WCF Exception: Security settings for this service require ‘Anonymous’ Authentication but it is not enabled for the IIS application that hosts this service


Windows authentication is well suited for scenarios in which your users have domain credentials. Using basicHttpBinding with TransportCredentialOnly security mode option, users are authenticated by using Windows authentication.

Here is an article described how to implement this.

How to: Use basicHttpBinding with Windows Authentication and TransportCredentialOnly in WCF from Windows Forms

http://msdn.microsoft.com/en-us/library/ff648505.aspx

These two blogs written by well-known WCF experts described the same scenario as well.

Preventing Anonymous Access

http://blogs.msdn.com/b/drnick/archive/2007/03/23/preventing-anonymous-access.aspx

http://blogs.msdn.com/b/wenlong/archive/2006/05/18/600603.aspx

However, customer got follow error using .Net 4.0 even follow the exactly same steps.

[NotSupportedException: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.]

   System.ServiceModel.Activation.HostedAspNetEnvironment.ValidateHttpSettings(String virtualPath, Boolean isMetadataListener, Boolean usingDefaultSpnList, AuthenticationSchemes& supportedSchemes, ExtendedProtectionPolicy& extendedProtectionPolicy, String& realm) +194425

   System.ServiceModel.Channels.HttpChannelListener.ApplyHostedContext(String virtualPath, Boolean isMetadataListener) +104

   System.ServiceModel.Channels.HttpTransportBindingElement.BuildChannelListener(BindingContext context) +156

   System.ServiceModel.Channels.Binding.BuildChannelListener(Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters) +166

   System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession) +393

   System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result) +583

   System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost) +2020

   System.ServiceModel.ServiceHostBase.InitializeRuntime() +82

   System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +64

   System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +789

   System.ServiceModel.HostingManager.ActivateService(String normalizedVirtualPath) +287

   System.ServiceModel.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath) +1132

 
[ServiceActivationException: The service '/BasicHttpWithTransportCredentialOnly/Service.svc' cannot 
be activated due to an exception during compilation.  
The exception message is: Security settings for this service require 'Anonymous' Authentication 
but it is not enabled for the IIS application that hosts this service..]
   System.Runtime.AsyncResult.End(IAsyncResult result) +900320
   System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result) +189486
   System.Web.AsyncEventExecutionStep.OnAsyncEventCompletion(IAsyncResult ar) +107

It works after enabled anonymous authentication on IIS, however, it turns out that client was accessing the service anonymously instead of expected windows authentication.

We turned on WCF trace, and found WCF runtime failed to find the service defined in the web.config. Here is the screenshot of this error.

The problem is due to a typo in service name defined the web.config. When configure the service side, one key point is the service name. This attribute must be exactly same with the service defined in the .svc file. For example:

The SVC file defined like this:

<%@ ServiceHost Language="C#" Debug="true" Service="testService.Service" CodeBehind="~/App_Code/Service.cs" %>

The service name must be exactly same(case sensitive), otherwise, WCF failed load the service, and in turn, uses the default settings introduced by .Net 4.0. For basicHttpBinding, the default security mode is anonymous.

<services>

      <service name="testService.Service">

        <endpoint name="myService" address="" binding="basicHttpBinding" contract="testService.IService">

        </endpoint>

      </service>

    </services>

 

See you next time,

Wei from APGC DSI Team

Comments (2)

  1. Ido Flatow says:

    I encounter this problem a lot in the MSDN's WCF forum.

    After answering the same answer every couple of days ("check your service name in the configuration") I ended up writing about it in my blog for future reference:

    blogs.microsoft.co.il/…/wcf-configuration-using-the-correct-service-name.aspx

  2. Mike Gledhill says:

    Just to add, I had this error, as somehow, my web.config had been left without an authentication tag at all.   I could fix the issue by adding:

     <system.web>

       <authentication mode="Windows" />

       . . .

     </system.web>

Skip to main content