Roddles

Reputation: 307

How to secure a WCF Service not hosted in IIS

I have been searching for the correct way to secure a WCF Service which is hosted in a Windows service and in a WPF Desktop application respectively (2 services).

I have tried so many examples and samples and read so many differing ways of doing things that I am now so confused I have no idea what to do.

In a nutshell - here is the scenario...

I have a Windows service which allows client applications to connect to it on the corporate LAN.

All communications here are behind a corporate firewall. No public facing stuff.

Now - I managed to get everything working fine using basicHttpBinding which has Windows Authentication enabled on it.

The problem is that I need to transmit everything securely - not using http.

So - I thought it would be a relatively simple task to simply generate a certificate (doesn't need to be a commercial certificate - just a dev certificate using MakeCert will do) and I can load that certificate from file and secure the traffic with that - oh how wrong was I!! It's not simple from what I have read.

To put things in perspective - there are 100 servers each running a service and this service will be contactable by upward of 500 desktop clients. Each client can be contacted by any one of the 100 servers if required.

Also - the servers are allowed to contact each other if they require it as well - and they regularly do.

Generating 600+ certs and loading them into the certificate repository of each machine is not really an option - and can you imagine the renewals in a year or two ...

What I was hoping to do was to be able to generate a cert file for a server - and one for a client, and distribute the cert file with each instance of the server or client application respectively. When the client or server fires up and opens its WCF Service Host - it would use the certificate in its path to encrypt traffic. I was going to disable all revocation checking as these would be certificates from untrusted sources - but as I mentioned this was ok.

So far - I have had absolutely no luck finding how to do this - in fact - I am not sure now which is the correct way to do this and if my approach using basichttpbinding was correct.

I have also tried going down the path of net.tcp instead of http - but I could not get the Visual Studio service reference generator to find the service - or if it did it always failed with errors.

Given the scenario I have outlined above - could someone please tell me the correct way to achieve encrypted communications between the server and client (and vice versa). Am I able to make a few small changes to my basicHttpBindings to enable SSL using my single Server or Client certs or am I pushing the proverbial !^&#% uphill?

Any advice would be most welcome or a link to a guide which might suit the scenario that I have described so I can sort this one.

Any help appreciated

Kind regards

Rod.

Upvotes: 0

Views: 300

Answers (1)

Ladislav Mrnka

Reputation: 364249

What are you talking about? You have 100 servers in a corporate network with 500 desktops and you don't have an internal Certificate Authority trusted by all these machines? In a corporate network with Active Directory this should be a simple, easy task because every machine most probably already has its own certificate, and if not it can request the certificate from the local Active Directory Certificate Authority and it will simply get one without you needing to manually manipulate the certificate. It can also handle certificate renewal. All you need is to assign that certificate to the correct port on each machine by using netsh - I believe this can be automated as well somehow. Questions about how to use a corporate CA, AD or automate certificate assignment in a corporate network belong on Server Fault.

Talking about security and at the same time distributing the same certificate with private key to 600 machines is nonsense. Any machine will be able to decrypt traffic targeted to any other machine; it is the same as sending data in base64 over HTTP and calling it security.

Upvotes: 1
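As an added illustration of the approach in the answer (this is not code from the question, the answer, or any project), here is a self-hosted WCF service that keeps the question's basicHttpBinding but switches it to TLS with Windows authentication, so the server's machine certificate from the corporate CA is the only certificate involved and clients need none. The contract, the port 8443 and the address are assumed values.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Hypothetical contract standing in for whatever the question's services expose.
[ServiceContract]
public interface IJobService
{
    [OperationContract]
    string Ping(string message);
}

public class JobService : IJobService
{
    public string Ping(string message) => "pong: " + message;
}

public static class Program
{
    public static void Main()
    {
        // Transport security = TLS on the wire; Windows credentials (Kerberos/NTLM via AD)
        // authenticate the caller, so no per-client certificates are distributed.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        // Port 8443 is an assumed value. Before this host can open, http.sys must have the
        // server certificate bound to that port (run once, elevated, on each server):
        //   netsh http add sslcert ipport=0.0.0.0:8443 certhash=<thumbprint> appid={<any-GUID>}
        // <thumbprint> is the machine certificate issued by the corporate (AD CS) CA and
        // stored in LocalMachine\My; clients trust its issuer through AD, and its subject
        // must match the host name used in the address below.
        var baseAddress = new Uri("https://" + Environment.MachineName + ":8443/JobService");
        using (var host = new ServiceHost(typeof(JobService), baseAddress))
        {
            host.AddServiceEndpoint(typeof(IJobService), binding, "");

            // Publish metadata over HTTPS only, so "Add Service Reference" can discover
            // the endpoint without any plain-HTTP listener being opened.
            host.Description.Behaviors.Add(new ServiceMetadataBehavior { HttpsGetEnabled = true });

            host.Open();
            Console.WriteLine("Listening on " + baseAddress);
            Console.ReadLine();
        }
    }
}
```

The client side uses the same binding settings (Transport mode, Windows client credential) against the https:// address; a matching net.tcp variant would use NetTcpBinding with SecurityMode.Transport, which also authenticates with Windows credentials and needs no certificate at all.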
