While deploying a Silverlight application on IIS today, I learned several new things. Let me share my observations: this post describes the security settings for a WCF service in web.config. To start, I assume that you are using either Forms authentication and denying all the anonymous users as described in a previous post.
First, make sure to remove the mexHttpBinding endpoint, as this requires you to enable anonymous access to the website in IIS. The mexHttpBinding endpoint will look something like:
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
Typically, in your application, you will also be using some custom basicHttpBinding configuration for your WCF service endpoint, like this one:
<endpoint address="" binding="basicHttpBinding" contract="SilverlightApplication.Web.WCFService" bindingConfiguration="myCustomBasicHttpBinding" />
Using a custom binding allows you to configure buffers and quotas as described in this post. The definition of this custom binding will look something like:
<bindings>
  <basicHttpBinding>
    <binding name="myCustomBasicHttpBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
The <transport clientCredentialType="None"/> is the main point of interest here. If you are using
Forms Authentication, you need to allow anonymous access through IIS and set the
None. If you want to run your application under
Windows Authentication, you should use
xxxx is the corresponding IIS authentication type. So, to work with Integrated Windows/Basic/Digest/NTLM Authentication, the
xxxx should be replaced by
Update: Custom Binary Binding
A similar change is required for a custom binary binding:
<customBinding>
  <binding name="myCustomBinaryBinding">
    <binaryMessageEncoding>
      <readerQuotas ... />
    </binaryMessageEncoding>
    <httpTransport authenticationScheme="Anonymous" ... />
  </binding>
</customBinding>
Again, the point of interest is the authenticationScheme attribute in the httpTransport element, which needs to match the IIS authentication setting (e.g. Anonymous for Forms Authentication, Ntlm/Basic/Digest for Windows Authentication).
This way, the WCF service should work without any problems.
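A pre-deployment check for the settings described above, as an added example that is not part of the original post: it parses a web.config and reports a leftover mex endpoint and any binding whose clientCredentialType or authenticationScheme does not match the intended IIS authentication type. The audit function, the EXPECTED table and the sample config are constructed for illustration; the Ntlm/Basic/Digest values for clientCredentialType are assumed from WCF's HttpClientCredentialType enum.

```python
import xml.etree.ElementTree as ET

# IIS auth type -> (clientCredentialType, authenticationScheme). The Ntlm/Basic/
# Digest clientCredentialType values are assumed from HttpClientCredentialType.
EXPECTED = {
    "forms": ("None", "Anonymous"),
    "ntlm": ("Ntlm", "Ntlm"),
    "basic": ("Basic", "Basic"),
    "digest": ("Digest", "Digest"),
}

def audit(config_xml, iis_auth):
    """Return mismatches between the WCF bindings and the IIS auth type."""
    cred, scheme = EXPECTED[iis_auth]
    root = ET.fromstring(config_xml)
    findings = []
    for ep in root.iter("endpoint"):
        if ep.get("binding") == "mexHttpBinding":
            findings.append("mex endpoint present (requires anonymous access)")
    # Absent attributes fall back to the WCF defaults (None / Anonymous).
    for b in root.findall(".//basicHttpBinding/binding"):
        t = b.find("security/transport")
        actual = "None" if t is None else t.get("clientCredentialType", "None")
        if actual != cred:
            findings.append(f"{b.get('name')}: clientCredentialType={actual}, want {cred}")
    for h in root.findall(".//customBinding/binding/httpTransport"):
        actual = h.get("authenticationScheme", "Anonymous")
        if actual != scheme:
            findings.append(f"httpTransport: authenticationScheme={actual}, want {scheme}")
    return findings

# Constructed sample web.config fragment (not from the post's application).
SAMPLE = """<configuration><system.serviceModel>
  <services><service name="SilverlightApplication.Web.WCFService">
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="myCustomBasicHttpBinding" contract="SilverlightApplication.Web.WCFService"/>
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
  </service></services>
  <bindings>
    <basicHttpBinding><binding name="myCustomBasicHttpBinding">
      <security mode="TransportCredentialOnly"><transport clientCredentialType="None"/></security>
    </binding></basicHttpBinding>
    <customBinding><binding name="myCustomBinaryBinding">
      <binaryMessageEncoding/><httpTransport authenticationScheme="Ntlm"/>
    </binding></customBinding>
  </bindings>
</system.serviceModel></configuration>"""

if __name__ == "__main__":
    print({m: audit(SAMPLE, m) for m in ("forms", "ntlm")})
```

An empty list means the bindings agree with the chosen IIS authentication type and no mex endpoint remains.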