How to configure WCF service deployed on IIS and remote client to authenticate from remote client PC?

StackOverflow https://stackoverflow.com/questions/11007724

Question

I'm a noob; please help me understand this authentication config / bindings stuff that confuses me so much.

I have a C# WCF service deployed on IIS 7 on Win 2008. My client is a Windows Forms C# app. My client works just fine when it's running from the same server where the WCF service is running, but when I try to run my client from a remote PC, I get the following exception...

System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service.

I've read a few posts about these issues, and know that my problem is because my service and client are configured to use Windows authentication, which I guess is the default when using Visual Studio to create the service, and to add the service reference to the client. Below is my config before I made any changes, when it was still set to Windows (with irrelevant bits removed)...

Web.Config

<system.web>
    ...
    <authentication mode="Windows"/>
    ...

<system.serviceModel>
    <services>
        <service name="MCLaborServer.LaborService" behaviorConfiguration="MCLaborServer.LaborServiceBehavior">
            <!-- Service Endpoints -->
            <endpoint address="" binding="wsHttpBinding" contract="MCLaborServer.ILaborService">
                <!-- 
          Upon deployment, the following identity element should be removed or replaced to reflect the 
          identity under which the deployed service runs.  If removed, WCF will infer an appropriate identity 
          automatically.
      -->
                <identity>
                    <dns value="localhost"/>
                </identity>
            </endpoint>
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
        </service>
    </services>
    <behaviors>
        <serviceBehaviors>
            <behavior name="MCLaborServer.LaborServiceBehavior">
                <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
                <serviceMetadata httpGetEnabled="true"/>
                <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
                <serviceDebug includeExceptionDetailInFaults="false"/>
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

And from the App.Config on the client...

<system.serviceModel>
    <bindings>
        <wsHttpBinding>
            <binding name="WSHttpBinding_ILaborService" closeTimeout="00:01:00"
                openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
                allowCookies="false">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                <reliableSession ordered="true" inactivityTimeout="00:10:00"
                    enabled="false" />
                <security mode="Message">
                    <transport clientCredentialType="Windows" proxyCredentialType="None"
                        realm="" />
                    <message clientCredentialType="Windows" negotiateServiceCredential="true"
                        algorithmSuite="Default" establishSecurityContext="true" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://<myDnsNameGoesHere>/MCLaborServer/LaborService.svc"
            binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_ILaborService"
            contract="LaborService.ILaborService" name="WSHttpBinding_ILaborService">
            <identity>
                <dns value="localhost" />
            </identity>
        </endpoint>
    </client>
</system.serviceModel>

So, first I changed "authentication mode="None"" in the web.config, and set "security mode="None"" in the client's app.config, and set both the clientCredentialType="None" for message and transport. I also commented out the "identity" sections in both the web.config and client's app.config. That broke it completely though and now the client running locally won't even work; it gives a "The remote server returned an unexpected response: (405) Method Not Allowed" error.

So what can I do to turn security off so that I can connect using a remote client? I do have anonymous access enabled by the way in IIS for my application.

I'd also like to ask, what's the best practice way to configure this so I can make webservice calls on a remote client over the internet in a semi-secure fashion without using SSL or doing anything that would cost money. I'm not really that concerned about security of the data because it's not really sensitive data, but still I'd like to make sure the server isn't open to attacks.

Also, I read that I can use Windows authentication, and then explicitly specify credentials in code, like below. If I do that, will it still work remotely? And if so, does that end up making my Windows credentials for the server be sent over the wire in an insecure fashion, so then I'd be open to getting my credentials hijacked?

SomeService.ServiceClient someService = new SomeService.ServiceClient(); 
someService.ClientCredentials.Windows.ClientCredential.UserName="windowsuseraccountname" 
someService.ClientCredentials.Windows.ClientCredential.Password="windowsuseraccountpassword"

I've read through the following posts / links, but still am confused. Thanks for any help!

WCF error: The caller was not authenticated by the service

How to fix "The caller was not authenticated by the service"?

http://msdn.microsoft.com/en-us/library/aa291347(v=vs.71).aspx

http://www.devx.com/codemag/Article/33342/1763/page/2

Was it helpful?

Solution 2

I fixed this by changing binding to basicHttpBinding, changing authentication to Forms and turning security off.

OTHER TIPS

We ran into similar issues when setting up low security WCF services that ran across domains. One of the biggest problems (if you can call it that) is that WCF is configured to be very secure by default. Because our application was entirely within a secure network, we did not want to have to bother with a lot of complicated certificates. Our workaround was to create a custom binding that allowed us to use username/password authentication for our services without any encryption. We based our implementation off of Yaron Naveh's Clear Username Binding. I would recommend that you have a look at that (and at his blog post introducing it).

Some good resources for learning about WCF Bindings and Security:

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top