WCF Security

  • Question

  • Wondering if someone knows where I'm going wrong.

    I currently have a service set up on my local development machine.  I am attempting to implement security for this service, but every which way I attempt this I seem to have the username and password encrypted but not the actual data encrypted.  I have enabled logging of the service and every time I check the logs, I see no e.cyphervalue in there.  The same goes for wireshark, I can see the data clear text.

    My current setup is using basicHttpBinding and TransportWithMessageCredential over SSL.  I am passing credentials and authenticating via ASP.Net using a localised database.

    I'm not sure where I'm going wrong with this, any help would be much appreciated.

    Monday, June 11, 2012 3:08 PM

All replies

  • Since you use transport level security (transport SSL), you will not see the traffic encrypted since tools like Wireshark or Fiddler can decrypt SSL. They should indicate that SSL was used though.

    WCF Security, Interoperability And Performance Blog

    Monday, June 11, 2012 4:04 PM
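To make the distinction in the reply above concrete, here is an added configuration illustration (not posted by anyone in this thread): the thread's own binding, which protects the body only with SSL on the wire, beside a Message-mode variant in which WCF encrypts the SOAP body itself with the service certificate. The binding and behavior names, the certificate thumbprint and the MembershipProvider validation mode are assumptions for illustration.

```xml
<!-- Added illustration, not from the thread. Names and the thumbprint are placeholders. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- The thread's setting: SSL protects the body on the wire only. In WCF
           message logs the body is plain text, because only the credential is
           handled at the message layer. -->
      <binding name="TransportWithCredential" messageEncoding="Text">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None" />
          <message clientCredentialType="UserName" algorithmSuite="TripleDesSha256Rsa15" />
        </security>
      </binding>
      <!-- Message-layer security: the body is encrypted with the service
           certificate (WS-Security), so xenc:CipherValue elements appear in the
           SOAP envelope itself. Requires a service certificate. -->
      <binding name="MessageSecurity" messageEncoding="Text">
        <security mode="Message">
          <message clientCredentialType="UserName" algorithmSuite="TripleDesSha256Rsa15" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <!-- Reference this behavior from the service's behaviorConfiguration. -->
      <behavior name="MsgSecBehavior">
        <serviceCredentials>
          <serviceCertificate findValue="PLACEHOLDER-THUMBPRINT" storeLocation="LocalMachine"
                              storeName="My" x509FindType="FindByThumbprint" />
          <!-- Validate the UserName token against the ASP.NET membership database. -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <diagnostics>
    <!-- Transport-level logging records the message as it crossed the wire
         (encrypted body under mode="Message"); service-level logging records
         it after WCF has decrypted it. -->
    <messageLogging logEntireMessage="true" logMessagesAtTransportLevel="true"
                    logMessagesAtServiceLevel="false" />
  </diagnostics>
</system.serviceModel>
```

With the Message binding and transport-level logging enabled, the CipherValue elements the original poster was looking for show up in the log, whereas under TransportWithMessageCredential they never will, since the encryption happens below the SOAP layer.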
  • What encryption method are you trying to implement?  The encryption would be negotiated using the headers in the webpages and will default to the mode that is common between the client and the server.  If the server doesn't have encryption enabled then the client won't encrypt.  First check the headers on the Server webpage to see what modes it is set for.  You should be able to see in wireshark data the header negotiations.  You may see one more NAK and then another mode accept.

    You may need to review RFC 2295

    Monday, June 11, 2012 4:12 PM
  • I currently have the web.config on the server side set up on SSL and require SSL on the IIS side; I have set up a basic binding with transport with message credentials with encryption TripleDesSha256Rsa15.  Please see the excerpt below...

            <binding name="BasicHttpBindingConfig" messageEncoding="Text">
              <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="None" />
                <message clientCredentialType="UserName" algorithmSuite="TripleDesSha256Rsa15" />
              </security>
            </binding>

    Any further guidance would be much appreciated.

    Further to this I have found that the issue is not the service but the ApplicationPoolIdentity in IIS.  I'm currently using IIS 7.5 and the only way I can get the service to work is to set IIS to LocalSystem instead??

    I'm not happy about giving the service elevated privileges, and I'm trying to find an alternative method.

    Hope someone can help me.

    Thanks in advance.

    • Edited by CP Dev Monday, June 18, 2012 10:25 AM Update
    Tuesday, June 12, 2012 8:28 AM