Why is my WCF Rest Service on IIS7 Authenticating TWICE!?!?
Posted
by TheAggie
on Stack Overflow
See other posts from Stack Overflow
or by TheAggie
Published on 2010-04-02T18:36:26Z
Indexed on
2010/04/02
18:43 UTC
Read the original article
Hit count: 839
Ok, if someone could shed some light on this for me, I would greatly appreciate it. So here we go. I had a rest service running fine the other day but after I accidentally overwrote the web.config all hell broke loose. I've spent the past day and a half trying to sort things out but I can't seem to figure out what is missing or misplaced.
So, I've designed this service around WCF Rest Contrib (http://wcfrestcontrib.codeplex.com)'s authentication process. Now, I can get this working fine on my localhost w/ the current web.config (minus the endpoint entry) but once I upload it to discountasp and select "basic authorization" in the ISS7 Manager, it appears that I'm getting authenticated twice! Once using my discount asp.net user/pass and then the next time using the application user/pass. Unfortunately I only provide one set of credentials and don't want to hard code my discountasp account info into the app. Like I said before, this worked fine a few days ago. Anyway. here is my web.config as it is now:
<?xml version="1.0"?>
<configuration>
<connectionStrings>
<add name="SQL2008_ConnectionString" connectionString="Data Source=sql2k8xx.discountasp.net;Initial Catalog=SQL2008_xx;Persist Security Info=True;User ID=SQL2008_xx_user;Password=myPass"
providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<httpRuntime maxRequestLength="204800" executionTimeout="3600"/>
<compilation debug="true">
<assemblies>
<add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
</assemblies>
</compilation>
<httpModules>
<add name="ServiceAnonymityModule" type="WcfRestContrib.Web.ServiceAnonymityModule, WcfRestContrib"/>
</httpModules>
</system.web>
<system.codedom>
<compilers>
<compiler language="c#;cs;csharp" extension=".cs" warningLevel="4" type="Microsoft.CSharp.CSharpCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<providerOption name="CompilerVersion" value="v3.5"/>
<providerOption name="WarnAsError" value="false"/>
</compiler>
</compilers>
</system.codedom>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules>
<remove name="ServiceAnonymityModule"/>
<add name="ServiceAnonymityModule" type="WcfRestContrib.Web.ServiceAnonymityModule, WcfRestContrib"/>
</modules>
<handlers>
<remove name="WebServiceHandlerFactory-Integrated"/>
</handlers>
</system.webServer>
<system.diagnostics>
<trace autoflush="true" />
</system.diagnostics>
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="false">
<baseAddressPrefixFilters>
<add prefix="http://www.mydomain.com/myServiceBaseAddress"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
<extensions>
<behaviorExtensions>
<add name="webAuthentication" type="WcfRestContrib.ServiceModel.Configuration.WebAuthentication.ConfigurationBehaviorElement, WcfRestContrib, Version=1.0.5.0, Culture=neutral, PublicKeyToken=89183999a8dc93b5"/>
<add name="errorHandler" type="WcfRestContrib.ServiceModel.Configuration.ErrorHandler.BehaviorElement, WcfRestContrib, Version=1.0.5.0, Culture=neutral, PublicKeyToken=89183999a8dc93b5"/>
<add name="webFormatter" type="WcfRestContrib.ServiceModel.Configuration.WebDispatchFormatter.ConfigurationBehaviorElement, WcfRestContrib, Version=1.0.5.0, Culture=neutral, PublicKeyToken=89183999a8dc93b5"/>
<add name="webErrorHandler" type="WcfRestContrib.ServiceModel.Configuration.WebErrorHandler.ConfigurationBehaviorElement, WcfRestContrib, Version=1.0.5.0, Culture=neutral, PublicKeyToken=89183999a8dc93b5"/>
</behaviorExtensions>
</extensions>
<bindings>
<customBinding>
<binding name="HttpStreamedRest">
<httpTransport maxReceivedMessageSize="209715200" manualAddressing="true" />
</binding>
<binding name="HttpsStreamedRest">
<httpsTransport maxReceivedMessageSize="209715200" manualAddressing="true" />
</binding>
</customBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="Rest">
<webAuthentication
requireSecureTransport="false"
authenticationHandlerType="WcfRestContrib.ServiceModel.Dispatcher.WebBasicAuthenticationHandler, WcfRestContrib"
usernamePasswordValidatorType="MyLibrary.Runtime.SecurityValidator, MyLibrary"
source="MyRESTServiceRealm"/>
<webFormatter>
<formatters defaultMimeType="application/xml">
<formatter mimeTypes="application/xml,text/xml" type="WcfRestContrib.ServiceModel.Dispatcher.Formatters.PoxDataContract, WcfRestContrib"/>
<formatter mimeTypes="application/json" type="WcfRestContrib.ServiceModel.Dispatcher.Formatters.DataContractJson, WcfRestContrib"/>
<formatter mimeTypes="application/x-www-form-urlencoded" type="WcfRestContrib.ServiceModel.Dispatcher.Formatters.FormUrlEncoded, WcfRestContrib"/>
</formatters>
</webFormatter>
<errorHandler errorHandlerType="WcfRestContrib.ServiceModel.Web.WebErrorHandler, WcfRestContrib"/>
<webErrorHandler
returnRawException="true"
logHandlerType="MyLibrary.Runtime.LogHandler, MyLibrary"
unhandledErrorMessage="An error has occured processing your request. Please contact technical support for further assistance."/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
So, whenever I upload this and change the ISS setting to Basic Authentication, it looks like it is trying to use the default handler for authentication as if I try to enter my web app user/pass, I get an error screen which has the following detailed information about the moduel/handler
Detailed Error Information
Module: IIS Web Core
Notification: AuthenticateRequest
Handler: svc-ISAPI-2.0
Error Code: 0x80070005Requested URL: http://www.mydomain.com:80/MyService.../MyService.svc
Physical Path: E:\web\xxxxxx\htdocs\MyServiceBaseAddress\MyService.svc
Logon Method: Not yet determined
Logon User: Not yet determined
Now for the fun stuff... i tried providing my discountasp.net account username/password for kicks and sure enough it responded properly for any [OperationContract] which doesn't have [OperationAuthentication] defined (which is only one or two of the operations I have).
I thought this was strange, so I looked at fiddler and saw something interesting.
Whenever I try request a procedure with [OperationAuthentication] defined and provide my discountasp.net username/pass I get two different "WWW-Authenticate" headers back in Fiddler:
WWW-Authenticate: Basic realm="MyRESTServiceRealm"
WWW-Authenticate: Basic realm="www.mydomain.com"
On the other hand, if I try to access the same procedures with only my application's user/pass, I only get the site's header:
WWW-Authenticate: Basic realm="www.mydomain.com"
My hypothesis is that for some reason I'm having to pass through the default "Basic Authorization" layer set by IIS before I can get to the application's "Custom Basic Authorization" layer.
After verifying this by created an identical user/pass for my service that I use for my discountasp.net account, I was able to successfully pass both layers of authentication without any issues... so I think I can conclude that this is indeed the issue. Now how do I disable the default one? Do I need to do this in the IIS Manager, or in the web.config?
Anyway, I have absolutely no idea how this is possible or what I need to do to resolve the issue, but I know that something is seriously out of whack.
Any suggestions would be greatly appreciated! Thanks.
© Stack Overflow or respective owner