
IIS 7.x URL Authorization - should it really apply to 'ALL' content?


(Note: this is as much an IIS question as it is a WCF question, so please don't divert or close the post based on me talking about WCF)

Hi,

I'm trying to set up a scenario that uses IIS 7.x URL authorization (running IIS 7.5), but I'm finding it isn't working for a WCF web service. The web service is actually a WCF 4.0 routing service that I'm using in our DMZ as a reverse-proxy for a WCF service in the internal network.

The web service uses Transport security (TLS/SSL) and requires client certificates. SSL and client certificates are required on IIS, and IIS is configured with client certificate mapping. The IIS log shows the client certificate is mapped successfully by the presence of 'domain\user' in the log entry. The WCF service is also configured to require SSL (Transport) and the 'Certificate' credential type, although it doesn't perform any authorization of its own.

I'm interested in restricting access to a single AD user account who has authenticated with a client certificate and is mapped to that AD user account. I'm trying to do this with IIS 7 URL Authorization rather than WCF authorization because it makes the security config much more Administrator friendly. What happens is that I can 'Deny' all users the ability to access the WCF service, and the rule is completely ignored. POST messages get right through so long as the user can be authenticated with IIS and the WCF service. I have also verified that IIS URL Authorization is functioning on the server with a standard web site directory with static HTML content.

According to http://www.iis.net/learn/manage/configuring-security/understanding-iis-url-authorization, IIS URL authorization should apply to 'all content'. Previously ASP.NET URL Authorization would only apply in specific scenarios when running managed code and when that code is compatible with ASP.NET roles, etc.

IIS URL authorization is also a 'native' module, which suggests to me that it can't be filtered out by application code.

Does anyone have any experience with getting IIS URL Authorization working with WCF, or can anyone say whether this should work or not? Or can anyone say if there are certain content types for which IIS URL Authorization shouldn't work?

From everything I've read it looks like this should work.... but doesn't

Thanks,

Peter

