I’ve just spent good 3 hours trying to configure .svc
enpoints to force Windows authentication over HTTP. Oh how I hate this WCF configuration madness.
The end result however was actually quite simple.
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="svcEndpoint">
<enableWebScript />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="defaultService">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<windowsAuthentication allowAnonymousLogons="false" includeWindowsGroups="true" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service
name="MyApplication.Services.MyService"
behaviorConfiguration="defaultService">
<endpoint
address=""
behaviorConfiguration="svcEndpoint"
binding="webHttpBinding"
bindingConfiguration="webBinding"
contract="MyApplication.Services.MyService" />
</service>
</services>
<bindings>
<webHttpBinding>
<binding name="webBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="Windows">
</transport>
</security>
</binding>
</webHttpBinding>
</bindings>
</system.serviceModel>
</configuration>
Whilst trying to make things work I’ve faced these errors:
- The authentication schemes configured on the host (
IntegratedWindowsAuthentication
) do not allow those configured on the bindingWebHttpBinding
(“Anonymous”). Please ensure that theSecurityMode
is set toTransport
orTransportCredentialOnly
. Additionally, this may be resolved by changing the authentication schemes for this application through the IIS management tool, through theServiceHost.Authentication.AuthenticationSchemes
property, in the application configuration file at the element, by updating theClientCredentialType
property on the binding, or by adjusting theAuthenticationScheme
property on theHttpTransportBindingElement
. - Could not find a base address that matches scheme https for the endpoint with binding
WebHttpBinding
. Registered base address schemes are [http].
Thankfully now they’re all gone.