While deploying a Silverlight application on IIS today, I learned several new things. Let me share my observations. This post describes the security settings for a WCF service in web.config. To start, I assume that you are using either Windows or Forms authentication and denying all anonymous users, as described in a previous post.
First, make sure to remove the mexHttpBinding endpoint as this requires you to enable anonymous access to the website in IIS. The mexHttpBinding endpoint will look something like:
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
BasicHttpBinding
Typically, in your application, you will also be using some custom basicHttpBinding configuration for your WCF service endpoint, like this one:
<endpoint address="" binding="basicHttpBinding" contract="SilverlightApplication.Web.WCFService" bindingConfiguration="myCustomBasicHttpBinding" />
Using a custom binding allows you to configure buffers and quotas as described in this post. The definition of this custom binding will look something like:
<bindings>
  <basicHttpBinding>
    <binding name="myCustomBasicHttpBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
The <transport clientCredentialType="None"/> element is the main point of interest here. If you are using Forms Authentication, you need to allow anonymous access through IIS and set the clientCredentialType to None. If you want to run your application under Windows Authentication, you should use clientCredentialType="xxxx", where xxxx is the corresponding IIS authentication type. So, to work with Integrated Windows/Basic/Digest/NTLM Authentication, the xxxx should be replaced by Windows/Basic/Digest/Ntlm respectively.
Update: Custom Binary Binding
A similar change is required for a custom binary binding:
<customBinding>
  <binding name="myCustomBinaryBinding">
    <binaryMessageEncoding>
      <readerQuotas ... />
    </binaryMessageEncoding>
    <httpTransport authenticationScheme="Anonymous" ... />
  </binding>
</customBinding>
Again, the point of interest is the authenticationScheme attribute in the httpTransport element that needs to match the IIS authentication setting (e.g. Anonymous for Forms Authentication, Ntlm/Basic/Digest for Windows Authentication).
This way, the WCF service should work without any problems.
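The checks described above for both the basicHttpBinding and the custom binary binding can be run against a web.config before deployment. The following is an added example, not code from the original post; the function name, the mode labels in the mapping and the sample configuration are assumptions made for illustration, and the config is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# IIS auth mode -> (clientCredentialType, authenticationScheme), per the post.
# The post gives no httpTransport value for Integrated Windows: None = skipped.
EXPECTED = {
    "Forms": ("None", "Anonymous"),
    "IntegratedWindows": ("Windows", None),
    "Basic": ("Basic", "Basic"),
    "Digest": ("Digest", "Digest"),
    "NTLM": ("Ntlm", "Ntlm"),
}

def audit_wcf_config(xml_text, iis_auth):
    """Return findings for a web.config checked against the IIS auth mode."""
    want_cred, want_scheme = EXPECTED[iis_auth]
    root = ET.fromstring(xml_text)
    findings = []
    for ep in root.iter("endpoint"):
        if ep.get("binding") == "mexHttpBinding":
            findings.append("mex endpoint present (address=%r)" % ep.get("address"))
    for binding in root.iter("binding"):
        name = binding.get("name")
        # A missing attribute is treated as the WCF default (None / Anonymous).
        for t in binding.iter("transport"):
            got = t.get("clientCredentialType", "None")
            if got != want_cred:
                findings.append("%s: clientCredentialType=%s, expected %s" % (name, got, want_cred))
        for h in binding.iter("httpTransport"):
            got = h.get("authenticationScheme", "Anonymous")
            if want_scheme and got != want_scheme:
                findings.append("%s: authenticationScheme=%s, expected %s" % (name, got, want_scheme))
    return findings

# Constructed sample assembled from the snippets in the post (elided parts omitted).
SAMPLE = """<configuration><system.serviceModel>
<services><service name="SilverlightApplication.Web.WCFService">
<endpoint address="" binding="basicHttpBinding" contract="SilverlightApplication.Web.WCFService" bindingConfiguration="myCustomBasicHttpBinding"/>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service></services>
<bindings><basicHttpBinding><binding name="myCustomBasicHttpBinding">
<security mode="TransportCredentialOnly"><transport clientCredentialType="None"/></security>
</binding></basicHttpBinding>
<customBinding><binding name="myCustomBinaryBinding">
<binaryMessageEncoding/><httpTransport authenticationScheme="Anonymous"/>
</binding></customBinding></bindings>
</system.serviceModel></configuration>"""

if __name__ == "__main__":
    for mode in ("Forms", "NTLM"):
        print(mode, audit_wcf_config(SAMPLE, mode))
```

Run with the mode that matches the site's IIS setting; an empty list means the mex endpoint is gone and every binding agrees with that mode.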