WCF security with load balancer

StackOverflow https://stackoverflow.com/questions/18606244

Question

We need to create a WCF service (.NET 4.0) that will be consumed by a client outside of our organization.

The case is that we have two servers that are behind a load balancer which terminates the SSL. This is where it gets confusing for me. How we could and should handle the authentication?

The previous experience about WCF is only about services for internal use. If I understood correctly we should use basicHttpBinding to guarantee interoperability with Java based client. I don't know if this is an issue with JAX-WS based client.

There will only be this one client that is going to use the service.

  • We need to somehow ensure that caller is authenticated to use the system
  • Make sure the message is encrypted when moving in public network

So far the best article that I found was http://devproconnections.com/net-framework/wcf-and-ssl-processing-load-balancers

There were few suggestions how to do this.

WCF services can be configured for basic authentication and receive credentials in the clear over HTTP. This can work; however, it precludes passing credentials in the message, and the use of more interesting credentials (such as issued tokens).

We use forms authentication on our website under which the service will be hosted. I think it is not easy or even possible to make the service then use basic authentication.

WCF services can be configured to fake the presence of transport security so that the runtime will allow receiving message credentials without transport or message protection

Will this be the way to go and will this work with basicHttpBinding?

Was it helpful?

Solution

The client and server binding will be different. The client binding will use username auth in eitehr message or transport level with transport security (ssl):

   <bindings>
        <basicHttpBinding>
            <binding name="NewBinding0">
                <security mode="Message" />
            </binding>
        </basicHttpBinding>
    </bindings>

then the server config will use the same config but without the transport security. If you chose to use message security then check out WCF ClearUsernameBinding. If you use trasnport security (basic http) then set mode="TransportCredentialOnly".

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top