I maintain a program that sends messages between users. The clients connect to a WCF-service that is hosted in IIS 7.0 on my domainserver. Up to now I successfully used basicHttpBinding for this, without any configuration. Now, I want to change to wsHttpBinding because this should encrypt the transport of the messages. The server has a certificate installed, but I did nothing to make this work with the WCF service. I did not configure any options for the wsHttpBinding either.

Now, when I connect to the WCF-service from any client that is within the domain that is governed by the same server that hosts the WCF-service all is well. But when I try to connect to the service from a client outside the domain the connection fails. The client gets an exception stating that “the caller was not authenticated by the service”. So it must be an authentication problem.

How do I troubleshoot this? A pointer to some helpful resources about this subject is very welcome too.

EDIT:
So here is how I got it working. Hopefully it will save some of you a headache…

The problem was as follows:

• IIS hosted two websites: mydomain.com and http://www.mydomain.com
• I wanted to host the WCF service on http://www.mydomain.com as I had purchased a certificate for that URL.
• WCF threw the error ‘This collection already contains an address with scheme http. There can be at most one address per scheme in this collection.’ at me.
• you have to solve this by adding a baseAddressPrefixFilter
• I wanted just transport security, no User Authentication
• After I solved that one I got an error stating that: ‘The provided URI scheme ‘https’ is invalid; expected ‘http’
• This error is generated by the client, not by the server.

Here is the web.config that did the trick:

<system.serviceModel>
     <serviceHostingEnvironment>
        <baseAddressPrefixFilters>
          <add prefix="http://www.mydomain.com"/>
        </baseAddressPrefixFilters>
     </serviceHostingEnvironment>

    <services>
      <service behaviorConfiguration="ServiceBehavior" name="MyApp.MyService">
        <endpoint address="mex"
                  binding="mexHttpsBinding"
          contract="IMetadataExchange"
           />
    <endpoint address="wsHttp"
          binding="wsHttpBinding"
                  bindingConfiguration="NoAuthentication"
                  contract="MyApp.IContract"/>
      </service>
    </services>
    <bindings>
    <wsHttpBinding>
        <binding name="NoAuthentication">
         <security mode="Transport">
            <transport clientCredentialType="None"/>
          </security>
        </binding>
    </wsHttpBinding>
   </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpsGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

Last, but very important: I had to tell the client that it should use the transportsecurity mode too, as I did not create the client with svcutil.

 public static IContract GetContract()
        {
            var binding = new WSHttpBinding(SecurityMode.Transport) {MaxReceivedMessageSize = 655350};
            var factory = new ChannelFactory<IContract>(
                          binding,
                          new EndpointAddress(@"https://www.mydomain.com/MyService.svc/wsHttp"));
            return factory.CreateChannel();
        }