I'm working on a secured web site that handles WCF REST services. Everything worked fine until I started to secure my site. I changed the authentication mode from anonymous to Windows authentication and implemented the authorization inside the global.asax file.
For the website, which is designed with MVC architecture and uses internal services, everything is working as expected, but the REST API is not working well.
I've added the security configuration to the web.config binding section as follows:
<binding name="webHttpBindingWindows">
  <security mode="TransportCredentialOnly">
    <transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm"></transport>
  </security>
</binding>
and:
<binding name="webHttpBindingWindows">
  <security mode="TransportCredentialOnly">
    <transport clientCredentialType="Windows" proxyCredentialType="Windows"></transport>
  </security>
</binding>
and with and without:
<extendedProtectionPolicy policyEnforcement="WhenSupported"></extendedProtectionPolicy>
but I got this exception:
The extended protection settings configured on IIS do not match the settings configured on the transport. The ExtendedProtectionPolicy.PolicyEnforcement values do not match. IIS has a value of WhenSupported while the WCF Transport has a value of Never.
Does anyone have an idea how to solve it?
If I'm setting extended protection on IIS to off, I can't authenticate at all. (I get the browser pop-up but can't log in with any user account.)
Thanks, Naftali.
Eventually I got a solution for this issue:
the changes were in three different places:
off
. Kernel mode authentication should be enabled
. Two changes on the web configuration file:
<transport clientCredentialType="Ntlm"></transport>
Inside the services configuration, <endpoint address="mex" … />
instead of address="rest"
public void WindowsAuthentication_OnAuthenticate(object sender, WindowsAuthenticationEventArgs args)
Now it's working like a Ninja!