on the client side.

Please let me know where I am wrong ?

Solution

  • If you want to support HTTP only your configuration is not used at all because mode="Transport" demands HTTPS. First find why config is not used (probably wrong type name in service element). Next change security mode to TransportCredentialOnly. But be aware that TransportCredentialOnly + Basic authentication means that HTTP requests will contain plain text Windows user name and password. In most cases such implementation will not pass any security audit.

    Edit:

    You can create proxy without mex endpoint if you still support httpGetEnabled in service metadata behavior.