user134363

Reputation:

Do I need to configure WCF with transport security if IIS is set up to negotiate certificates?

Even with all of the documentation available instructing me how to configure WCF to allow certificates over SSL, I'm having a hard time discerning where IIS' responsibilities lie and where the WCF's responsibilities lie.

For example, I do not have authority over my IIS server. I requested the admin to set up my virtual directory (application) to require certificates over SSL. I did this because when I tried to configure this security through my web.config, it told me that IIS wasn't set up to permit this.

After that, another developer told me that because the IIS Admin set it up this way, I only have to set security = none and client auth to none in my web.config because IIS will now handle this for my app.

Is this true? Also, is there documentation explaining the options of configuring IIS and WCF and some type of pipeline showing where these authentication processes occur?

Thank you.

Upvotes: 0

Views: 848

Answers (2)

The other other Alan

Reputation: 1918

Well, you definitely need to install a certificate and enable the SSL binding in IIS before anything will work. You must also set 'Security' mode to 'Transport', and 'clientCredentialType' to 'None'. This may be what your developer friend was getting at, though he is wrong to imply WCF doesn't need to do anything if security is set up in IIS.

<bindings>
  <basicHttpBinding>
    <binding name="secureHttpBinding">
      <security mode="Transport">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

You would then reference this binding in your service endpoint configuration. This page has a pretty clear step-by-step guide on what to do, though you will obviously need access to IIS to set this up.

The basic idea is that certificates are installed and managed by IIS, which also handles authentication. All WCF does is say what kind of security the service will be using/expecting. This page has a good discussion of Transport security over HTTP, as well as links to setting up IIS for this. Hope this helps!

Upvotes: 2
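The binding from the answer above wired into a full system.serviceModel section, as an added example that is not part of the original answer. The service and contract names (MyCompany.OrderService, MyCompany.IOrderService) and the second binding name are hypothetical; the second binding shows the WCF-side setting for a client certificate, assuming the IIS application is configured to require one.

```xml
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- HTTPS with a server certificate only: WCF expects no client credential. -->
      <binding name="secureHttpBinding">
        <security mode="Transport">
          <transport clientCredentialType="None"/>
        </security>
      </binding>
      <!-- HTTPS plus a client certificate at the transport layer.
           Assumption: the IIS application's SSL settings require client certificates. -->
      <binding name="secureHttpBindingClientCert">
        <security mode="Transport">
          <transport clientCredentialType="Certificate"/>
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <!-- Hypothetical service and contract names. -->
    <service name="MyCompany.OrderService">
      <!-- An empty address is relative to the .svc URL that IIS serves over https.
           bindingConfiguration selects which of the bindings above applies;
           switch it to secureHttpBindingClientCert for the client-certificate case. -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="secureHttpBinding"
                contract="MyCompany.IOrderService"/>
    </service>
  </services>
</system.serviceModel>
```

With mode="Transport", the TLS handshake and certificate handling stay in IIS; the binding only declares what the endpoint expects from it.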

vikingben

Reputation: 1652

I recently set up a WCF service for an outside company to access our data. The security practices are very hard to configure. I ended up bypassing the certificate and writing a custom auth class that authenticated a username and password in the header. Here are helpful references I found on my journey:

http://wcfsecurityguide.codeplex.com/releases/view/15892

http://msdn.microsoft.com/en-us/library/aa702565.aspx

I wish I could give you more; my situation was not as vital for security, so that had a major role in the route I took.

Upvotes: 0
