Develop Reference

How to pass ASP.NET authentication to a WCF Service

I have a WCF service with basic authentication, which requires a username and password. I am using this service within a thick client and the username and password are stored in the application so can be easily passed.
I now want to use this service with an ASP.NET application. I have security enabled, and it is working fine. I want to know the best way of sending these credentials to my web service. The user name I can get easily using this.User.Identity.Name, but the password is more difficult. Of course I could store it in an encrypted session variable, but is this the right solution? Snippet of code below with the currently hard coded password shown:-
MyServiceClient client = new MyServiceClient();
client.ClientCredentials.UserName.UserName = this.User.Identity.Name;
client.ClientCredentials.UserName.Password = "Password";
BTW: This is my first question after many years of finding answers here, so please go easy on me :-)

To enable the authentication service
If you do not already have an ASP.NET Web application, create one.
Add a service file (.svc) to the Web site that contains the following directive to reference the AuthenticationService class, as shown in the following example:
VB
<%# ServiceHost
Language="VB"
Service="System.Web.ApplicationServices.AuthenticationService"
Factory="System.Web.ApplicationServices.ApplicationServicesHostFactory" %>
C#
<%# ServiceHost
Language="C#"
Service="System.Web.ApplicationServices.AuthenticationService"
Factory="System.Web.ApplicationServices.ApplicationServicesHostFactory" %>
Make the following configuration settings in the Web.config file to configure the service and to require SSL:
Enable the authentication service in the authenticationService element.
Define the endpoint contract in the services element and the service behavior in the behaviors element. Include the bindingNamespace property in the endpoint contract as shown in the following example in order to prevent an exception in some proxy generation tools. For more information about WCF endpoints, see Windows Communication Foundation Endpoints.
Configure the serviceHostingEnvironment element for ASP.NET compatibility. For more information about hosting WCF services, see WCF Services and ASP.NET.
Create a binding in the bindings element that requires SSL. For more information about transport security in WCF, see Transport Security.
The following example shows the system.serviceModel element from a Web.config file that shows the configuration settings described in the previous list.
<system.web.extensions>
<scripting>
<webServices>
<authenticationService enabled="true"
requireSSL = "true"/>
</webServices>
</scripting>
</system.web.extensions>
<system.serviceModel>
<services>
<service name="System.Web.ApplicationServices.AuthenticationService"
behaviorConfiguration="AuthenticationServiceTypeBehaviors">
<endpoint contract=
"System.Web.ApplicationServices.AuthenticationService"
binding="basicHttpBinding"
bindingConfiguration="userHttps"
bindingNamespace="http://asp.net/ApplicationServices/v200"/>
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="userHttps">
<security mode="Transport" />
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="AuthenticationServiceTypeBehaviors">
<serviceMetadata httpGetEnabled="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment
aspNetCompatibilityEnabled="true"/>
</system.serviceModel>
To configure forms authentication
In the Web.config file, configure the Web application to use forms authentication.
The following example shows the authentication element in a Web.config file that is configured to use forms authentication.
<authentication mode="Forms">
<forms cookieless="UseCookies" />
</authentication>
The authentication service requires cookies. Therefore, in the authentication element, set the cookieless attribute to "UseCookies". For more information, see ASP.NET Forms Authentication Overview.
Security
If you are passing sensitive user data such as authentication credentials, always access the authentication service over the secure sockets layer (SSL, by using HTTPS protocol). For information about how to set up SSL, see Configuring Secure Sockets Layer (IIS 6.0 Operations Guide).

I set up my SDL Tridion 2011 instance to run with multiple host headers and now the Core Service doesn't work. How do I fix it?

I recently configured my SDL Tridion 2011 CME to use multiple host headers. To enable the CME to load I set WCF.RedirectTo in the appropriate web.config. However, my Core Service no longer works. I get the following error:
WebHost failed to process a request.
Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/63835064
Exception: System.ServiceModel.ServiceActivationException: The service '/webservices/CoreService.svc' cannot be activated due to an exception during compilation. The exception message is: This collection already contains an address with scheme http. There can be at most one address per scheme in this collection. If your service is being hosted in IIS you can fix the problem by setting 'system.serviceModel/serviceHostingEnvironment/multipleSiteBindingsEnabled' to true or specifying 'system.serviceModel/serviceHostingEnvironment/baseAddressPrefixFilters'.
Parameter name: item. ---> System.ArgumentException: This collection already contains an address with scheme http. There can be at most one address per scheme in this collection. If your service is being hosted in IIS you can fix the problem by setting 'system.serviceModel/serviceHostingEnvironment/multipleSiteBindingsEnabled' to true or specifying 'system.serviceModel/serviceHostingEnvironment/baseAddressPrefixFilters'.
How do I fix this?

You can enabled the multiple site bindings by editing the web.config for the Tridion UI and the Core Service:
Open the web.config in [Tridion Install Folder]\web\WebUI\WebRoot\
Find the serviceHostingEnvironment section Add a new attribute to that node for multipleSiteBindingsEnabled="true"
This should then look like <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true">
Save the file
Open the web.config in [Tridion Install Folder]\webservices\
Find the serviceHostingEnvironment section
Add a new attribute to that node for multipleSiteBindingsEnabled="true" This should then look like <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true">
Save the file
If you don't want to enable it for all URL's you can enable it for specific ones like:
<system.serviceModel>
<serviceHostingEnvironment>
<baseAddressPrefixFilters>
<add prefix="http://test1.tridion.com"/>
<add prefix="http://test2.tridion.com"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
</system.serviceModel>

Hosting WCF Web Serveic on Windows Server 2003

Getting the following err...
Server Error in '/' Application. IIS
specified authentication schemes
'IntegratedWindowsAuthentication,
Anonymous', but the binding only
supports specification of exactly one
authentication scheme. Valid
authentication schemes are Digest,
Negotiate, NTLM, Basic, or Anonymous.
Change the IIS settings so that only a
single authentication scheme is used.
Description: An unhandled exception
occurred during the execution of the
current web request. Please review the
stack trace for more information about
the error and where it originated in
the code.
Exception Details:
System.InvalidOperationException: IIS
specified authentication schemes
'IntegratedWindowsAuthentication,
Anonymous', but the binding only
supports specification of exactly one
authentication scheme. Valid
authentication schemes are Digest,
Negotiate, NTLM, Basic, or Anonymous.
Change the IIS settings so that only a
single authentication scheme is used.
Source Error:
An unhandled exception was generated
during the execution of the current
web request. Information regarding the
origin and location of the exception
can be identified using the exception
stack trace below.
Stack Trace:
[InvalidOperationException: IIS
specified authentication schemes
'IntegratedWindowsAuthentication,
Anonymous', but the binding only
supports specification of exactly one
authentication scheme. Valid
authentication schemes are Digest,
Negotiate, NTLM, Basic, or Anonymous.
Change the IIS settings so that only a
single authentication scheme is used.]
System.ServiceModel.Web.WebServiceHost.SetBindingCredentialBasedOnHostedEnvironment(ServiceEndpoint
serviceEndpoint, AuthenticationSchemes
supportedSchemes) +446264
System.ServiceModel.Web.WebServiceHost.AddAutomaticWebHttpBindingEndpoints(ServiceHost
host, IDictionary`2
implementedContracts, String
multipleContractsErrorMessage) +709
System.ServiceModel.Web.WebServiceHost.OnOpening()
+203 Microsoft.ServiceModel.Web.WebServiceHost2.OnOpening()
in
e:\bt\3781\Microsoft.ServiceModel.Web\Microsoft.ServiceModel.Web\WebServiceHost2.cs:69
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan
timeout) +229
System.ServiceModel.HostingManager.ActivateService(String
normalizedVirtualPath) +121
System.ServiceModel.HostingManager.EnsureServiceAvailable(String
normalizedVirtualPath) +479
[ServiceActivationException: The
service '/Service.svc' cannot be
activated due to an exception during
compilation. The exception message
is: IIS specified authentication
schemes
'IntegratedWindowsAuthentication,
Anonymous', but the binding only
supports specification of exactly one
authentication scheme. Valid
authentication schemes are Digest,
Negotiate, NTLM, Basic, or Anonymous.
Change the IIS settings so that only a
single authentication scheme is
used..]
System.ServiceModel.AsyncResult.End(IAsyncResult
result) +11599786
System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult
result) +194
System.ServiceModel.Activation.HostedHttpRequestAsyncResult.ExecuteSynchronous(HttpApplication
context, Boolean flowContext) +176
System.ServiceModel.Activation.HttpModule.ProcessRequest(Object
sender, EventArgs e) +278
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
+68 System.Web.HttpApplication.ExecuteStep(IExecutionStep
step, Boolean& completedSynchronously)
+75
Version Information: Microsoft .NET
Framework Version:2.0.50727.3615;
ASP.NET Version:2.0.50727.3618

According to your error above, you have IIS authentication configured on your Windows 2003 machine to allow two different types of authentication (integrated & anonymous). Change it to one type of authentication - the one that matches your WCF configuration. I'm guessing you only want anonymous (and not integrated) enabled in the IIS configuration, but that's your design choice..

Windows Authentication in IIS 7.5 Fails with Trust Relationship Exception

I have an ASP.Net 2.0 application that uses integrated Windows Authentication to authenticate/authorize users. The application works fine on Windows XP/IIS 5.1, Windows Server 2008/IIS 7, and Windows Vista/IIS 7. When I try to run this application on Windows 7/IIS 7.5, I get the following exception: The trust relationship between this workstation and the primary domain failed.
The stack trace is as follows:
[SystemException: The trust relationship between this workstation and the primary domain failed.
]
System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed) +1085
System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess) +46
System.Security.Principal.WindowsPrincipal.IsInRole(String role) +128
System.Web.Configuration.AuthorizationRule.IsTheUserInAnyRole(StringCollection roles, IPrincipal principal) +229
System.Web.Configuration.AuthorizationRule.IsUserAllowed(IPrincipal user, String verb) +354
System.Web.Configuration.AuthorizationRuleCollection.IsUserAllowed(IPrincipal user, String verb) +245
System.Web.Security.UrlAuthorizationModule.OnEnter(Object source, EventArgs eventArgs) +11153304
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
The web.config file contains the following information related to authentication/authorization:
<authentication mode="Windows" />
<authorization&gt
<!--Deny anonymous users--&gt
<deny users="?"/&gt
<allow roles="domain\GroupWithAccess"/&gt
<deny users="*"/&gt
</authorization&gt
Most of the results I found when researching this error state that the problem is related to a broken computer account in the domain and list the solution as re-joining the domain. I've done this but the error still appears. "Normal" domain operations work fine (accessing UNC shares, logging in, etc.).
This application runs in the Classic .Net AppPool for compatibility reasons. I tried changing the identity of the AppPool to "NetworkService" but the error still persists.
Any help is greatly appreciated.

I finally found an answer to this after experiencing the same problem on Windows Server 2008 R2. From this article:
Disable the following policies on the Windows 2008 R2 server, run gpupdate /force and restart the server.
"Computer Configuration\Windows Setting\Security Settings\Local Policies\Security Option"
Domain Member: Digitally encrypt or sign secure channel data (always)
Domain Member: Digitally encrypt secure channel data (When possible)
Domain Member: Digitally sign secure channel data (When possible)
I can confirm that this fixed the problem on Windows 7 as well.

I'm adding this for future reference:
"Error 1789 when you use the LookupAccountName function on a computer that is running Windows 7 or Windows Server 2008 R2"
http://support.microsoft.com/kb/976494
That might be a solution to the problem as well.

Public WCF service requires authentication, despite no security being specified

I have published a WCF service (MyService.svc) on an ASP.NET site, in a sub-folder called WebServices.
When running on the local ASP.NET web server it works fine. When published to an IIS-run site and I try to access, for example, /WebServices/MyService.svc/jsdebug, I get 401 Unauthorized. The rest of the site works fine.
Does anyone have any idea why?
Here are the contents of MyService.svc:
<%#ServiceHost
Language="C#"
Debug="true"
Service="MyApp.Core.MyService, MyApp.Core"
Factory="System.ServiceModel.Activation.WebScriptServiceHostFactory"
%>
MyApp.Core.MyService is a class implementing IMyService (which has the attribute ServiceContract and method declarations with the attribute OperationContract).

By default, a WCF service will do Windows authentication unless configured otherwise. I think the following should do the trick:
<bindings>
<wsHttpBinding>
<binding name="wsHttp">
<security mode="None"/>
</binding>
</wsHttpBinding>
</bindings>
..and configure your endpoint to use this binding config.

There are 3 possible places where the call is getting blocked:
The IIS Settings, check that anonymous authentication is enabled
NTFS File access settings, check that the user that is the identity of the application pool has read access.
the web.config, check that authentication mode is None.
All of the above are before it gets to what could be blocking it in the WCF configuration. But from your comment to blowdart it looks like you have not configured WCF security.
Check also your IIS log for 401 errors. And check if this post is relevant.

And what does the web.config say? Do you have authentication there, either on the service itself, or the directory? Is transport security on or off? Message security?
The svc files do not configure security, that's part of the config file