How to specify encryption in custom binding for "username" (non-Windows) authentication without X509 certificate?

  • Question

  • After much trial and error I got the following custom binding for "username" (i.e., non-Windows) authentication without an X509 certificate to work.

    But to my surprise, Fiddler2 shows the messages contain the username and password in clear text! So I changed allowInsecureTransport to false, and then I get binding errors...

    What am I missing?

    Thanks!

    DadCat

     

    <customBinding>
      <binding name="myCustomBindingConfig" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="infinite" sendTimeout="00:01:00">
        <reliableSession ordered="true" inactivityTimeout="infinite" />
        <security authenticationMode="UserNameOverTransport"
                  messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                  allowInsecureTransport="true" />
        <textMessageEncoding messageVersion="Soap12WSAddressing10">
          <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="163840" maxBytesPerRead="40960" maxNameTableCharCount="163840" />
        </textMessageEncoding>
        <httpTransport maxBufferSize="2147483647" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647" />
      </binding>
    </customBinding>

    Thursday, February 2, 2012 5:18 PM
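
Added example, not part of the original post or of any reply: the binding from the question with transport protection enabled. `UserNameOverTransport` carries the username token in the SOAP header and relies on the transport for confidentiality, so the sketch pairs it with `httpsTransport` and sets `allowInsecureTransport` to false. Assumptions: the endpoint is published at an `https://` address and the host has a TLS server certificate bound to it; the binding name `myCustomBindingSecure` is hypothetical.

```xml
<!-- Added example built from the binding in the question; not the poster's configuration. -->
<customBinding>
  <!-- "myCustomBindingSecure" is a hypothetical name chosen for this example. -->
  <binding name="myCustomBindingSecure" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="infinite" sendTimeout="00:01:00">
    <reliableSession ordered="true" inactivityTimeout="infinite" />
    <!-- allowInsecureTransport="false" (the default) makes WCF reject the binding
         when the transport element cannot provide confidentiality and integrity. -->
    <security authenticationMode="UserNameOverTransport"
              messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
              allowInsecureTransport="false" />
    <textMessageEncoding messageVersion="Soap12WSAddressing10">
      <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="163840" maxBytesPerRead="40960" maxNameTableCharCount="163840" />
    </textMessageEncoding>
    <!-- httpsTransport replaces httpTransport, so the username token travels inside TLS.
         Assumption: the service address uses https:// and a server certificate is bound to that port. -->
    <httpsTransport maxBufferSize="2147483647" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647" />
  </binding>
</customBinding>
```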

Answers