Fenton

Reputation: 250802

Stop WCF From Adding A Signature To The SOAP Header

I have placed ProtectionLevel = ProtectionLevel.None on the ServiceContract for my WCF client (which calls a SOAP service), but WCF is still adding a signature to the header.

    [ServiceContract(ConfigurationName = "IMyOutboundService", ProtectionLevel = ProtectionLevel.None)]

How do I switch off the header signature for this client?

I am using a customBinding with authenticationMode="MutualCertificate" and I have set <textMessageEncoding messageVersion="Soap11WSAddressing10"/>. I can use a different binding, as long as it allows this.

Here is the current binding in full:

    <binding name="MyBinding" openTimeout="00:00:10" sendTimeout="00:00:10" >
      <textMessageEncoding messageVersion="Soap11WSAddressing10" />
      <security authenticationMode="MutualCertificate"
                includeTimestamp="true"
                enableUnsecuredResponse="true">
        <localClientSettings timestampValidityDuration="00:15:00"/>
      </security>
      <httpsTransport
        manualAddressing="false" maxBufferPoolSize="524288"
        maxReceivedMessageSize="5242880" allowCookies="false"
        bypassProxyOnLocal="true" decompressionEnabled="true" hostNameComparisonMode="StrongWildcard"
        keepAliveEnabled="true" maxBufferSize="5242880"
        realm="" transferMode="Buffered"  unsafeConnectionNtlmAuthentication="false"
        useDefaultWebProxy="true" requireClientCertificate="true"  />
    </binding>

Upvotes: 1

Views: 1375

Answers (1)

Fenton

Reputation: 250802

I have got this one working, the hard way!

    <binding name="MyBinding" openTimeout="00:00:10" sendTimeout="00:00:10" >
      <textMessageEncoding messageVersion="Soap11WSAddressing10" />
      <httpsTransport
        manualAddressing="false" maxBufferPoolSize="524288"
        maxReceivedMessageSize="5242880" allowCookies="false"
        bypassProxyOnLocal="true" decompressionEnabled="true" hostNameComparisonMode="StrongWildcard"
        keepAliveEnabled="true" maxBufferSize="5242880"
        realm="" transferMode="Buffered"  unsafeConnectionNtlmAuthentication="false"
        useDefaultWebProxy="true" requireClientCertificate="true"  />
    </binding>

So by keeping a custom binding, rather than switching to a basic binding (which I did try) you can keep the Soap11WSAddressing10 (i.e. you get all your SOAP headers).

By removing the <security> element, you essentially set things to transport-only security. In transport-only mode, no signatures are added.

Sadly, the one thing missing is the timestamp. I cannot find a configuration that will add a timestamp - so I am having to add this manually. This is trivial compared to getting all this other stuff working, so to be honest I'm delighted to do it.

Upvotes: 1
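
One way to add the timestamp by hand once the <security> element is gone: a client message inspector that writes a wsse:Security header containing only a wsu:Timestamp. This is an added example, not the answerer's code, and the timestamp it emits is unsigned, so only the TLS transport protects it. The class names are hypothetical, and the 15-minute lifetime and mustUnderstand setting are assumptions (the lifetime mirrors timestampValidityDuration in the question's binding).

```csharp
using System;
using System.Globalization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Xml;

// Hypothetical class names; register with: client.Endpoint.Behaviors.Add(new TimestampBehavior());
sealed class TimestampSecurityHeader : MessageHeader
{
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string Format = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'";
    readonly TimeSpan validity;

    public TimestampSecurityHeader(TimeSpan validity) { this.validity = validity; }
    public override string Name { get { return "Security"; } }
    public override string Namespace { get { return Wsse; } }
    public override bool MustUnderstand { get { return true; } } // assumption: service expects it

    protected override void OnWriteHeaderContents(XmlDictionaryWriter writer, MessageVersion version)
    {
        DateTime created = DateTime.UtcNow; // WS-Security timestamps are expressed in UTC
        writer.WriteStartElement("u", "Timestamp", Wsu);
        writer.WriteElementString("u", "Created", Wsu, created.ToString(Format, CultureInfo.InvariantCulture));
        writer.WriteElementString("u", "Expires", Wsu, created.Add(validity).ToString(Format, CultureInfo.InvariantCulture));
        writer.WriteEndElement();
    }
}

sealed class TimestampInspector : IClientMessageInspector
{
    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        // A fresh header per request, so Created/Expires reflect the actual send time.
        request.Headers.Add(new TimestampSecurityHeader(TimeSpan.FromMinutes(15)));
        return null;
    }
    public void AfterReceiveReply(ref Message reply, object correlationState) { }
}

sealed class TimestampBehavior : IEndpointBehavior
{
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime runtime) { runtime.MessageInspectors.Add(new TimestampInspector()); }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection parameters) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```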
