wcfsslwcf-bindingwcf-securitybasichttpbinding

How can I use WCF with the basichttpbinding only , SSL and Basic Authentication in IIS?


Is it possible to setup a WCF service with SSL and Basic Authentication in IIS using only the BasicHttpBinding-binding?
(I can’t use the wsHttpBinding-binding)

The site is hosted on IIS 7, with the following authentication set up:


Service Config:

<services>
  <service name="NameSpace.SomeService">
    <host>
      <baseAddresses>
        <add baseAddress="https://hostname/SomeService/" />
      </baseAddresses>

    </host>
    <!-- Service Endpoints -->
    <endpoint address="" binding="basicHttpBinding"
              bindingNamespace="http://hostname/SomeMethodName/1"
              contract="NameSpace.ISomeInterfaceService"
              name="Default"
                      />
    <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior>
      <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
      <serviceMetadata httpsGetEnabled="true"/>
      <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
      <serviceDebug includeExceptionDetailInFaults="false"/>
      <exceptionShielding/>
    </behavior>
  </serviceBehaviors>
</behaviors>

I tried 2 types of bindings with two different errors:

Does anyone know how to configure this correctly? (if is it possible?)


Solution

  • After some digging and asking some questions to a few colleagues, we finally solved the problem.

    Important to understand is there are 2 aspects of security in this case. The IIS security and the WCF security.

    IIS security: Enable SSL & enable Basic Authentication. Disable Anonymous Authentication. (Of course, create a windows account/group and set the permissions on your application in IIS.)

    WCF security: Because the binding is only a BasicHttpBinding, the service doesn't require to valid anything. IIS is responsible for this.

    The binding configuration of the service:

    <bindings>
      <basicHttpBinding>
         <binding>
            <security mode="Transport">
               <transport clientCredentialType="Basic" />
            </security>
         </binding>
      </basicHttpBinding>
    

    And finally, to resolve the first error, we deleted the mex Endpoint. This endpoint requires a HTTP binding.

    Deleted:

    <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>