WCF: Use a custom UserNamePasswordValidationMode without SSL Certificate

Question

For a customer, I've to use WCF to communicate between a client and a server application.

My application was using a WSHttpBinding to communicate, but now, the customer doesn't to install any SSL certificate, because:

• The server is only VPN accessible, so the communication is already encrypted
• Their computer aren't in a domain, so they can't use a domain CA
• The name of the server hasn't a public IP so they can't buy a SSL certificate for this ip

So I started to look how to don't use any SSL certificate, but I got some problems:

I saw that I should use a "TransportCredentialOnly" settings for the security mode, but this settings isn't available for "WsHttpBinding". So I decided to use the basicHttpBinding, which has this option, but it seems that the basicHttpBinding doesn't offer the possibility to use CustomUserNamePasswordValidator.

So how can I do this? Every search result I found are either using a SSL certificate or don't have customUserNameValidator.

Thank you very much for any help.

Answer 1

This is very rare scenario where sending unsecured username and password make sense. You need custom binding for this because default bindings don't allow this. This answer contains two options you can use. Just be aware that first option will allow you to send plain text user name and password over unsecured transport but it will break WSDL generation (that is a bug in WCF).