Wcf – Integrated Windows Authentication in WCF on IIS 6.0

Tags: authentication, iis, wcf

I need to implement Integrated Windows Authentication for a WCF service hosted on IIS 6.0 (Windows Server 2003) without certificates. The requirement is to simply authenticate Windows Credentials of users within a particular Active Directory group when they hit the service. The Framework version being used is 3.0.

WCF Configuration:

The following is the "bindings" portion of the web.config file for the service:

<bindings>
  <basicHttpBinding>
    <binding name="Binding1">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

There is no "mex" endpoint.

Even though the virtual directory's as well as the .svc file's security settings have "Integrated Windows Authentication" selected in IIS, the following error occurs when the .svc file is navigated to:

Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service.

The following are the other details of the hosting of the service:

  • The service runs under a separate App Pool
  • The App Pool is running under a separate privileged account configured under the "Identity" tab of the App Pool.

I have seen numerous other questions along these lines, but none of the fixes actually rectifies this problem. Your inputs would be greatly appreciated.

Best Answer

After some digging, I finally discovered that this works if you change "Windows" to "Ntlm". I never could get it to work with Kerberos but you mention not wanting to use certificates anyway.

If you're still having trouble, you might look at what's in the IIS metabase for the site in question under NTAuthenticationProviders. If you want to use only Ntlm, you'll need to set that string to just "NTLM", and you'll need to make sure it says "Ntlm" not "Windows" in your transport clientCredentialType or you'll get the exception you quoted in your original post.

Conversely, if anyone is experiencing this error and they WANT to use Kerberos certificates if available, they should check to see if the metabase NTAuthenticationProviders says "Negotiate,NTLM". This is the default, but is mysteriously different for me on a VM on which I was trying to run a WCF service today (which ultimately brought me to this thread!)
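The answer's rule of thumb is a consistency requirement between two settings: the `clientCredentialType` in web.config and the `NTAuthenticationProviders` string in the IIS 6 metabase. The following is an added example, not code from the question or the answer, that encodes exactly those two rules from the answer ("Ntlm" needs "NTLM" in the metabase string; "Windows" needs the default "Negotiate,NTLM") as a small offline checker. The web.config fragments are constructed from the asker's binding and the answer's fix; the metabase value is passed in as a plain string (on IIS 6 it is normally read with `cscript adsutil.vbs get W3SVC/<site id>/ROOT/NTAuthenticationProviders`, where the site id is a placeholder).

```python
import xml.etree.ElementTree as ET

# Constructed input: the asker's original binding (clientCredentialType="Windows").
WEB_CONFIG_WINDOWS = """<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="Binding1">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
</system.serviceModel>"""

# Constructed input: the same binding after applying the answer's fix ("Ntlm").
WEB_CONFIG_NTLM = WEB_CONFIG_WINDOWS.replace('clientCredentialType="Windows"',
                                             'clientCredentialType="Ntlm"')


def transport_credentials(web_config_xml):
    """Return [(binding name, security mode, clientCredentialType)] for every
    <binding> in the fragment that carries a <security><transport .../> element."""
    root = ET.fromstring(web_config_xml)
    found = []
    for binding in root.iter("binding"):
        security = binding.find("security")
        if security is None:
            continue
        transport = security.find("transport")
        if transport is None:
            continue
        found.append((binding.get("name"),
                      security.get("mode"),
                      transport.get("clientCredentialType")))
    return found


def parse_nt_auth_providers(value):
    """Normalise the metabase string ('Negotiate,NTLM', 'NTLM', ...) into a set
    of upper-cased provider names so case and spacing differences do not matter."""
    return {p.strip().upper() for p in value.split(",") if p.strip()}


def check(web_config_xml, nt_auth_providers):
    """Apply the answer's two rules and return a list of human-readable findings.
    An empty list means the binding and the metabase agree."""
    providers = parse_nt_auth_providers(nt_auth_providers)
    findings = []
    for name, mode, cred in transport_credentials(web_config_xml):
        if mode == "TransportCredentialOnly":
            # Fact, not on the page: this mode sends Windows credentials over an
            # unencrypted channel, so it is only appropriate on a trusted network.
            pass
        if cred == "Ntlm" and "NTLM" not in providers:
            findings.append(
                f"{name}: clientCredentialType=Ntlm but metabase "
                f"NTAuthenticationProviders={sorted(providers)} lacks NTLM")
        elif cred == "Windows" and providers != {"NEGOTIATE", "NTLM"}:
            findings.append(
                f"{name}: clientCredentialType=Windows expects the default "
                f"'Negotiate,NTLM' but metabase has {sorted(providers)}; this is the "
                f"combination that produces the 'require Windows Authentication' error")
    return findings


if __name__ == "__main__":
    # The asker's situation: "Windows" in web.config, metabase set to NTLM only.
    for line in check(WEB_CONFIG_WINDOWS, "NTLM"):
        print("MISMATCH:", line)
    # The answer's fix: "Ntlm" in web.config with a matching metabase value.
    print("after fix:", check(WEB_CONFIG_NTLM, "NTLM") or "consistent")
```

Run it against a real web.config by reading the file contents into `check()` together with the metabase value returned by adsutil.vbs; a non-empty result points at which of the two settings to change.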