Windows authentication for WCF web services over HTTP

  2013-11-05


I’ve just spent a good 3 hours trying to configure .svc endpoints to force Windows authentication over HTTP. Oh how I hate this WCF configuration madness.

The end result however was actually quite simple.

<configuration>
    <system.serviceModel>
        <behaviors>
            <endpointBehaviors>
                <behavior name="svcEndpoint">
                    <enableWebScript />
                </behavior>
            </endpointBehaviors>
            <serviceBehaviors>
                <behavior name="defaultService">
                    <serviceMetadata httpGetEnabled="true" />
                    <serviceDebug includeExceptionDetailInFaults="false" />
                    <serviceCredentials>
                        <windowsAuthentication allowAnonymousLogons="false" includeWindowsGroups="true" />
                    </serviceCredentials>
                </behavior>
            </serviceBehaviors>
        </behaviors>
        <services>
            <service 
                name="MyApplication.Services.MyService" 
                behaviorConfiguration="defaultService">
                <endpoint
                    address=""
                    behaviorConfiguration="svcEndpoint"
                    binding="webHttpBinding"
                    bindingConfiguration="webBinding"
                    contract="MyApplication.Services.MyService" />
            </service>
        </services>
        <bindings>
            <webHttpBinding>
                <binding name="webBinding">
                    <security mode="TransportCredentialOnly">
                        <transport clientCredentialType="Windows" proxyCredentialType="Windows">
                        </transport>
                    </security>
                </binding>
            </webHttpBinding>
        </bindings>
    </system.serviceModel>
</configuration>

Whilst trying to make things work I’ve faced these errors:

  • The authentication schemes configured on the host (IntegratedWindowsAuthentication) do not allow those configured on the binding WebHttpBinding (“Anonymous”). Please ensure that the SecurityMode is set to Transport or TransportCredentialOnly. Additionally, this may be resolved by changing the authentication schemes for this application through the IIS management tool, through the ServiceHost.Authentication.AuthenticationSchemes property, in the application configuration file at the element, by updating the ClientCredentialType property on the binding, or by adjusting the AuthenticationScheme property on the HttpTransportBindingElement.
  • Could not find a base address that matches scheme https for the endpoint with binding WebHttpBinding. Registered base address schemes are [http].

Thankfully now they’re all gone.
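
An added example, not code from the original post: a small Python linter that reads a web.config and flags the binding states behind the two errors above, and also notes that TransportCredentialOnly authenticates the caller without encrypting the HTTP traffic. The function name, finding labels and `base_schemes` parameter are assumptions for illustration; the sample XML is constructed from the config shown earlier.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the services and bindings sections of the config above.
SAMPLE = """<configuration><system.serviceModel>
  <services>
    <service name="MyApplication.Services.MyService">
      <endpoint address="" binding="webHttpBinding"
                bindingConfiguration="webBinding"
                contract="MyApplication.Services.MyService" />
    </service>
  </services>
  <bindings><webHttpBinding>
    <binding name="webBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" proxyCredentialType="Windows" />
      </security>
    </binding>
  </webHttpBinding></bindings>
</system.serviceModel></configuration>"""


def lint_web_http_endpoints(config_xml, base_schemes=("http",)):
    """Return (service, finding) pairs for every webHttpBinding endpoint."""
    root = ET.fromstring(config_xml)
    bindings = {b.get("name", ""): b
                for group in root.iter("webHttpBinding")
                for b in group.findall("binding")}
    findings = []
    for service in root.iter("service"):
        for endpoint in service.findall("endpoint"):
            if endpoint.get("binding") != "webHttpBinding":
                continue
            binding = bindings.get(endpoint.get("bindingConfiguration", ""))
            security = binding.find("security") if binding is not None else None
            # WCF defaults: security mode None, clientCredentialType None.
            mode = security.get("mode", "None") if security is not None else "None"
            transport = security.find("transport") if security is not None else None
            cred = transport.get("clientCredentialType", "None") if transport is not None else "None"
            name = service.get("name")
            if mode == "None" or cred == "None":
                # A host that allows only Windows auth rejects this (first error).
                findings.append((name, "anonymous-binding"))
            if mode == "Transport" and "https" not in base_schemes:
                # Transport mode needs an https base address (second error).
                findings.append((name, "https-base-address-missing"))
            if mode == "TransportCredentialOnly":
                # The client is authenticated, but HTTP traffic is not encrypted.
                findings.append((name, "no-transport-encryption"))
    return findings
```

Pass the base address schemes the site actually registers (for example `("http", "https")`) as `base_schemes` when checking a real web.config.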
