I have a set of WCF net.tcp services that support IIS7 that serve my ASP.NET MVC web application. Access to the web application is via the Internet.
WCF Services (IIS7) <--> ASP.NET MVC Application <--> Client Browser
The services are authenticated by user name, the account that the client (my web application) uses to log into the system ends as the current director on the host.
I want one of the services to be authenticated differently because it serves as a view model for my login. When he called, the client was obviously not logged in yet. I believe that Windows authentication is the best, or perhaps just certificate-based protection (which I should also use for authenticated services) if the services are hosted on a computer that is not in the same domain as the web application.
It is not important. Using multiple TCP bindings is what gives me problems. I tried to configure it this way in my client configuration:
<bindings> <netTcpBinding> <binding> <security mode="TransportWithMessageCredential"> <message clientCredentialType="UserName"/> </security> </binding> <binding name="public"> <security mode="Transport"> <message clientCredentialType="Windows"/> </security> </binding> </netTcpBinding> </bindings> <client> <endpoint contract="Server.IService1" binding="netTcpBinding" address="net.tcp://localhost:8081/Service1.svc"/> <endpoint contract="Server.IService2" binding="netTcpBinding" bindingConfiguration="public" address="net.tcp://localhost:8081/Service2.svc"/> </client>
The server configuration is as follows:
<bindings> <netTcpBinding> <binding portSharingEnabled="true"> <security mode="TransportWithMessageCredential"> <message clientCredentialType="UserName"/> </security> </binding> <binding name="public"> <security mode="Transport"> <message clientCredentialType="Windows"/> </security> </binding> </netTcpBinding> </bindings> <services> <service name="Service1"> <endpoint contract="Server.IService1, Library" binding="netTcpBinding" address=""/> </service> <service name="Service2"> <endpoint contract="Server.IService2, Library" binding="netTcpBinding" bindingConfiguration="public" address=""/> </service> </services> <serviceHostingEnvironment> <serviceActivations> <add relativeAddress="Service1.svc" service="Server.Service1"/> <add relativeAddress="Service2.svc" service="Server.Service2"/> </serviceActivations> </serviceHostingEnvironment>
The fact is that both bindings do not seem to want to live together in my host. When I delete any of them, everything is fine, but together they create the following exception on the client:
The requested update is not supported by "net.tcp: // localhost: 8081 / Service2.svc". This may be due to inconsistent bindings (for example, protection is enabled on the client, not on the server).
In the server trace log I found the following exception:
The protocol type / negotiation application has been sent to a service that does not support this type of update.
Am I looking in the right direction or is there a better way to solve this?
UPDATE
Although this question seems rather old, it still relates to me (and I think to others). I am currently using a magic combination of username and password (because the current main user requires a username) when accessing services that should not be authenticated in the first place. In light of this question, you can see that I prefer a non-authenticated binding specifically for these public services. In this case, the magic account is not insecure, it does not provide any access other than public.