Jason

Reputation: 3960

WCF Message Security With Service Certificate Only

I'm new to WCF, and wanted to know if it is possible to do Message Security where I use an X.509 certificate for the service only, and use Windows credentials for client security. Is this acceptable? Does it work? I tried searching the web, but either no discussion of this approach exists, or I have put the wrong wording in my Google search. Any help is much appreciated, thank you all.

Basically, I'd have this in my binding:

<wsHttpBinding>
    <binding name="msgBinding">
        <security mode="Message">
            <message clientCredentialType="Windows" />
        </security>
    </binding>
</wsHttpBinding>

and on my behavior:

<behavior name="wsHttpCertificateBehavior">
    ...
    <serviceCredentials>
        <serviceCertificate findValue="MyCert" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="My" />
    </serviceCredentials>
</behavior>

Upvotes: 2

Views: 1313

Answers (2)

Jason

Reputation: 3960

Hey, thank you for your help Mogounus. My problem is quite complicated, but in short, my requirements are to use certs on the server side; after doing some more research I think I figured it out now. So if I understand it correctly, when using certs on both client/server with message security, the client would sign the message with its private key, then attach its pub key, and encrypt with the server's pub key; only the server would be able to decrypt and thus get the signed message along with the pub key of the client to verify the signed data.

In my case, I had it working; I just needed to verify that the service was using the right stuff to sign/encrypt, but this doesn't seem possible, since by the time the message is packaged up it is already encrypted and I can't see the content.

Another problem I realized while searching for this answer is that not all my clients will be in the same domain, so I will have to use either user/pwd or certs on the client side.

Upvotes: 0
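The following is an added example, not code from the question or either answer. It is the programmatic equivalent of the poster's wsHttpBinding (Message mode, Windows client credential) and serviceCredentials/serviceCertificate configuration, and it addresses the point in the answer above: you cannot read the encrypted message on the wire, but you can check which certificate the host will sign and decrypt with before it opens, and which Windows identity a caller presented once a message has been validated. The IEcho contract, the EchoService class, the subject name "MyCert" and the address http://localhost:8000/Echo are placeholders assumed for this example; the client is assumed to run under a domain account the service can validate.

```csharp
// Added example: programmatic form of the poster's binding and service certificate
// settings, plus the checks a practitioner would run to confirm them. Names such as
// IEcho, EchoService, "MyCert" and the endpoint address are assumptions for this example.
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text)
    {
        // With clientCredentialType="Windows" the caller's Windows identity is
        // available here only after WCF has validated the security token.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        string caller = (ctx != null && ctx.WindowsIdentity != null)
            ? ctx.WindowsIdentity.Name
            : "(no Windows identity)";
        return "Echo for " + caller + ": " + text;
    }
}

public static class Program
{
    // Same settings as the poster's <wsHttpBinding> element.
    static WSHttpBinding CreateMessageSecurityBinding()
    {
        var binding = new WSHttpBinding();
        binding.Security.Mode = SecurityMode.Message;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return binding;
    }

    // Client side. negotiateServiceCredential is left at its default (true), so the
    // client obtains the service certificate during the handshake; it still validates
    // it: the DNS identity must match the certificate subject and the chain must be
    // trusted. Do not relax the validation mode to None outside a lab.
    static IEcho CreateClient()
    {
        var endpoint = new EndpointAddress(
            new Uri("http://localhost:8000/Echo"),
            EndpointIdentity.CreateDnsIdentity("MyCert"));
        var factory = new ChannelFactory<IEcho>(CreateMessageSecurityBinding(), endpoint);
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        return factory.CreateChannel();
    }

    public static void Main()
    {
        var address = new Uri("http://localhost:8000/Echo"); // placeholder address
        using (var host = new ServiceHost(typeof(EchoService), address))
        {
            host.AddServiceEndpoint(typeof(IEcho), CreateMessageSecurityBinding(), "");

            // Same lookup as the poster's <serviceCertificate> element.
            host.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.CurrentUser, StoreName.My,
                X509FindType.FindBySubjectName, "MyCert");

            // Inspect the certificate the host resolved *before* any message is built;
            // this is the check the poster could not perform on the encrypted message.
            X509Certificate2 cert = host.Credentials.ServiceCertificate.Certificate;
            Console.WriteLine("Service certificate: {0}", cert.Subject);
            Console.WriteLine("Thumbprint:          {0}", cert.Thumbprint);
            Console.WriteLine("Has private key:     {0}", cert.HasPrivateKey);
            Console.WriteLine("Valid until:         {0:u}", cert.NotAfter);
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Service certificate has no private key; it cannot decrypt client messages.");

            host.Open();
            Console.WriteLine("Listening. Press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

Run the host, then call CreateClient().Echo("hello") from a process running under a domain account; the reply names the Windows identity the service validated, which is a cheaper way to confirm the Windows credential path than trying to decrypt traffic. The thumbprint and HasPrivateKey lines confirm that FindBySubjectName picked the intended certificate and not another one with a similar subject.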

John K

Reputation: 830

Why are you trying to do this? What are your security requirements?

Are you trying to use a Service Cert to secure the message transfer and then use windows security for the client for authentication and authorization?

Windows security only works if you are on the same domain or have some sort of federated security set up. If you are on the same domain just use windows security for both. If you are not on the same domain then you can't use windows credentials for the client because the server will have no way of validating them. You would either have to use a client certificate that was issued by the certificate authority on your service side or use custom credentials.

If however you are on the same domain but still require a service side cert then you have to specify the serviceCertificate in the service's config file and define an endpoint address with HTTPS, that is if you are hosting as a stand alone service. If you are hosting in IIS then you define the certificate in the IIS website's setup.

You may find this useful: Application Deployment Scenarios

Upvotes: 1
