I have been googling everywhere I can possibly find (including here on Stackoverflow) to figure out an error I've got trying to deploy a WCF service to IIS 7.5 on Windows 7 x64 that runs only over SSL with basic HTTP authentication. I've got a site in IIS which has a binding to port 50443 for HTTPS with a self-signed cert. (I can't use the standard port 443, as we plan on deploying this to IIS on a server which is already running Tomcat which is listening on 80 and 443.)

This is the web.config:

<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
  </system.web>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpsGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <basicHttpBinding>
        <binding name="SSLBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Basic"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="HelloWorldWcf.HelloWorldWcfService">
        <endpoint name="HelloWorldWcf.HelloWorldWcfService" 
                  address="https://mylaptop:50443/HelloWorld/Service1.svc" 
                  binding="basicHttpBinding" 
                  bindingConfiguration="SSLBinding" 
                  contract="HelloWorldWcf.IHelloWorldWcfService"/>
        <endpoint address="https://mylaptop:50443/HelloWorld/Service1.svc/mex" 
                  binding="mexHttpsBinding" 
                  contract="IMetadataExchange"/>
      </service>
    </services>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
</configuration>

If I browse to the service endpoint address and enter the basic authentication credentials manually, I get the following exception error message displayed in my browser:

The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: context.ListenUriBaseAddress

This is the same error I got trying to run a WCF client against a similar service, except that it ends with "Parameter name: via" (because the parameter name of the method that shows up in the call stack, "System.ServiceModel.Channels.TransportChannelFactory`1.ValidateScheme(URI via)", is in fact "via").

I've tweaked the server and client config files so many times I've lost track, but the web.config file above is my best guess so far--and it doesn't even work from a browser, much less a WCF client.

What do I need to do to access a WCF service hosted in IIS 7.5 on a nonstandard SSL port with basic HTTP authentication over HTTPS? Help! (& Thanks!)

try add this to binding

<security mode="Transport"> 
    <transport clientCredentialType="None" proxyCredentialType="None" realm=""/> 
    <message clientCredentialType="Certificate" algorithmSuite="Default" />
</security> 

Arrrrgh! Okay, the remaining steps to get it to work:

1. Replace my <security> node in the web.config with burning_LEGION's.

2. Eliminate the "mex" endpoint from the web.config. (This allowed me to get to the usual "You have created a service" friendly web page in my browser.)

3. Escaped the backslash in the "DOMAIN\username" string I was assigning to HelloWorldWcfServiceClient.ClientCredentials.UserName.UserName in the client C# code. (Did I say "arrrrgh!"? Man, is my face red.) This eliminated the error I got after steps 1 and 2:

System.ServiceModel.Security.MessageSecurityException: "The HTTP request is unauthorized with client authentication scheme 'Basic'. The authentication header received from the server was 'Basic realm="mylaptop"'.---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.

I got the idea for step 2 from here which made me think mex was unhappy with HTTPS, and for step 3 from here where I noticed the user name was @"domain\username", not "domain\username".

+1 to burning_LEGION for the assist!

So, the unanswered questions: (1) why does the security/message node have any effect on a configuration that doesn't use message security (only transport security)? (2) what's the point of the mex endpoint if it just interferes with normal operation? (3) If mode="TransportCredentialOnly" doesn't work with HTTPS, why don't I get an error indicating this?