ASMX web service to allow anonymous access

Question

I am experiencing an authorization error for an asmx web service that I developed. The web service itself does not require any user credentials, but it seems like the web service is configured to enforce that, although I tried to set the configuration such as to allow for anonymous access:

I have set the corresponding web site in IIS to allow for anonymous access:

Further I have included the following lines in the web.config:

<configuration>
    ...
    <system.web>
        ...
        <authorization>
            <allow users="*"/>
        </authorization>
        ...
    </system.web>
    ...
</configuration>

When trying to call the web service from a test client, I get this error message:

The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'NTLM'.

The line of code calling the web service looks like this:

string message = new ServiceReference1.Service1SoapClient().HelloWorld();

And the code of the web service:

[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[System.ComponentModel.ToolboxItem(false)]
public class Service1 : System.Web.Services.WebService
{
    [WebMethod]
    public string HelloWorld()
    {
        return "Hello World";
    }
}

Some important points:

• If I try and set the client to authenticate using NTLM, it works fine.
• If I try and set the client not to authenticate, it fails with the message above.
• If I try and access the web service using a web browser, I also get a FORBIDDEN error message instead of the expected web service documentation page.
• If I run the web service from within Visual Studio and configure the client to access that service (localhost...), it works fine.
• See below for even more details

---

I also tried and put the authorization tag within a location tag pointing to the web service:

<location path="Service1.asmx">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>

This is how the client configuration (app.config) looks like (please note that as mentioned above, I can't even access the service using a web browser, so I dont' consider the client configuration relevant):

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="Service1Soap" closeTimeout="00:01:00" openTimeout="00:01:00"
                    receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
                    bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                    maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                    messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                    useDefaultWebProxy="true">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    <security mode="None">
                        <transport clientCredentialType="None" proxyCredentialType="None"
                            realm="" />
                        <message clientCredentialType="UserName" algorithmSuite="Default" />
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <client>
            <endpoint address="http://name.of.the.server.example.org/Service1.asmx"
                binding="basicHttpBinding" bindingConfiguration="Service1Soap"
                contract="ServiceReference1.Service1Soap" name="Service1Soap" />
        </client>
    </system.serviceModel>
</configuration>

Any Ideas?

---

Update: I found the following file:

C:\WINNT\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\web.config

Does it have any relevance to a custom web application, and if yes, don't the settings of my own web.config override the settings of that file?

Contents of that file:

<configuration>
    <system.web>
        <membership>
            <providers>
                <add name="WebAdminMembershipProvider" type="System.Web.Administration.WebAdminMembershipProvider" />
            </providers>
        </membership>
        <httpModules>
            <add name="WebAdminModule" type="System.Web.Administration.WebAdminModule"/>
        </httpModules>
        <authentication mode="Windows"/>
        <authorization>
            <deny users="?"/>
        </authorization>
        <identity impersonate="true"/>
       <trust level="Full"/>
       <pages validateRequest="true"/>
       <globalization uiCulture="auto:en-US" />
    </system.web>
</configuration>

Though there is another file:

C:\WINNT\Microsoft.NET\Framework\v2.0.50727\config\web.config

And I think that rather this one is the system-wide web.config file. This file in fact allows access to all users:

<system.web>
    <authorization>
        <allow users="*"/>
    </authorization>

Answer 1

* means authenticated users, you need to use ? instead.

Try disabling authentication for the whole web site:

<system.web>
  <authentication mode="None" />
  <authorization>
    <allow users="?" />
  </authorization>
</system.web>

Do this check: create test.txt file and try accessing it from web browser. Do you get 'Access Denied' error?

Next, try opening non-existing aspx page, e.g. blah.aspx. You should get 404 error, not Access Denied.

Answer 2

Have you checked for a higher level web.config and/or machine.config that are contributing configuration settings to your app?