The Problem

I have a WCF webservice that I am hosting as a webservice in IIS7.5. I want this service to only be accessible by two groups. The webservice is running successfully, although there does not seem to be any authentication being done.

I was under the impression ( having read gobs of MSDN pages attesting to this) that all one really had to do was enable Windows Authentication on the Application site, disable Anonymous Authentication, set the mode to windows in the web.config and add Allow/Deny rules to the authorization section as diaplayed below:

<system.web>
  <authentication mode="Windows" />
  <compilation debug="false" strict="false" explicit="true" targetFramework="4.0" />
  <pages /> <!-- Omitted -->
  <authorization>
    <a开发者_Python百科llow roles="Managers" />
    <allow roles="Operations" />
    <deny users="*" />
    <deny users="?" />
  </authorization>
</system.web>

With the above steps and web.config changes done, and after going to the Authorization page in IIS and reloading the Auth rules, calling the service through the WCFTestclient shows it working flawlessly. Except I am not part of either of those two groups...

The Questions

It looks like it is just letting anyone in. My questions are these:

1. Is there a way to see passed and failed authentication checks on the webservice? (If so, I can see if any kind of authentication is going on).
2. Does the above look correct? It seems a bit simple, but given the Microsoft Method, it is not far fetched that something so standard would be fairly simple to set up.

Bottom-line

I have a service with the above web.config file, and an IIS7.5 instance with Windows Authentication installed and enabled. Anonymous Authentication is disabled. Auth rules are defined for two groups to have access, and all others to be denied and yet despite the fact that I am in those groups, I can access the service.

EDIT:

So I appear to have authentication working. If I only have the Allow All Users rule in place, I have access to the webservice. If I enact a Deny All Users rule, I no longer have access. However, if I add my account ("domain\MyAccount" as an allow (regardless of position in the web.config) I still don't have access.

What I have changed to get here, Added the following to the service definition:

<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Required)> _

Added the following to the web.config:

<system.web>
    <authentication mode="Windows"/>
    <authorization>
      <deny users="*"/>
      <allow users="sierra\cblissittekeps"/>
    </authorization>
</system.web>

and

<system.servicemodel>
  <bindings>
    <basicHttpBinding>
      <binding name="ADServiceBinding">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows"/>
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
<system.servicemodel>

Alright! So apparently the steps I took in the original post are not in fact enough. You have to add that aspnetcompatabilityrequirements attribute to the service class (which implements your service iterface), you have to add to the serviceHostingEnvironment tag an aspNetCompatibility attribute:

<serviceHostingEnvironment multipleSiteBindingsEnabled="true"
                           aspNetCompatibilityEnabled="true" />

And, something that no-one seems to mention, the order of your Allow/Deny rules makes a difference. Adding an allow AFTER a Deny All Users means that all users are still denied. Putting it before means that all users are denied except the ones in the allow.