WCF web Service - Hosting in IIS 6.0 with Windows Authentication and Web client impersonation

As we all know, Hosting a WCF service and configuring authentication is not the same as we do for ASMX. There are many changes and the way we get credentials in service code and on server etc. I am not going to get deep into it, THIS LINK however here is another blog post which talks in great details about it hosting WCF service in IIS.

There is a small / Big (?) difference between ASMX and WCF with respect to hosting, and interestingly there is a compatibility mode for this same, THIS ARTICLE is great read on it.

 Now, without wasting much of time, here is the problem in hand. 

1. Need to create a WCF service which access Data Base

2. Then host it in IIS 6.0 (not IIS 7.0)

3. Make it Windows integrated Authentication

 4. Build an ASP.NET client and consume service.

 Simple enough? Interestingly there are some tweaks,

 Here are the steps. (I am using windows 2003 server and Visual studio 2008 with Sp1 and .NET framework 3.5)

1. With Visual studio, Create a WCF web service.

2. In IIS 6.0 create a different app pool and use that App pool for this service, Turn on the Windows integrated Auth and uncheck the Anonymous auth (For all the documents and pages or whatever)

3. Then edit the endpoint configuration. You need to use basicHTTPBinding, Here is the code snippet inside the service model tag

<

system.serviceModel>

<

bindings>

<

basicHttpBinding>

<

binding name="BasicHttpEndPointBinding">

<

security mode="TransportCredentialOnly">

<

transport clientCredentialType="Windows"/>

</

security>

</

binding>

</

basicHttpBinding>

</

bindings>

4. Once this is done, try debugging the service by requesting the .SVC file. You should get a credential prompt. Everything work fine till here.

5. Create a ASP.NET web app, turn on windows Auth and turn off Anonymous auth. Create a service ref and write a code to access the service.

6. Now here is the interesting part. In most of the cases, you will have a service account which has given the access to DB, and you would like web service to run under that user account. To do this you would go and run the app pool created for WCF service under service account (This is the AD account). Once you do the the application pool will crash saying the user identity should be in SPN. (Need to make changes on Domain controller and all)

7. The above is not the part of solution, so here is what you do, Enable the IIS metabase edit enabled.

8. Open the IIS metadata file wich is in System32/inetsrv/metabase.xml and find IISWebServer tag in there corrosponding to  you app pool name. Add this in there NTAuthenticationProviders=" Negotiate ,NTLM"

9. Close the IIS metabase xml file and restart the IIS. After doing this, Add this service account to IIS_WPG account. This is very important. Also you do not want <identity impersonate = "true"> for your service.

10. Now, on the client side (Your web app) if you are using the same app pool with Windows Auth, then it will work only on your local machine (Hop Problem), So for web application user the default app pool with network service as user.

You should be good now.