Question

I'm working on a client-server project implemented using WCF. The clients are deployed on different machines and communicate with services through the internet. I'm relatively new to WCF, and am a bit confused about choosing the appropriate binding for my Web services. The clients need to be authorized to perform operations; however, I'm implementing my own authentication algorithm and trying to avoid Windows authentication for various reasons, but I still need to make sure the message transferred in the channel is encrypted.

Right now I'm using wsHttpBinding with security mode set to Message. Full configuration looks like this:

(The binding configuration was posted as an image, which is not reproduced here.)

I've set the authentication type in IIS to Anonymous Authentication to make sure the requests are passed through, and was expecting a service call to fail since MessageClientCredentialType in my binding is explicitly set to Windows. However, when I run the code, the service successfully gets called and returns the expected values. I have a feeling that I'm missing something - why is the call authorized? Can I make sure the message is still encrypted even though authentication type is set to Anonymous? Any help is appreciated.

Edit

To clarify on this, I tested the service with a client deployed to a machine outside the network on a different domain.


Solution

This MSDN article kind of sums up a lot of security issues relevant to WCF

http://msdn.microsoft.com/en-us/library/ms733836.aspx

Regarding your specific situation, `negotiateServiceCredential="true"` means that you streamline certificate distribution to your clients for message encryption.

This option will only work with Windows clients and has some performance problems. Read more here: http://msdn.microsoft.com/en-us/library/ff647344.aspx (search for the topic "streamline certificate distribution" on that page).

OTHER TIPS

Which account do you use to make the call to the service? Allowing anonymous in IIS lets your request pass through to the service, and the service should authenticate if your caller has credentials that Windows understands (Active Directory/NTLM). In your case, I think you are testing it in your own environment, so the service responds. Once you deploy it over the internet, I doubt your service will allow anybody outside of your domain if you keep `clientCredentialType` set to Windows. Check these links for securing services on the Internet: http://msdn.microsoft.com/en-us/library/ms734769.aspx and http://msdn.microsoft.com/en-us/library/ms732391.aspx
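The following is an added example, not code from the original question or either answer, showing what the two answers point toward when the goal is custom authentication plus message encryption: a wsHttpBinding with Message security whose client credential is a UserName token checked by a custom `UserNamePasswordValidator`, with `negotiateServiceCredential` turned off so that the service certificate is provisioned to the client out of band (the trade-off the first answer describes). IIS anonymous authentication only governs the HTTP transport; the WS-Security encryption and the credential check shown here happen inside the SOAP envelope, so they apply regardless of the IIS setting. The contract `IDemoService`, the URL `http://localhost:8080/demo`, the certificate subject `wcf-demo` (assumed to be installed in `LocalMachine\My` on the server and `CurrentUser\TrustedPeople` on the client), the user `alice` and the hard-coded password hash are all placeholders constructed for this example.

```csharp
// Added example: wsHttpBinding + Message security + custom UserName validation,
// with negotiateServiceCredential="false". All names/URLs below are assumptions.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IDemoService
{
    [OperationContract]
    string WhoAmI();
}

public class DemoService : IDemoService
{
    // Name of the identity WCF established from the validated UserName token.
    public string WhoAmI() => ServiceSecurityContext.Current.PrimaryIdentity.Name;
}

// Custom credential check replacing Windows authentication. The single hard-coded
// user is a stand-in for a real credential store; passwords are compared as
// salted PBKDF2 hashes in constant time, never as plaintext.
public class DemoPasswordValidator : UserNamePasswordValidator
{
    private static readonly byte[] Salt = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
                                            0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
    private static readonly byte[] StoredHash = Derive("correct horse battery staple", Salt);

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
            return kdf.GetBytes(32);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null)
            throw new SecurityTokenException("Missing credentials");
        bool ok = userName == "alice" && FixedTimeEquals(Derive(password, Salt), StoredHash);
        if (!ok) // WCF turns this into a security fault; the client sees MessageSecurityException
            throw new SecurityTokenException("Unknown user name or incorrect password");
    }
}

public static class Hosting
{
    // Programmatic equivalent of
    //   <security mode="Message">
    //     <message clientCredentialType="UserName" negotiateServiceCredential="false" />
    //   </security>
    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.NegotiateServiceCredential = false;
        return binding;
    }

    public static ServiceHost StartServer()
    {
        var host = new ServiceHost(typeof(DemoService), new Uri("http://localhost:8080/demo"));
        host.AddServiceEndpoint(typeof(IDemoService), CreateBinding(), "");
        // Message security needs a service certificate to encrypt to and to sign with.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "wcf-demo");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new DemoPasswordValidator();
        host.Open();
        return host;
    }

    public static string CallAsClient(string user, string password)
    {
        var address = new EndpointAddress(new Uri("http://localhost:8080/demo"),
                                          EndpointIdentity.CreateDnsIdentity("wcf-demo"));
        var factory = new ChannelFactory<IDemoService>(CreateBinding(), address);
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        // With negotiation off, the client must already hold the service certificate:
        // here it is looked up in the client's TrustedPeople store and pinned (PeerTrust).
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "wcf-demo");
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        IDemoService proxy = factory.CreateChannel();
        try { return proxy.WhoAmI(); }
        finally { ((IClientChannel)proxy).Abort(); factory.Abort(); }
    }

    public static void Main()
    {
        using (StartServer())
        {
            Console.WriteLine(CallAsClient("alice", "correct horse battery staple")); // alice
            try { CallAsClient("alice", "wrong"); }
            catch (MessageSecurityException e) { Console.WriteLine("rejected: " + e.Message); }
        }
    }
}
```

Because the UserName token travels inside the encrypted SOAP body, a network capture of the HTTP request shows only ciphertext even though IIS is set to Anonymous; the IIS setting decides who may reach the service host, and the message-level validator decides who may call operations. Keeping `negotiateServiceCredential="false"` removes the Windows-only SPNego negotiation the first answer mentions, at the cost of shipping the service certificate (or its issuing CA) to every client.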

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow