Configuring IIS for Transport Security

I'm hosting a WCF application in IIS that uses transport security. How do I configure the security settings for my Virtual Directory (VDir)?

The general model that we try to promote in WCF is that if a setting is shared between multiple places, the value of the setting has to match in all of those places. For instance, if you're sharing a TCP socket between multiple users, then the socket options that each user specifies have to match. This is probably the safest model for shared resources. Another model would be that the first one to specify the settings wins, but that introduces ambiguity. Being the first one to do something depends on both timing and implementation-specific details, such as how granularly we chose to share resources. These aren't things you want to rely on if your goal is to build a reliable application. There are cases where we are lax in enforcing that shared-settings policy in order to be more forgiving of common programming mistakes. An example is that after we establish a TCP connection to a particular address, it doesn't make sense to send a message over that connection to some other address. There isn't any way to redirect the TCP connection on a per-message basis. However, we don't filter on the addressing headers of messages going through that channel, because we're going to strip the addressing information out anyway before delivery. The likely reason that those headers are there is that you accidentally copied them from another message.

That was a long digression. In this case, the security settings in IIS have to match the security settings you specify in WCF. If your binding does not specify the use of HTTP authentication, then your VDir needs to be configured to accept anonymous authentication. If your binding specifies the use of Windows credentials, then your VDir needs to be configured to accept integrated authentication. When the settings don't match, you're generally going to get a poor experience. Make sure that the person deploying your application to the web server knows which settings they'll need to configure.
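As an added illustration (not configuration from the original post), here is what "the settings have to match" looks like in configuration for one VDir: the WCF binding asks for Windows credentials over HTTPS, so the IIS side of the same VDir requires SSL, enables integrated authentication and disables anonymous access. The IIS 7+ `system.webServer` schema and the service and contract names `Example.OrderService` / `Example.IOrderService` are assumptions.

```xml
<!-- Added example, not from the original post. Assumes the IIS 7+ configuration
     schema (system.webServer); the service and contract names are constructed. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- WCF side: HTTPS transport, caller authenticated with Windows credentials -->
        <binding name="WindowsOverHttps">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="Example.OrderService">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="WindowsOverHttps"
                  contract="Example.IOrderService" />
      </service>
    </services>
  </system.serviceModel>

  <!-- IIS side for the same VDir: these values must match the binding above.
       Windows credentials in the binding => integrated authentication on, anonymous off.
       For clientCredentialType="None" the reverse applies: anonymous on, Windows off. -->
  <system.webServer>
    <security>
      <!-- mode="Transport" means the endpoint is HTTPS-only, so require SSL -->
      <access sslFlags="Ssl" />
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

In IIS 7+ the `security/access` and `security/authentication` sections are locked at the server level by default, so a web.config that sets them is rejected until the administrator unlocks them or applies the same values in applicationHost.config; this is exactly the hand-off to the deploying person that the post describes.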

Next time: Asymmetry Between Listeners and Factories