I am creating a web service (WCF) that can be added as a service reference to an existing ASP.NET website. I've created the web service as a website project that uses the service as a DLL extension following this tutorial: http://www.codeproject.com/Articles/531332/Implementing-a-Basic-Hello-World-WCF-Service-v
The web service is going to be hosted on an intranet web server that requires the use of HTTPS. I can browse to the web service and get the wsdl via web browser, but when I try to run any of the methods from the service, I get:
The remote server returned an error: (401) Unauthorized.
I guess I am just confused on how to properly setup the web service on IIS so that it uses Windows authentication. Also I am not sure once I have it using Windows Authentication, where do I setup the access restrictions?
Here's what my web.config looks like for the web service so far:
<?xml version="1.0"?> <!-- root node --> <configuration> <!-- Default configuration from Website template --> <system.web> <compilation debug="true" targetFramework="4.5" /> <httpRuntime targetFramework="4.5" /> </system.web> <!-- Configuration code for WCF Service --> <system.serviceModel> <!-- specify hosting environment --> <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true"> <!-- Specify service name and its relative address. Allows you to define virtual service activation settings that map WCF Service types. Makes it possible to activate services hosted in WAS/IIS without a .svc file. --> <serviceActivations> <add factory="System.ServiceModel.Activation.ServiceHostFactory" relativeAddress="~/ADUserMaintenanceService.svc" service="ADUserMaintenanceService.ADUserMaintenanceService"/> </serviceActivations> </serviceHostingEnvironment> <!--BINDINGS--> <bindings> <basicHttpsBinding> <binding name="BasicHttpsBindingConfig"> <security mode="Transport"> <transport clientCredentialType="Windows" proxyCredentialType="Windows" /> </security> </binding> <binding name="mexHttpBinding"> <security mode="Transport"> <transport clientCredentialType="Windows" proxyCredentialType="Windows" /> </security> </binding> </basicHttpsBinding> </bindings> <!--BEHAVIORS--> <behaviors> <!--SERVICE BEHAVIORS--> <serviceBehaviors> <behavior name="ServiceBehaviorConfig"> <!-- Enables service metadata exchange for the service. Essential to let other applications locate the metadata of this service via HTTP. Without the metadata, client applications can't generate the proxy and thus won't be able to use the service. --> <serviceMetadata httpsGetEnabled="true" /> <serviceDebug includeExceptionDetailInFaults="true" /> </behavior> </serviceBehaviors> <!--ENDPOINT BEHAVIORS--> <endpointBehaviors> <behavior name="EndpointBehaviorConfig"> </behavior> </endpointBehaviors> </behaviors> <!--SERVICES--> <services> <service name="ADUserMaintenanceService.ADUserMaintenanceService" behaviorConfiguration="ServiceBehaviorConfig"> <endpoint address="" binding="basicHttpsBinding" contract="ADUserMaintenanceService.IADUserMaintenanceService" name="BasicHttpsEndpoint" behaviorConfiguration="EndpointBehaviorConfig" bindingConfiguration="BasicHttpsBindingConfig" /> <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" /> </service> </services> </system.serviceModel> </configuration>
And here is the web.config for the asp.net website after I've added the service as a reference (automatic from Visual Studio):
<system.serviceModel> <bindings> <basicHttpBinding> <binding name="BasicHttpsEndpoint"> <security mode="Transport"> <transport clientCredentialType="Windows"/> </security> </binding> </basicHttpBinding> </bindings> <client> <endpoint address="https://mydomain.com/ADUserMaintenanceService.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpsEndpoint" contract="ADUserMaintenance.IADUserMaintenanceService" name="BasicHttpsEndpoint"/> </client> </system.serviceModel>
In IIS, the web service has the following authentication options set:
Anonymous Authentication: Enabled ASP.NET Impersonation: Enabled Windows Authentication: Enabled
the rest are disabled.
The asp.net website I am hooking into is currently using only Windows Authentication and the App Pool is running as a proxy account. The app pool for the web service is just using application pool identity (default).
This security stuff is way over my head, the code works great, but configuring IIS is taking up 10x as long as coding this service did. Any help would be appreciated, as I can't seem to get anything out of msdn's documentation.