Accessing WCF Service using TCP from the DMZ (not on network or domain)

Question

We have a DMZ where we host an IIS website which in turn communicates to our "app" server (also IIS) WCF services using TCP.

When we are on the domain and in the network this works fine. When we try to access the services from the DMZ we get a "cannot handle anonymous" user exception. Accessing the app server directly works fine.

Any suggestions on the best way to configure the security between the DMZ and the app server?

Thanks.

KJQ

Answer 1

netTcpBinding default to using Windows credentials so a different AD domain will not work. In a case like this using a mutual certificate is good option to validate between the DMZ and the actual service.