How to expose WCF service with Basic and Windows authentication options, so negotiation works


Some clients should be able to use Basic authentication with our WCF SOAP services, while others use Windows authentication. We will usually host our services in IIS, although we also provide a less developed Windows-service hosting option.

I understand that it is not possible to configure a single endpoint to support both Basic and Windows authentication. Therefore, we have two endpoints per service:

    <!-- Basic-authenticated endpoint: URL ends in ".../basic" -->
    <endpoint address="basic"
              binding="basicHttpBinding"
              bindingConfiguration="basicBinding"
              contract="SomeContract"
              bindingNamespace="http://www.somewhere.com/Something" />

    <!-- Windows-authenticated endpoint: URL ends in ".../win" -->
    <endpoint address="win"
              binding="basicHttpBinding"
              bindingConfiguration="windowsBinding"
              contract="SomeContract"
              bindingNamespace="http://www.somewhere.com/Something" />
    ...
    <bindings>
      <basicHttpBinding>
        <!-- Credentials carried at the transport (HTTP) level, no HTTPS -->
        <binding name="basicBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Basic" />
          </security>
        </binding>
        <binding name="windowsBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>

The web application in IIS has to have both Basic and Windows authentication enabled (otherwise the bindings above will not both work).

When a client uses the Windows-authenticated endpoint (with "win" at the end of the URL), it generally works fine. When there is no authentication information in the initial request, there is a negotiation between the client and IIS, they settle on Windows authentication, and everything goes well.

When a client uses the Basic-authenticated endpoint (with "basic" at the end of the URL), it works if the Authorization HTTP header contains the correctly encoded credentials. However, if the client does not include any authentication information in the initial request, the negotiation ends up selecting Windows authentication. The request gets past IIS security, but WCF then rejects it, because it is going to a Basic-authenticated endpoint.

I am really unsure about what is happening in the negotiation, but I think IIS offers all the authentication methods enabled for the web application (i.e. Basic and Windows), even though the specific WCF endpoint URL for the request only supports Basic.

I would like to know whether anything can be done in IIS so that it negotiates the correct answer: i.e., if the request is to the Basic-authenticated endpoint, tell the client it has to use Basic. Of course, we still want the negotiation to end up selecting Windows when the request went to the Windows-authenticated endpoint.

If not, do you think it would be better to focus our attention on the Windows-service-hosted version of the services?

Last note: we use Basic over HTTP for some internal uses, but we know that this is an insecure combination. Therefore we usually turn on HTTPS for production use; I have left it out here for simplicity.

Yes, clientCredentialType="InheritedFromHost" fixes the problem for me. This is new in .NET 4.5 and means that one endpoint URL can now be used for more than one authentication type. The IIS settings control which authentication is allowed, which means it is no longer possible for the IIS and WCF settings to conflict.
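As an added illustration (not part of the answer above, and not the asker's project configuration), here is what the two-endpoint layout collapses to once the host decides the authentication scheme. It assumes a .NET 4.5 or later service hosted in IIS with an HTTPS binding, so the WCF security mode is Transport rather than TransportCredentialOnly, in line with the "last note" in the question; the contract and namespace names are the placeholders used in the question. The system.webServer part is only effective if the basicAuthentication and windowsAuthentication sections have been unlocked in applicationHost.config, which they are not by default, so in practice those two switches are usually set at the server or site level instead.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- One binding serves both Basic and Windows clients.
             InheritedFromHost tells WCF to accept whichever scheme
             IIS has already negotiated and authenticated, so the
             WCF-side setting can no longer contradict the IIS-side one. -->
        <binding name="hostAuthBinding">
          <security mode="Transport">
            <transport clientCredentialType="InheritedFromHost" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="SomeService">
        <!-- A single endpoint URL; no more ".../basic" vs ".../win" split -->
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="hostAuthBinding"
                  contract="SomeContract"
                  bindingNamespace="http://www.somewhere.com/Something" />
      </service>
    </services>
  </system.serviceModel>

  <system.webServer>
    <security>
      <authentication>
        <!-- IIS, not WCF, now defines the allowed schemes.
             Anonymous stays off so an unauthenticated first request
             gets a 401 with both challenges rather than reaching WCF. -->
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="true" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Because both schemes are advertised on the same URL, a client that sends no credentials receives the 401 challenge and picks whichever scheme it supports; a client that sends a Basic Authorization header up front is accepted directly. Keep HTTPS on whenever Basic is enabled, since the Basic header carries the password reversibly encoded.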

