APEXA, LLC

WCF Secure Services & Message Security Modes

Blog Date: Friday, September 12, 2008


WCF supports three types of security:

  • Transport Security
  • Mixed-Mode Security
  • Message Security

Let's discuss the various Security Modes below. 

Transport Security is applied at the transport byte stream below the message layer. The message does not have a Security header and the message does not carry any user authentication data. It is the least flexible in terms of WS-Security usage and it is highly dependent on the transport. It is the fastest in terms of performance.
<security mode="Transport">

Message Security is applied at the message layer and it is transport independent. It is a point to point security model with maximum flexibility in terms of having the message routed over different transports. WS-Security defines different ways to secure a message and the tokens that can be used. Message Security provides the maximum flexibility in terms of that as well. Message Security is slowest in terms of performance.
<security mode="Message">

Mixed-Mode Security is a hybrid between Transport and Message Security. The transport is encrypted and the message contains some user authentication tokens. If the token can provide a key (i.e., it is not a username/password token), then it will sign the timestamp in the security header. If the client token is an asymmetric token, then the 'To' header will be signed as well. It is faster than Message Security.
<security mode="TransportWithMessageCredential">

This discusses the Common Security Scenarios of Windows Communication Foundation:
http://msdn.microsoft.com/en-us/library/ms730301.aspx

 

Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

I have seen people struggle while configuring Integrated Windows Authentication for their IIS-hosted WCF service and get the above exception. Two settings are required to make this work.

  • First, enable Integrated Windows Authentication on IIS
  • Set the clientCredentialType to Windows

Here is a sample binding to enable Windows authentication in IIS.

<bindings>
  <basicHttpBinding>
    <binding name="basicHttpBinding IMyService">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

However, even after making these two changes you might still get the exception. The prime reason is that one of the service endpoints (most likely the MEX endpoint) still requires anonymous access while it is disabled in IIS.

Why mostly the MEX endpoint?

Because the default settings of mexHttpBinding allow anonymous access by setting clientCredentialType to None. So if you have a mex endpoint and you are using the out-of-the-box mexHttpBinding, you will get the above exception.

A simple fix is to use the same secured binding, in this case basicHttpBinding IMyService, for the mex endpoint as well, or to create a new binding for the mex endpoint that disables anonymous access.
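To find the offending endpoint before deploying, the configuration can be checked mechanically. The script below is an added example, not code from the original post: it parses a constructed sample config and lists every endpoint whose HTTP transport credential resolves to None, which is the condition behind the exception above. The service and contract names are hypothetical, and the check is a heuristic limited to the basicHttpBinding/mexHttpBinding case discussed here (a binding with no explicit transport credential is treated as anonymous).

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the original post): the post's secured binding on
# the service endpoint, next to an out-of-the-box mexHttpBinding endpoint.
SAMPLE_CONFIG = """
<configuration><system.serviceModel>
  <bindings><basicHttpBinding>
    <binding name="basicHttpBinding IMyService">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>
  </basicHttpBinding></bindings>
  <services>
    <service name="Example.MyService">
      <endpoint address="" binding="basicHttpBinding"
                bindingConfiguration="basicHttpBinding IMyService"
                contract="Example.IMyService"/>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
    </service>
  </services>
</system.serviceModel></configuration>
"""

# Security modes in which the HTTP transport itself authenticates the client.
TRANSPORT_AUTH_MODES = {"Transport", "TransportCredentialOnly"}

def transport_credential(model, kind, cfg_name):
    """Transport clientCredentialType for an endpoint; assumes unset means "None"."""
    for binding in model.findall(f"bindings/{kind}/binding"):
        if binding.get("name") != cfg_name:
            continue
        sec, transport = binding.find("security"), binding.find("security/transport")
        if transport is not None and sec.get("mode") in TRANSPORT_AUTH_MODES:
            return transport.get("clientCredentialType", "None")
    return "None"

def anonymous_endpoints(config_xml):
    """List (service, address, binding) for endpoints that need Anonymous access."""
    model = ET.fromstring(config_xml).find("system.serviceModel")
    findings = []
    for service in model.iter("service"):
        for ep in service.iter("endpoint"):
            kind = ep.get("binding")
            cred = transport_credential(model, kind, ep.get("bindingConfiguration"))
            if cred == "None":
                findings.append((service.get("name"), ep.get("address"), kind))
    return findings
```

Calling `anonymous_endpoints(SAMPLE_CONFIG)` reports only the mex endpoint; pointing that endpoint at the secured binding configuration, as the fix above describes, clears the finding.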

Great Microsoft Article on Securing Services

http://msdn.microsoft.com/en-us/library/ms734769.aspx



Monday, September 15, 2008 3:46:06 PM
