I'm in the process of adding SSL security with Windows authentication to a formerly unsecured IIS hosted WCF service application. To my surprise, I found that two of the service endpoints were already using a Binding with Transport and Windows security. This is confusing because the client applications consuming this service are not configured to use Transport security or Windows credentials. Here is the service config:

<binding name="LargeBuffer" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
    <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
        maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
    <security mode="Transport">
        <transport clientCredentialType="Windows" />
    </security>
</binding>

...

<service behaviorConfiguration="WebServices.GCServiceBehavior"
    name="WebServices.GCService">
    <endpoint address="" binding="basicHttpBinding" name="GCSecuredEndpoint"
        bindingName="largeBuffer" contract="WebServices.IGCService" />
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>

When I use Visual Studio to generate the client proxy and configuration, it creates this:

<binding name="GCSecuredEndpoint" closeTimeout="00:01:00"
    openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
    allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
    maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
    messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
    useDefaultWebProxy="true">
    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
    <security mode="None">
        <transport clientCredentialType="None" proxyCredentialType="None"
            realm="" />
        <message clientCredentialType="UserName" algorithmSuite="Default" />
    </security>
</binding>

...

<endpoint address="http://devservices.mysite.com/GCService/GCService.svc"
    binding="basicHttpBinding" bindingConfiguration="GCSecuredEndpoint"
    contract="GCSvc.IGCService" name="GCSecuredEndpoint" />

Notice it's security mode="None" and Transport ClientCredentialType is None instead of Windows. When I call a method on the GCService it succeeds. I would expect it to first complain that I'm trying to access over http instead of https, but it doesn't. Next I would expect it to not authenticate or complain that the client endpoint doesn't match the service in terms of authentication, but it doesn't.

I have another service in the same application that I had just set up with Transport/Windows security, just without all the buffer/readquota stuff. For starters, when I generate the client proxy/config in VS for this service, it automatically uses the https address, transport security, and Windows authentication. If I manually change it to use None for both, as above, a call to one of the service methods does not succeed, as expected. Why is the GCService above working?

1 Answer

The server config has

bindingName="largeBuffer"

instead of

bindingConfiguration="LargeBuffer"

The LargeBuffer binding configuration was never being used.

Answered 2012-08-11T00:41:04.280
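
An audit for the mistake identified in the answer, as an added example that is not part of the original question or answer: it reports the security mode each service endpoint actually gets and flags endpoints that set bindingName without bindingConfiguration. The names audit_endpoints, DEFAULT_MODE and SAMPLE_CONFIG are hypothetical, the sample XML is constructed from the question's config, and the fallback to mode None assumes the basicHttpBinding default.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the service configuration in the question.
SAMPLE_CONFIG = """
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="LargeBuffer">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WebServices.GCService">
        <endpoint address="" binding="basicHttpBinding" name="GCSecuredEndpoint"
                  bindingName="largeBuffer" contract="WebServices.IGCService" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
"""

# Assumption: only the basicHttpBinding default (security mode None) is modelled here.
DEFAULT_MODE = {"basicHttpBinding": "None"}

def audit_endpoints(config_xml):
    """Return (service, endpoint, binding, effective security mode, warning) tuples."""
    model = ET.fromstring(config_xml).find("system.serviceModel")
    modes = {}  # (binding type, configuration name or "") -> configured security mode
    for btype in model.findall("bindings/*"):
        for b in btype.findall("binding"):
            sec = b.find("security")
            modes[(btype.tag, b.get("name", ""))] = sec.get("mode") if sec is not None else None
    findings = []
    for svc in model.findall("services/service"):
        for ep in svc.findall("endpoint"):
            btype, cfg = ep.get("binding"), ep.get("bindingConfiguration", "")
            mode = modes.get((btype, cfg)) or DEFAULT_MODE.get(btype, "binding default")
            warning = None
            if not cfg and ep.get("bindingName"):
                warning = "bindingName set without bindingConfiguration; named <binding> settings are not applied"
            findings.append((svc.get("name"), ep.get("name") or ep.get("address"), btype, mode, warning))
    return findings
```

Run against the question's config, the GCSecuredEndpoint entry comes back with mode None and the warning; switching the attribute to bindingConfiguration="LargeBuffer" makes it report Transport.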