WCF REST Services on IIS7

If you're using everything below:

  • A .svc file for activation, hosted locally (not over UNC) with or without fixed credentails
  • Windows Authentication

You will fall under the "NTFS ACL-based Authorization" rules in this document (http://technet.microsoft.com/en-us/library/dd163543.aspx). If that is the case and you are developing a REST service, you will probably experience an Access Denied error the first time you try and PUT a new object (assuming your application doesn't have write access to its own code).

The NTFS ACL-based authorization is built in to the core of IIS 7 so there is no way to disable it, except for breaking one of the conditions that triggers it. The solution for me was to eliminate the physical file that my service was mapping to (ie my ServiceName.svc file). This is possible due to a new feature in .Net 4.0 called Configuration-Based Activation (CBA).

You can read a little bit about CBA and see the basic configuration here: http://blogs.msdn.com/b/rampo/archive/2009/10/27/activation-without-svc-files-config-based-activation-cba.aspx

This site has a full example of a service along with the full configuration: http://geekswithblogs.net/michelotti/archive/2010/08/21/restful-wcf-services-with-no-svc-file-and-no-config.aspx

Neither of these sites was enough to get my service working though. I had a service that was telling me it could not work with Windows authentication turned on and that I needed to enable Anonymous. The bit that I was missing from my config was this:

        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />

Which I found here: http://blogs.msdn.com/b/drnick/archive/2007/03/23/preventing-anonymous-access.aspx

At this point, I stopped getting errors, but my service only returned blank pages, not any data. The last piece was to configure my service activation element with the System.ServiceModel.Activation.WebServiceHostFactory like this:

  <serviceHostingEnvironment aspNetCompatibilityEnabled="true">
          service="Namespace.ServiceClass" />

comments powered by Disqus