WCF Message security and Transport security Authentication Question

  • Question

  • I am doing some research on authentication and performance in WCF.

    As I have read on MSDN, WCF message security can create a security session such that once the client application authenticates with the server, it can get a security context token and secure the subsequent messages using this token.

    1) Does it mean that as long as the security session is not recycled or expired on the server, no account validation process (i.e. querying AD to check account validity in Windows authentication) will be performed for the subsequent calls from the client application?

    For WCF Transport security, it seems that no security session can be created.

    2) Does it mean that the account validation process (i.e. querying AD to check account validity in Windows authentication) will be performed for every call to the WCF service using Transport security from the client application? Will it create an authentication token, something like the token in ASP.NET forms authentication, such that it is not necessary to perform the account validation process for each call?

    In MSDN, it is stated that using Transport security can have better performance than Message security.

    3) If Message security uses a security session, is the above statement still correct?

    4) If I set the security mode to TransportWithMessageCredential with the following config

    <netTcpBinding>
      <binding name="myTcpBinding">
        <security mode="TransportWithMessageCredential" >
           <transport clientCredentialType="Windows" />
           <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </netTcpBinding>

    Does it mean that it authenticates twice, once in transport and once in message? Also, is the authentication done for every call to the WCF service? Would there be a great performance impact when using this type of authentication in an intranet WCF service?

    Thank you

    Monday, March 31, 2014 3:58 AM

Answers

  • Hi,

    For question 1:
    When the system-provided bindings are configured to use message security, WCF automatically uses secure sessions.
    When a secure session is established, the client and the service cache the key that is associated with the secure session. As the messages are exchanged, only an identifier to the cached key is exchanged. If the Web server is recycled, the cache is also recycled, such that the Web server cannot retrieve the cached key for the identifier. If this happens, an exception is thrown back to the client. Secure sessions that use a stateful security context token (SCT) can survive a Web server being recycled. For more information about using a stateful SCT in a secure session, please see How to: Create a Security Context Token for a Secure Session.

    For question 2:
    When using Windows authentication, the client will use a token that represents the identity of the logged-in user.
    Transport-level security is faster than message-level security, because message-level security encrypts and signs every message. However, transport-level security is protocol-dependent and has limited security support. Message-level security, while slower, provides end-to-end security.

    For question 3:
    I am not sure what you mean. But as my first reply said in question 1, when the system-provided bindings are configured to use message security, WCF automatically uses secure sessions.

    For question 4:
    When the TransportWithMessageCredential security mode is configured, the transport security is used to provide confidentiality and integrity for the transmitted messages and to perform the service authentication. However, the client authentication is performed by putting the client credential directly in the message. This allows you to use any credential type that is supported by the message security mode for the client authentication while keeping the performance benefit of transport security mode.
    In one word, client authentication is provided at the message level, and message protection and service authentication are provided at the transport level.

    Best Regards,
    Amy Peng



    Tuesday, April 1, 2014 6:31 AM
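The thread's central question is whether credential validation runs once per secure session or once per call, and the answer describes both Message security and TransportWithMessageCredential without giving a way to check. The C# below is an added example, not code from the thread or from Microsoft: it hosts a small service on each of the two netTcpBinding modes discussed, sends a fixed number of calls over one client channel and counts how many times the server asked to validate the client credential. Because Windows credentials are validated inside SSPI with no hook to count, the example substitutes the UserName message credential and a custom UserNamePasswordValidator; the binding shapes are otherwise those from the question. Assumed (not on the page): port 8731 is free, and a certificate with subject name "localhost" is installed in LocalMachine\My on the service side and in Trusted People on the client side. The constructed user name "demo" and password "demo-password" are placeholders.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;

// Counts how often WCF asks the service to validate a client credential, so
// "once per secure session" versus "once per call" can be measured per binding.
public class CountingValidator : UserNamePasswordValidator
{
    private int _validations;
    public int Validations => Volatile.Read(ref _validations);

    public override void Validate(string userName, string password)
    {
        Interlocked.Increment(ref _validations);
        // Constructed credential check; a real validator would consult AD or a store.
        if (userName != "demo" || password != "demo-password")
            throw new FaultException("Unknown user name or incorrect password.");
    }
}

[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text) => text;
}

public static class SecuritySessionProbe
{
    // Message security over TCP: WCF establishes a secure session automatically,
    // so validation is expected at session setup rather than on every call.
    public static NetTcpBinding MessageSecurityBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return binding;
    }

    // The mode from question 4: transport protects the stream and authenticates
    // the service; the client credential travels inside the message.
    public static NetTcpBinding TransportWithMessageCredentialBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return binding;
    }

    // Hosts EchoService on the given binding, sends `calls` requests over one
    // client channel and returns how many times the validator ran.
    public static int CountValidations(NetTcpBinding binding, int calls)
    {
        var address = new Uri("net.tcp://localhost:8731/echo"); // assumed free port
        var validator = new CountingValidator();

        using (var host = new ServiceHost(typeof(EchoService), address))
        {
            host.AddServiceEndpoint(typeof(IEcho), binding, "");
            // Assumed: a "localhost" certificate in LocalMachine\My.
            host.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.LocalMachine, StoreName.My,
                X509FindType.FindBySubjectName, "localhost");
            host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
                UserNamePasswordValidationMode.Custom;
            host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = validator;
            host.Open();

            var endpoint = new EndpointAddress(address, EndpointIdentity.CreateDnsIdentity("localhost"));
            var factory = new ChannelFactory<IEcho>(binding, endpoint);
            factory.Credentials.UserName.UserName = "demo";
            factory.Credentials.UserName.Password = "demo-password";
            // Assumed: the same certificate is in the client's Trusted People store.
            factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
                X509CertificateValidationMode.PeerTrust;

            IEcho proxy = factory.CreateChannel();
            for (int i = 0; i < calls; i++)
                proxy.Echo("ping " + i);
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
        return validator.Validations;
    }

    public static void Main()
    {
        const int calls = 10;
        Console.WriteLine("Message security:               {0} validations for {1} calls",
            CountValidations(MessageSecurityBinding(), calls), calls);
        Console.WriteLine("TransportWithMessageCredential: {0} validations for {1} calls",
            CountValidations(TransportWithMessageCredentialBinding(), calls), calls);
    }
}
```

Read the output per binding: a count of 1 for 10 calls means the credential was validated when the session was set up and the cached session key covered the remaining calls; a count of 10 means every call carried and validated the credential. Each client channel is its own session, so opening a new ChannelFactory or channel per call would raise the count even on a binding that uses secure sessions, which is usually the real cause of "authentication on every call" in intranet deployments.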