Category Archives: 18171

Fixing a WCF authentication schemes configured on the host (‘IntegratedWindowsAuthentication’) do not allow those configured on the binding ‘BasicHttpBinding’ (‘Anonymous’) error

Whilst testing a WCF web service I got the error

The authentication schemes configured on the host (‘IntegratedWindowsAuthentication’) do not allow those configured on the binding ‘BasicHttpBinding’ (‘Anonymous’). Please ensure that the SecurityMode is set to Transport or TransportCredentialOnly. Additionally, this may be resolved by changing the authentication schemes for this application through the IIS management tool, through the ServiceHost.Authentication.AuthenticationSchemes property, in the application configuration file at the <serviceAuthenticationManager> element, by updating the ClientCredentialType property on the binding, or by adjusting the AuthenticationScheme property on the HttpTransportBindingElement.

Now this sort of made sense as the web services was mean to be secured using Windows Authentication, so the IIS setting was correct, anonymous authentication was off


Turns out the issue was, as you might expect, an incorrect web.config entry

        <binding name=”windowsSecured”> <!—this was the problem –>
          <security mode=”TransportCredentialOnly”>
            <transport clientCredentialType=”Windows” />
      <service behaviorConfiguration=”CTAppBox.WebService.Service1Behavior” name=”CTAppBox.WebService.TfsService”>
        <endpoint address=”” binding=”basicHttpBinding”  contract=”CTAppBox.WebService.ITfsService”>
            <dns value=”localhost”/>
        <endpoint address=”mex” binding=”mexHttpBinding” contract=”IMetadataExchange”/>
        <behavior name=”CTAppBox.WebService.Service1Behavior”>
          <!– To avoid disclosing metadata information, set the value below to false before deployment –>
          <serviceMetadata httpGetEnabled=”true”/>
          <!– To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information –>
          <serviceDebug includeExceptionDetailInFaults=”true”/>

The problem was the basicHttpBinding had a named binding windowsSecured and no non-named default. When the service was bound to the binding it did not use the name binding, just the defaults (which were not shown in the config file).

The solution was to remove the name=”windowsSecured” entry, or we could have added a name to the service binding