WCF - Windows authentication - Security settings require Anonymous

wcf security authorization
Rashack picture Rashack · Jun 22, 2009 · Viewed 74.7k times · Source

I am struggling hard with getting WCF service running on IIS on our server. After deployment I end up with an error message:

Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

I want to use Windows authentication and thus I have Anonymous access disabled. Also note that there is aspNetCompatibilityEnabled (if that makes any difference).

Here's my web.config:

<system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <bindings>
        <webHttpBinding>
            <binding name="default">
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows" proxyCredentialType="Windows"/>
                </security>
            </binding>
        </webHttpBinding>
    </bindings>
    <behaviors>
        <endpointBehaviors>
            <behavior name="AspNetAjaxBehavior">
                <enableWebScript />
                <webHttp />
            </behavior>
        </endpointBehaviors>
        <serviceBehaviors>
            <behavior name="defaultServiceBehavior">
                <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
                <serviceDebug includeExceptionDetailInFaults="true" />
                <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
            </behavior>
        </serviceBehaviors>
    </behaviors>
    <services>
        <service name="xxx.Web.Services.RequestService" behaviorConfiguration="defaultServiceBehavior">
            <endpoint behaviorConfiguration="AspNetAjaxBehavior" binding="webHttpBinding"
             contract="xxx.Web.Services.IRequestService" bindingConfiguration="default">
            </endpoint>
            <endpoint address="mex" binding="mexHttpBinding" name="mex" contract="IMetadataExchange"></endpoint>
        </service>
    </services>
</system.serviceModel>

I have searched all over the internet with no luck. Any clues are greatly appreciated.

Answer

Rashack picture Rashack · Jun 22, 2009

So it seems like pretty common issue. The point is to remove mex from your bindings:

<endpoint address="mex" binding="mexHttpBinding" name="mex" contract="IMetadataExchange"></endpoint>

Alternativelly you enable Anonymous access in IIS and in your web.config you make sure anonymous access is denied.

Hope this will help some other soul. (I was 100% sure I tried it with mex removed. :-O )

Related questions

Best Practices for securing a REST API / web service

When designing a REST API or service are there any established best practices for dealing with security (Authentication, Authorization, Identity Management) ? When building a SOAP API you have WS-Security as a guide and much literature exists on the topic. I …

Read More
The HTTP request was forbidden with client authentication scheme 'Anonymous'

This seams to be a common problem, and I have looked at all the answers here but none have helped. I am trying to get SSL to work with basichttpbinding and WCF service hosted on iis. I think the problem …

Read More
At least one security token in the message could not be validated

Server config: <?xml version="1.0"?> <configuration> <system.serviceModel> <behaviors> <serviceBehaviors> <behavior name="ServiceCredentialsBehavior"> <serviceCredentials> <serviceCertificate findValue="cn=cool" storeName="TrustedPeople" storeLocation="CurrentUser" /> </serviceCredentials> &…

Read More