WCF - Windows authentication - Security settings require Anonymous

Question

I am struggling hard with getting WCF service running on IIS on our server. After deployment I end up with an error message:

Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

I want to use Windows authentication and thus I have Anonymous access disabled. Also note that there is aspNetCompatibilityEnabled (if that makes any difference).

Here's my web.config:

<system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <bindings>
        <webHttpBinding>
            <binding name="default">
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows" proxyCredentialType="Windows"/>
                </security>
            </binding>
        </webHttpBinding>
    </bindings>
    <behaviors>
        <endpointBehaviors>
            <behavior name="AspNetAjaxBehavior">
                <enableWebScript />
                <webHttp />
            </behavior>
        </endpointBehaviors>
        <serviceBehaviors>
            <behavior name="defaultServiceBehavior">
                <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
                <serviceDebug includeExceptionDetailInFaults="true" />
                <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
            </behavior>
        </serviceBehaviors>
    </behaviors>
    <services>
        <service name="xxx.Web.Services.RequestService" behaviorConfiguration="defaultServiceBehavior">
            <endpoint behaviorConfiguration="AspNetAjaxBehavior" binding="webHttpBinding"
             contract="xxx.Web.Services.IRequestService" bindingConfiguration="default">
            </endpoint>
            <endpoint address="mex" binding="mexHttpBinding" name="mex" contract="IMetadataExchange"></endpoint>
        </service>
    </services>
</system.serviceModel>

I have searched all over the internet with no luck. Any clues are greatly appreciated.

Answer 1

So it seems like pretty common issue. The point is to remove mex from your bindings:

<endpoint address="mex" binding="mexHttpBinding" name="mex" contract="IMetadataExchange"></endpoint>

Alternativelly you enable Anonymous access in IIS and in your web.config you make sure anonymous access is denied.

Hope this will help some other soul. (I was 100% sure I tried it with mex removed. :-O )

Answer 2

You may check this one. I managed to make it work as expected.

<configuration>
  ...
  <system.serviceModel>
    ...
    <bindings>
      <basicHttpBinding>
        <binding>
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    ...
  </system.serviceModel>
  ...
</configuration>

Answer 3

just use your service bindings for mex too.

So change your current config :

<endpoint address="mex" binding="mexHttpBinding" name="mex" contract="IMetadataExchange"></endpoint>

to

<endpoint address="mex" binding="webHttpBinding" bindingConfiguration="default" name="mex" contract="IMetadataExchange"></endpoint>

That should solve the problem

Answer 4

Anonymous authentication can, and in some cases must be enabled for the service but not for the site.

So check that your site's "root" authentication has only Windows Authentication enabled. Then expand your site, select 'service' folder and make sure that your service has Windows and Anonymous Authentication enabled.

I had identical environment where this worked, only difference in these environments was the service's authentication. Problem in my case was not caused be selected providers (Ntlm or Negotiate) but the authentication settings for site and service.

At least I had identical error message with basic MSSQL Master Data Services web site & service and this was the solution. I did get the error when running just the service but the site worked almost ok, MDS Explorer did not work because service's authentication settings were wrong at first. Cause of this miss-configuration might be a bug in MDS Configuration Manager when creating new MDS site?

So in my case the problem was not to be fixed by doing any special editing to the web.config nor the ApplicationHost.config files, I didn't do any editing the config files. Just selected the correct authentication settings for the web site and it's service in IIS manager. I am not sure that this is the case in here, but maybe worth to try?

Answer 5

It worked for me when I remove 'mex' endpoint and also set clientCredentialType = 'Ntlm' I was hosting my WCF inside SharePoint.

Answer 6

Yes, it looks like you need to remove the mex endpoint completely. Setting

<serviceMetadata httpGetEnabled="false"/>

alone did not work. Thanks!

Answer 7

Additional solution:

You just have to make sure that the Service name and contract are correct.

Hope it helps in some way.

Answer 8

It appears this MEX binding issue was fixed in .NET 4.0. Changing our server's App Pool .NET CLR version from 2.0 to 4.0 cleared up the issue.