
I have read this post: How can I use WCF with only basichttpbinding, SSL and Basic Authentication in IIS? It seems to work fine if I set the clientCredentialType to "Basic"; however, when I set the clientCredentialType to "Windows", the anonymous user can access my services.

Can someone shine some light on this? How can I disable anonymous users? I have already disabled it in IIS 7.5. What are the differences between Basic Authentication and Windows Authentication?

Update: when I set the clientCredentialType to "Windows" and I browse to my service URL https://ServerName/myservice.svc, I am prompted with a login window; however, I can just type OK without typing in a user name and password, and I can still see the service information page. However, if I create a .html page on the virtual directory, then I have to enter a user name and password. Otherwise I cannot see the page.

Ybbest

1 Answer


Basic authentication takes an arbitrary username and password. Windows authentication sends the credentials of the currently logged-in user (assuming the user is running Windows) and is only really useful when both client and server are on the same domain.

It's also worth noting that, as sending Windows login information across the internet is a potential security issue, Firefox and more recent versions of IE won't send the credentials unless explicitly told to (a config setting for FF, moving the site to the "Trusted" zone for IE).

Basic
  • But why, when I set the clientCredentialType to "Windows", can the anonymous user access my services, even though I disable the anonymous user? – Ybbest Dec 19 '10 at 08:13
  • Firstly - is the server on the same domain as you are? Next, how are you disabling anonymous access? In code? In config? In IIS? – Basic Dec 19 '10 at 14:12
  • Yes, the server is on the same domain as I am and I am disabling anonymous access in IIS. – Ybbest Dec 19 '10 at 21:11
  • I'm not sure about bypassing the login. I think that is an IIS issue, not WCF. But I just wanted to mention that just because you can access the service metadata page doesn't mean your services are exposed. Metadata is usually exposed through a different endpoint (a mex endpoint) than the actual service and you may be only modifying the service's endpoint when setting Windows authentication. – xr280xr Oct 03 '12 at 16:00
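
The settings discussed in this thread, written out as a web.config fragment. This is an added example, not configuration posted by anyone above; the service name `MyNamespace.MyService`, the contract `MyNamespace.IMyService` and the binding and behavior names are hypothetical. It shows that the credential type on the service endpoint, the help and metadata pages, and the IIS authentication modules are three separate settings.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- SSL transport; swap "Windows" for "Basic" to prompt for
             an arbitrary username and password instead. -->
        <binding name="httpsWindows">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <!-- Hypothetical service and contract names. -->
      <service name="MyNamespace.MyService" behaviorConfiguration="noPublicInfo">
        <!-- Only this endpoint uses the binding above. No mex endpoint
             is declared, so metadata is not served on a second endpoint. -->
        <endpoint address="" binding="basicHttpBinding"
                  bindingConfiguration="httpsWindows"
                  contract="MyNamespace.IMyService" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="noPublicInfo">
          <!-- WSDL over GET and the .svc information page are controlled
               here, independently of the endpoint binding. -->
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
          <serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="false"
                        includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
  <system.webServer>
    <security>
      <authentication>
        <!-- Same switches as the Authentication feature in IIS Manager. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

The IIS authentication sections are locked at server level by default, so on a stock IIS 7.5 install they have to be unlocked before web.config may override them, or set in IIS Manager instead.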