다음을 통해 공유


Disabling Anonymous Authenticaiton on IIS for Message Security and Impersonation

When hosting WCF services in IIS we would ideally want to disable anonymous authenticaion on a website when there are other resources or type of endoints being hosted on that site. The solution to this is not quite obvious.The problem basically is that we have a situation where there are double identities coming into play. Basically this is because the message identintiy for message secuirty and the transport identity from IIS, both come into the picture and WCF doest know which one to pick and hence falls back to anonymous and then you get this exception.

 “Cannot start impersonation because the SecurityContext for the UltimateReceiver role from the request message with the 'https://tempuri.org/<Service>/<Action>' action is not mapped to a Windows identity.”

I was out the whole day trying to figure out how can i get this thing working. Finally Wenlong put up a full post "Impersonation with Double Identities"  that explained this whole scenario.

But if you just want to get your binding up and running with impersonation and message level security this should work with anonymous authentication.

<customBinding>

  <binding name="MyService">

    <security authenticationMode="SspiNegotiated">

    </security>

    <textMessageEncoding/>

    <httpTransport/>

  </binding>

</customBinding>

Pleaes note that you dont need to enable integrated windows authentication for this to work and SspiNegotiated will take care of this and your identity will flow through even if your Virtual directory is not setup with integrated windows authentication.

Comments

  • Anonymous
    December 16, 2007
    There is a security feature of WCF services hosted under IIS that I find poorly implemented. In all honesty,

  • Anonymous
    May 18, 2011
    <security authenticationMode="SspiNegotiated"> does not exist!!

  • Anonymous
    May 31, 2011
    <security authenticationMode="SspiNegotiated"> does not exist!!

  • Anonymous
    July 28, 2011
    Cheers for this, been trawling the web for hours and this is the only thing that worked. This comment: <security authenticationMode="SspiNegotiated"> does not exist!! is a nonesense, it does.