Authentication settings in IIS Manager versus web.config versus system.serviceModel

I have a WCF web service, and I want to use Basic authentication. I am getting lost in the authentication options:

  • In IIS 6 Manager, I can go into the properties of the web site and set authentication options.
  • In the web site's web.config file, under system.web, there is an <authentication mode="Windows"/> tag.
  • In the web site's web.config file, under system.serviceModel, I can configure:

      <binding name="MyBinding">
        <security mode="Transport">
          <transport clientCredentialType="Basic"/>
        </security>
      </binding>

What is the difference between these three? How should each be configured?

Some context: I have a simple web site project that contains a single .svc web service, and I want it to use Basic authentication over SSL. (Also, I want it to not use Windows accounts, but maybe that is another question.)


The first two are really about access to an ASP.NET virtual directory or virtual application in IIS6 - that has basically nothing to do with WCF (WCF is actually neither part of nor dependent on ASP.NET). The settings control how the HTTP request coming into the IIS6 web server is handled in terms of authentication. This basically controls whether anonymous callers from the internet can just call in without authenticating, or whether they need to enter a username/password, or whether only callers with a valid Windows identity in this domain are allowed in.

The only reason this is interesting to your WCF service is the fact that when you host the WCF service in IIS (only one of the many options), then you have a (myservice).svc file that needs to reside inside a virtual directory. Of course, access to that SVC file is controlled by the authentication settings of IIS6/ASP.NET.

The security mode inside the <wsHttpBinding> section is the security-related definition of how the WCF service will communicate with its clients. Mode=Transport means you're securing the actual transport layer - typically using SSL - not each message separately. This setting works great in Intranet scenarios where you have all clients behind a corporate firewall - but it won't work too well in Internet scenarios, since you can't really control the whole chain from the client (anywhere on this planet) over a series of intermediary hops to your server - you just can't. In this case, you'd have to use Mode=Message, which basically encrypts and signs each message that goes over the wire - that works over any number of routers and relays along the way from the point of origin to your server.

The first two are related; if they don't match, your service will not be able to activate. If you choose Windows authentication, obviously there is an assumption that you will be tied to a Windows domain or local machine.

Since you are going to be doing SSL basic authentication, you are going to set this to None and then configure your transport security.

Your one stop shop for setting up transport + basic authentication

MSDN Article on Transport+Username + Windows Forms

I am not sure if you are still planning out how you are going to be doing security, but I would recommend thinking about using message security versus transport (personal bias toward message security).

Transport vs Message Comparison

Patterns & Practices on Message and Transport Security
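
The settings discussed in the question and both answers, lined up in one web.config for Basic authentication over SSL. This is an added example, not configuration from the original posts: the service and contract names (MyNamespace.MyService, MyNamespace.IMyService) are placeholders, and wsHttpBinding is assumed because the first answer mentions it.

```xml
<configuration>
  <!-- Layer 1 (not in this file): in IIS 6 Manager, on the site or virtual
       directory that holds the .svc file, require SSL and enable Basic
       authentication. WCF checks at activation that the IIS authentication
       scheme matches the binding's clientCredentialType below. -->

  <system.web>
    <!-- Layer 2: ASP.NET authentication. Set to None, as the second answer
         recommends, so ASP.NET does not add Windows authentication of its own. -->
    <authentication mode="None"/>
  </system.web>

  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="MyBinding">
          <!-- Layer 3: WCF binding security. Transport mode means the channel
               itself (HTTPS) protects the traffic; Basic credentials are only
               base64-encoded, so they must never travel over plain HTTP. -->
          <security mode="Transport">
            <transport clientCredentialType="Basic"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <services>
      <!-- Placeholder names: replace with the real service and contract types. -->
      <service name="MyNamespace.MyService">
        <!-- The empty address resolves to the .svc URL; with Transport mode
             the service must be reached through an https:// address. -->
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="MyBinding"
                  contract="MyNamespace.IMyService"/>
      </service>
    </services>
  </system.serviceModel>
</configuration>
```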
