
I have a WCF service with netTcpBinding hosted on Server 'A' in IIS with the default security (mode=Transport). So, obviously, it uses Windows authentication. This WCF service is consumed by an ASP.NET web application hosted on Server 'B' in IIS, and everything works fine until I turn on Windows authentication for the web application. When Windows authentication is turned on, I am getting the below error. Anonymous auth has been turned off and only Windows Authentication is enabled in IIS.

System.IdentityModel.Tokens.SecurityTokenValidationException: The service does not allow you to log on anonymously.
   at System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(WindowsIdentity identity, Boolean allowUnauthenticatedCallers)
   at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeAcceptor.CreateClientSecurity(NegotiateStream negotiateStream, Boolean extractGroupsForWindowsAccounts)
   at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeAcceptor.OnAcceptUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
   at System.ServiceModel.Channels.StreamSecurityUpgradeAcceptorBase.AcceptUpgrade(Stream stream)
   at System.ServiceModel.Channels.InitialServerConnectionReader.UpgradeConnection(IConnection connection, StreamUpgradeAcceptor upgradeAcceptor, TimeSpan openTimeout, IDefaultCommunicationTimeouts defaultTimeouts)
   at System.ServiceModel.Channels.ServerSessionPreambleConnectionReader.ServerFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelHandler.OpenAndEnsurePump()

Now, when both the WCF service and the web application are on the same server it works fine. The issue arises only when different servers come into the picture, and anything other than Windows Authentication works fine as well. FYI, the servers are in a trusted domain.

Below is the WCF service config:

<system.serviceModel>
    <behaviors>
        <endpointBehaviors>
            <behavior name="BehaviorA">
                <clientCredentials>
                    <windows />
                </clientCredentials>
            </behavior>
        </endpointBehaviors>
        <serviceBehaviors>
            <behavior name="Service1Behavior">
                <dataContractSerializer maxItemsInObjectGraph="2147438647" />
                <serviceCredentials>
                    <windowsAuthentication />
                </serviceCredentials>
                <serviceDebug includeExceptionDetailInFaults="true" />
                <serviceMetadata httpGetEnabled="false" />
                <serviceThrottling maxConcurrentCalls="1000" maxConcurrentInstances="1000" maxConcurrentSessions="1000" />
            </behavior>
        </serviceBehaviors>
    </behaviors>
    <bindings>
        <mexTcpBinding>
            <binding name="MaxiMexBinding" />
        </mexTcpBinding>
        <netTcpBinding>
            <binding closeTimeout="00:01:00" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="100" maxReceivedMessageSize="2147483647" name="PortSharingBinding" openTimeout="00:01:00" portSharingEnabled="true" receiveTimeout="10675199.02:48:05.4775807" sendTimeout="00:01:00" transactionFlow="false" transactionProtocol="OleTransactions" transferMode="Buffered">
                <readerQuotas maxArrayLength="2147438647" maxBytesPerRead="2147438647" maxDepth="2147438647" maxNameTableCharCount="2147438647" maxStringContentLength="2147438647" />
                <reliableSession enabled="false" inactivityTimeout="00:10:00" ordered="true" />
                <security mode="Transport">
                    <transport protectionLevel="EncryptAndSign" />
                </security>
            </binding>
        </netTcpBinding>
    </bindings>
    <diagnostics>
        <messageLogging logEntireMessage="true" logMalformedMessages="false" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxMessagesToLog="2147483647" maxSizeOfMessageToLog="2147483647" />
    </diagnostics>
    <services>
        <service behaviorConfiguration="Service1Behavior" name="Test">
            <endpoint address="" binding="netTcpBinding" bindingConfiguration="PortSharingBinding" contract="MyContract" name="Ep1">
            </endpoint>
            <host>
                <baseAddresses>
                    <add baseAddress="net.tcp://mydomain.com:808/MyWcf.svc" />
                </baseAddresses>
            </host>
        </service>
    </services>
</system.serviceModel>

The client configuration uses the same settings as above, so no major issues with that.

Would be great if someone could help me with this.

Ajay
  • The endpoint behavior name "BehaviorA" is not mentioned anywhere else in the configuration sample you provided, so have you checked whether this is being applied? As far as I am aware this needs to be specified by the `behaviorConfiguration` attribute on the endpoint, or it won't take effect. – Tom W Jun 16 '20 at 05:15
  • This may be caused by the fact that your client and server are not in the same Windows domain. Please refer to this link: https://stackoverflow.com/questions/62328027/net-core-3-1-api-calling-net-framework-wcf-service-secured-using-windows-authe/62337856#62337856. – Ding Peng Jun 16 '20 at 07:42
  • @TomW - Yep the behavior configuration is applied and all good. – Ajay Jun 16 '20 at 22:48
  • @Dingpeng - Nope it is not the same issue – Ajay Jun 16 '20 at 22:49
  • You can try setting client credentials before using the proxy class, like this: `proxy.ClientCredentials.Windows.ClientCredential.Domain = ""; proxy.ClientCredentials.Windows.ClientCredential.UserName = ""; proxy.ClientCredentials.Windows.ClientCredential.Password = "";` – Ding Peng Jun 17 '20 at 01:58
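The stack trace above is `ValidateAnonymityConstraint` refusing a Windows identity that came out of the transport-level SSPI negotiation as anonymous, because `allowUnauthenticatedCallers` is false (the default for `<windowsAuthentication />`, which the posted config keeps). The snippet below is an added diagnostic, not code from the question or the comments: it puts a tiny `WhoAmI` operation on the service side that reports what identity actually arrived, and a client-side probe that shows which token the ASP.NET request thread would hand to WCF before the call is made. It also shows the explicit-credential approach from the comment as a named parameter. The contract, service, class and method names, and the `MakeBinding` settings mirroring the posted `PortSharingBinding`, are all assumptions for illustration.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract: lets the service echo back the Windows identity that the
// netTcp transport negotiation actually produced for this session.
[ServiceContract]
public interface IWhoAmI
{
    [OperationContract]
    string WhoAmI();
}

public class WhoAmIService : IWhoAmI
{
    public string WhoAmI()
    {
        var ctx = ServiceSecurityContext.Current;
        // IsAnonymous is the condition ValidateAnonymityConstraint rejects when
        // allowAnonymousLogons is false; with the default you never reach this line
        // for such a caller, the channel open fails first (the posted exception).
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
            return "ANONYMOUS";
        var id = ctx.WindowsIdentity;
        return string.Format("{0} via {1}, level={2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);
    }
}

public static class WcfIdentityProbe
{
    // Assumption: same security settings as the posted PortSharingBinding.
    public static NetTcpBinding MakeBinding()
    {
        var b = new NetTcpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        b.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return b;
    }

    // Service-side host. Keep AllowAnonymousLogons at its default (false): flipping it
    // to true silences the "does not allow you to log on anonymously" exception, but
    // then any unauthenticated caller is accepted with an anonymous identity.
    public static ServiceHost CreateHost(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(WhoAmIService), baseAddress);
        host.AddServiceEndpoint(typeof(IWhoAmI), MakeBinding(), "");
        host.Credentials.WindowsAuthentication.AllowAnonymousLogons = false;
        host.Credentials.WindowsAuthentication.IncludeWindowsGroups = true;
        return host;
    }

    // Call from inside the ASP.NET request on Server B (page, handler or controller)
    // and log the result. With IIS Windows authentication on, the request thread may be
    // impersonating the browser user; an NTLM-derived token is Impersonation-level and
    // cannot authenticate to a second machine, which is the classic double-hop symptom
    // behind an ANONYMOUS LOGON arriving at Server A. If this reports the app pool
    // identity instead, look elsewhere (SPNs, Kerberos vs NTLM, machine trust).
    public static string DescribeCallerToken()
    {
        var me = WindowsIdentity.GetCurrent();
        return string.Format("{0} auth={1} level={2} anon={3} system={4}",
            me.Name, me.AuthenticationType, me.ImpersonationLevel,
            me.IsAnonymous, me.IsSystem);
    }

    // Client-side channel. Passing explicit credentials (what the comment above
    // suggests) makes the second hop independent of whatever the request thread is
    // impersonating; use a dedicated service account and keep the secret out of
    // source control (e.g. a protected config section), not a literal in code.
    public static IWhoAmI OpenChannel(string address, NetworkCredential explicitCred = null)
    {
        var factory = new ChannelFactory<IWhoAmI>(MakeBinding(), new EndpointAddress(address));
        // Identification is all the service needs to know who is calling; do not raise
        // this to Delegation unless Server A genuinely has to act as the caller.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Identification;
        if (explicitCred != null)
            factory.Credentials.Windows.ClientCredential = explicitCred;
        return factory.CreateChannel();
    }
}
```

Usage: host `CreateHost(new Uri("net.tcp://mydomain.com:808/MyWcf.svc"))` on Server A (or wire `WhoAmIService` into the existing IIS-hosted service), then on Server B log `DescribeCallerToken()` first and compare it with `OpenChannel(address).WhoAmI()`. The two strings tell you whether the hop is failing because of the impersonated token on the request thread or because the app pool identity itself is not being accepted by Server A.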

0 Answers