How to disable WCF authentication

Without explicit configuration, a WCF service will always try to authenticate the caller. If you don't want this (and you want to avoid faults such as "the caller was not authenticated by the service" or "the request for security token could not be satisfied"), you can disable WCF security by creating a binding configuration with the security mode set to None. With mode None the service neither authenticates callers nor signs or encrypts messages. Here's what the system.serviceModel section in the web.config should look like:

    <!-- Server Side -->
    <services>
      <service name="Service"
               behaviorConfiguration="ServiceBehavior">
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="UnsecuredBinding"
                  contract="IService" />
        <endpoint address="mex"
                  binding="mexHttpBinding"
                  contract="IMetadataExchange"/>
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="UnsecuredBinding">
          <security mode="None">
            <message establishSecurityContext="false"/>
            <transport clientCredentialType="None"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>


Client applications should of course connect with a compatible binding. A standard wsHttp binding will assume security at Message level, so you will bump into a "secure channel cannot be opened because security negotiation with the remote endpoint has failed" fault. Here's what the system.serviceModel section in the app.config should look like:

    <!-- Client Side -->
    <bindings>
      <wsHttpBinding>
        <binding name="UnsecuredBinding">
          <security mode="None">
            <message establishSecurityContext="false"/>
            <transport clientCredentialType="None"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://www.dotbay.be/Service.svc"
                binding="wsHttpBinding"
                bindingConfiguration="UnsecuredBinding"
                contract="IService"
                name="UnsecuredBinding">
        <identity>
          <dns value="localhost" />
        </identity>
      </endpoint>
    </client>


By the way, the system.web settings are ignored, so no authentication takes place, even with this setting on the server side:

    <authentication mode="Windows"/>
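
Because a binding with security mode None leaves an endpoint open to any caller, it helps to be able to inventory where such bindings are in use. The following Python audit is an added example, not code from the original post: it lists every service or client endpoint that resolves to a binding configuration with `mode="None"`. The function name `find_unsecured_endpoints` and the extra `secure` endpoint in the sample are assumptions; the sample config is constructed from the server-side snippet above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the server-side snippet from this post plus one
# hypothetical endpoint ("secure") that keeps the wsHttpBinding defaults.
SAMPLE = """
<system.serviceModel>
  <services>
    <service name="Service">
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="UnsecuredBinding" contract="IService" />
      <endpoint address="secure" binding="wsHttpBinding" contract="IService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="UnsecuredBinding">
        <security mode="None" />
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>
"""

def find_unsecured_endpoints(config_xml):
    """Return (owner, address, contract, binding config) for every service or
    client endpoint whose binding configuration sets security mode None."""
    root = ET.fromstring(config_xml)
    # Map (binding type, configuration name) -> security mode, lower-cased.
    # An unnamed <binding> is keyed by "" and so matches endpoints that
    # specify no bindingConfiguration (the default for that binding type).
    modes = {}
    for binding_type in root.findall(".//bindings/*"):
        for cfg in binding_type.findall("binding"):
            sec = cfg.find("security")
            mode = sec.get("mode") if sec is not None else None
            modes[(binding_type.tag, cfg.get("name", ""))] = (mode or "").lower()
    findings = []
    for parent in list(root.iter("service")) + list(root.iter("client")):
        owner = parent.get("name", "client")
        for ep in parent.findall("endpoint"):
            key = (ep.get("binding"), ep.get("bindingConfiguration", ""))
            if modes.get(key) == "none":
                findings.append((owner, ep.get("address", ""),
                                 ep.get("contract"), key[1]))
    return findings
```

The audit only reports explicit `mode="None"` settings; binding types that carry no security by default, such as basicHttpBinding and mexHttpBinding, need a separate check.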

2 comments:

  1. I have tried this method in order to get my client/server to communicate w/o any type of authentication at all. Unfortunately, when I attempted this I received the error below. Any ideas? http://moourl.com/eneko

  2. Thanks, I have many problems because of authentication, this way to disable the authentication helps me so much!!! Sorry for my bad English, I'm Brazilian...