WCF Exception: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service

Windows authentication is well suited for scenarios in which your users have domain credentials. With basicHttpBinding and the TransportCredentialOnly security mode, users are authenticated by using Windows authentication.

The following article describes how to implement this.

How to: Use basicHttpBinding with Windows Authentication and TransportCredentialOnly in WCF from Windows Forms

https://msdn.microsoft.com/en-us/library/ff648505.aspx

These two blog posts, written by well-known WCF experts, describe the same scenario as well.

Preventing Anonymous Access

https://blogs.msdn.com/b/drnick/archive/2007/03/23/preventing-anonymous-access.aspx

https://blogs.msdn.com/b/wenlong/archive/2006/05/18/600603.aspx

However, a customer got the following error on .NET 4.0 even after following exactly the same steps.

[NotSupportedException: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.]

   System.ServiceModel.Activation.HostedAspNetEnvironment.ValidateHttpSettings(String virtualPath, Boolean isMetadataListener, Boolean usingDefaultSpnList, AuthenticationSchemes& supportedSchemes, ExtendedProtectionPolicy& extendedProtectionPolicy, String& realm) +194425

   System.ServiceModel.Channels.HttpChannelListener.ApplyHostedContext(String virtualPath, Boolean isMetadataListener) +104

   System.ServiceModel.Channels.HttpTransportBindingElement.BuildChannelListener(BindingContext context) +156

   System.ServiceModel.Channels.Binding.BuildChannelListener(Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters) +166

   System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession) +393

   System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result) +583

   System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost) +2020

   System.ServiceModel.ServiceHostBase.InitializeRuntime() +82

   System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +64

   System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +789

   System.ServiceModel.HostingManager.ActivateService(String normalizedVirtualPath) +287

   System.ServiceModel.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath) +1132

  
 
 [ServiceActivationException: The service '/BasicHttpWithTransportCredentialOnly/Service.svc' cannot 
 be activated due to an exception during compilation.  
 The exception message is: Security settings for this service require 'Anonymous' Authentication 
 but it is not enabled for the IIS application that hosts this service..] 
    System.Runtime.AsyncResult.End(IAsyncResult result) +900320
    System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result) +189486
    System.Web.AsyncEventExecutionStep.OnAsyncEventCompletion(IAsyncResult ar) +107
 

The service works after anonymous authentication is enabled in IIS; however, it turned out that the client was then accessing the service anonymously instead of using the expected Windows authentication.

We turned on WCF tracing and found that the WCF runtime failed to find the service defined in web.config. Here is the screenshot of this error.

The problem was due to a typo in the service name defined in web.config. When configuring the service side, one key point is the service name. This attribute must be exactly the same as the service defined in the .svc file. For example:

The .svc file is defined like this:

<%@ ServiceHost Language="C#" Debug="true" Service="testService.Service" CodeBehind="~/App_Code/Service.cs" %>

The service name must be exactly the same (it is case sensitive); otherwise, WCF fails to load the service and, in turn, uses the default settings introduced by .NET 4.0. For basicHttpBinding, the default security mode is anonymous.

<services>
  <service name="testService.Service">
    <endpoint name="myService" address="" binding="basicHttpBinding" contract="testService.IService">
    </endpoint>
  </service>
</services>
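A pre-deployment check for the mismatch described above, as an added PowerShell example that is not part of the original post. The helper name Test-WcfServiceName and both sample inputs are constructed for illustration; the web.config sample carries a deliberate case typo.

```powershell
# Constructed sample inputs (not the customer's files).
$svcText = '<%@ ServiceHost Language="C#" Debug="true" Service="testService.Service" CodeBehind="~/App_Code/Service.cs" %>'

# web.config with a case typo in the service name, as in the incident above.
[xml]$config = @'
<configuration>
  <system.serviceModel>
    <services>
      <service name="TestService.Service">
        <endpoint name="myService" address="" binding="basicHttpBinding"
                  contract="testService.IService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
'@

# Hypothetical helper: compares the .svc Service attribute with every
# <service name="..."> in web.config using a case-sensitive comparison.
function Test-WcfServiceName {
    param([string]$SvcDirective, [xml]$WebConfig)

    if ($SvcDirective -notmatch '<%@\s*ServiceHost\b[^%]*\bService\s*=\s*"([^"]+)"') {
        throw 'No Service attribute found in the @ServiceHost directive.'
    }
    $svcName = $Matches[1]

    $nodes = $WebConfig.SelectNodes('/configuration/system.serviceModel/services/service')
    $names = @($nodes | ForEach-Object { $_.GetAttribute('name') })

    [pscustomobject]@{
        SvcService = $svcName
        Match      = [bool]($names | Where-Object { $_ -ceq $svcName })
        # Names that differ only by case: the typo class described above.
        NearMiss   = @($names | Where-Object { $_ -ieq $svcName -and $_ -cne $svcName })
    }
}

$result = Test-WcfServiceName -SvcDirective $svcText -WebConfig $config
if (-not $result.Match) {
    Write-Warning ("web.config has no <service name=""{0}"">; WCF will use the .NET 4.0 default settings. Near misses: {1}" -f $result.SvcService, ($result.NearMiss -join ', '))
}
$result
```

Against real files, load the inputs with `Get-Content -Raw Service.svc` and `[xml](Get-Content -Raw web.config)`.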

 

See you next time,

Wei from APGC DSI Team