WCF - Windows authentication - Security settings require Anonymous

Rashack picture Rashack · Jun 22, 2009 · Viewed 74.7k times · Source

I am struggling hard with getting WCF service running on IIS on our server. After deployment I end up with an error message:

Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

I want to use Windows authentication and thus I have Anonymous access disabled. Also note that there is aspNetCompatibilityEnabled (if that makes any difference).

Here's my web.config:

<system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <bindings>
        <webHttpBinding>
            <binding name="default">
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows" proxyCredentialType="Windows"/>
                </security>
            </binding>
        </webHttpBinding>
    </bindings>
    <behaviors>
        <endpointBehaviors>
            <behavior name="AspNetAjaxBehavior">
                <enableWebScript />
                <webHttp />
            </behavior>
        </endpointBehaviors>
        <serviceBehaviors>
            <behavior name="defaultServiceBehavior">
                <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
                <serviceDebug includeExceptionDetailInFaults="true" />
                <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
            </behavior>
        </serviceBehaviors>
    </behaviors>
    <services>
        <service name="xxx.Web.Services.RequestService" behaviorConfiguration="defaultServiceBehavior">
            <endpoint behaviorConfiguration="AspNetAjaxBehavior" binding="webHttpBinding"
             contract="xxx.Web.Services.IRequestService" bindingConfiguration="default">
            </endpoint>
            <endpoint address="mex" binding="mexHttpBinding" name="mex" contract="IMetadataExchange"></endpoint>
        </service>
    </services>
</system.serviceModel>

I have searched all over the internet with no luck. Any clues are greatly appreciated.

Answer

Rashack picture Rashack · Jun 22, 2009

So it seems like pretty common issue. The point is to remove mex from your bindings:

<endpoint address="mex" binding="mexHttpBinding" name="mex" contract="IMetadataExchange"></endpoint>

Alternativelly you enable Anonymous access in IIS and in your web.config you make sure anonymous access is denied.

Hope this will help some other soul. (I was 100% sure I tried it with mex removed. :-O )