Castle Windsor w/ WCF Facility: Integrated Windows Authentication failure


Matt Barrett

Aug 7, 2008, 12:02:30 PM
to Castle Project Development List
Hi all,

I'm running into what may be a simple configuration error, but I've
been trying to isolate the problem for quite some time so thought I'd
ask here in case it has been seen before.

I'm using WCF on the .NET Framework 3.5, on Windows XP SP2, so IIS5.

I'm developing in Visual Studio 2008, and have a fully working REST
WCF service up and running, using Windsor for DI. My problem is that
with the WCF Facility installed and working, I'm trapped between two
(very) less than optimal solutions.

I get the following exception when IIS is configured with both
Anonymous and Integrated Windows authentication - exactly as stated.
If I turn off IntegratedWindowsAuthentication, I can't debug - but
everything else works perfectly. Obviously this isn't great as a
development experience.

> Server Error in '/WCF Application.

> IIS specified authentication schemes 'IntegratedWindowsAuthentication, Anonymous', but the binding only
> supports specification of exactly one authentication scheme. Valid authentication schemes are Digest,
> Negotiate, NTLM, Basic, or Anonymous. Change the IIS settings so that only a single authentication scheme
> is used.

If I turn on IntegratedWindowsAuthentication, but turn off Anonymous,
I'm told that the HTTP factory (for the binding httpTransport) does
not support IntegratedWindowsAuthentication.

> The 'IntegratedWindowsAuthentication' authentication scheme has been specified on the HTTP factory.
> However, the factory only supports specification of exactly one authentication scheme. Valid authentication
> schemes are Digest, Negotiate, NTLM, Basic, or Anonymous.

So it seems that without the Windsor WCF Facility being responsible
for creating the ServiceHost, WCF itself does just fine, and specifies
only Anonymous authentication when IIS specifies both as being valid.

Does anyone have any pointers on how to fix this, or where I should
look in the code to try and fix the problem? The stack trace isn't
very revealing, as there doesn't seem to be a way to change the
behaviour.

Thanks for any help.

Matt

Hamilton Verissimo

Aug 10, 2008, 11:47:10 PM
to castle-pro...@googlegroups.com
I plead ignorance on all WCF stuff. Craig, could you shed some light on this?

--
Cheers,
hamilton verissimo
ham...@castlestronghold.com
http://www.castlestronghold.com/

Craig Neuwirt

Aug 11, 2008, 9:08:14 AM
to castle-pro...@googlegroups.com
I think this may be a result of stuff that is internal to the MS Code that I can't easily access when I create default service hosts. Can you create a unit test for me so I can try it out?

craig

Ruprict

Aug 13, 2008, 8:21:01 AM
to Castle Project Development List
Are we thinking this is an IIS5 issue? We can debug just fine on
Server 2003 (IIS6.0).

Can you post your system.serviceModel config (presuming you have that)
or, if not, the Windsor config?

On Aug 11, 6:08 am, "Craig Neuwirt" <cneuw...@gmail.com> wrote:
> I think this may be a result of stuff that is internal to the MS Code that I
> can't easily access when I create default service hosts. Can you create a
> unit test for me so I can try it out?
>
> craig
>
> On Thu, Aug 7, 2008 at 11:02 AM, Matt Barrett
> <adigitalaesthe...@gmail.com> wrote:

Craig Neuwirt

Aug 13, 2008, 8:41:32 AM
to castle-pro...@googlegroups.com
I don't think so.  Can you create a patch that will let me see exactly what you are seeing to help resolve this?

Ruprict

Aug 13, 2008, 12:10:43 PM
to Castle Project Development List
Well, we really didn't do much, and none of it has to do with the WCF
Facility.

Just make sure that the virtual directory has Integrated Windows Auth
and Anonymous Auth and we can mount the process, no issues.

The area where we had big-time problems was impersonating the caller,
which we finally did figure out by adding

    <bindings>
      <webHttpBinding>
        <binding name="BookmarkBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </webHttpBinding>
    </bindings>

to the config.

However, I don't see that helping here.


On Aug 13, 5:41 am, "Craig Neuwirt" <cneuw...@gmail.com> wrote:
> I don't think so. Can you create a patch that will let me see exactly what
> you are seeing to help resolve this?
>

Ruprict

Aug 13, 2008, 5:52:46 PM
to Castle Project Development List
Have y'all seen the WCF Security guide that MS just put out on
CodePlex? Not sure if it'll help, but it's pretty comprehensive.

http://www.codeplex.com/WCFSecurity

It *may* help.

Craig Neuwirt

Aug 14, 2008, 9:24:08 AM
to castle-pro...@googlegroups.com
Haven't seen that yet, but I'll take a look and see if it helps.

thx

Matt Barrett

Aug 19, 2008, 8:48:54 AM
to Castle Project Development List
Hi all,

Sorry for disappearing after posting my question. Thanks for all the
follow ups.

On Aug 13, 5:10 pm, Ruprict <glenn.goodr...@gmail.com> wrote:
> Well, we really didn't do much, and none of it has to do with the WCF
> Facility.
>
> Just make sure that the virtual directory has Integrated Windows Auth
> and Anonymous Auth and we can mount the process, no issues.
>
> The area where we had big-time problems was impersonating the caller,
> which we finally did figure out by adding
>
>     <bindings>
>       <webHttpBinding>
>         <binding name="BookmarkBinding">
>           <security mode="TransportCredentialOnly">
>             <transport clientCredentialType="Windows" />
>           </security>
>         </binding>
>       </webHttpBinding>
>     </bindings>
>
> to the config.
>
> However, I don't see that helping here.

It may not help, but I am using a custom binding, as I am using a
custom message encoder. I can't specify the above configuration
settings in a custom binding, and there doesn't seem to be an
equivalent configuration element(s).

If I switch out my custom binding configuration for the webHttpBinding
specified above, I get exactly the same behaviour as I originally
outlined.

Also, this problem disappears when we move to IIS7 (w/ integrated
pipeline) on Windows Server 2008. I'd still like to get it fixed for
XP, though, so I'll keep plugging away.

I'm happy to try and create a patch or unit test for this issue, but
I'm not really sure of the best way to isolate it.

Given that it appears to be Windows XP/IIS5 specific, an IIS-hosted web
app project may be the best way forward. Shall I try and create one
that isolates the problem?

Regards
Matt
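
Added example, not part of the original thread or of Castle's code: on a custom binding the HTTP authentication scheme is set on the transport element itself, through the `authenticationScheme` attribute of `<httpTransport>`, which takes a single scheme. The binding name `CustomRestBinding` and the `<webMessageEncoding />` element are placeholders for the poster's own binding and custom message encoder; whether this changes the IIS5 behaviour described in the thread is not established here.

```xml
<bindings>
  <customBinding>
    <!-- Hypothetical binding name; substitute the real one. -->
    <binding name="CustomRestBinding">
      <!-- Placeholder encoder: a custom message encoder would be
           registered here through its own binding element extension. -->
      <webMessageEncoding />
      <!-- The transport element must come last in the stack.
           authenticationScheme names exactly one scheme; Negotiate is
           what clientCredentialType="Windows" maps to on the standard
           HTTP bindings. manualAddressing="true" matches what
           webHttpBinding sets for REST-style dispatch. -->
      <httpTransport authenticationScheme="Negotiate"
                     manualAddressing="true" />
    </binding>
  </customBinding>
</bindings>
```

The IIS virtual directory still has to enable the scheme named here, so a binding set to `Negotiate` needs Integrated Windows authentication turned on for that directory.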

Ruprict

Aug 20, 2008, 5:57:21 AM
to Castle Project Development List
Sure...if you can give me a bare bones version of what you are doing
(a la, the Hello World type service) I can try and look at it here (in
IIS6, tho)

Matt Barrett

Aug 20, 2008, 9:53:56 AM
to Castle Project Development List


On Aug 20, 10:57 am, Ruprict <glenn.g...@gmail.com> wrote:
> Sure...if you can give me a bare bones version of what you are doing
> (a la, the Hello World type service) I can try and look at it here (in
> IIS6, tho)

Great. I'll send a zip via email shortly.

I've reproduced the behaviour in as simple a project/service as I
think is possible. Of course, this may be dependent on IIS5/XP so you
may not have any luck, but it's worth a try.

I also spent a bit of time spelunking
System.ServiceModel.Web.WebServiceHost with Reflector. The offending
behaviour seems to have quite a bit to do with
SetBindingCredentialBasedOnHostedEnvironment and a call to
ServiceHostingEnvironment.IsSimpleApplicationHost. I haven't played
with it via reflection at run time yet, but it is something I intend
to get to over the next few days.

Cheers
Matt