Turning off complete encryption for WCF

  • Question

  • I have F5/Big-IP in between client and server where WCF is configured for transport and message encryption. I want to turn off both encryptions so that F5 can do SSL offloading. However, I need Windows credentials with the message. How do I configure WCF?

    Thanks,

    Apastambha


    SP

    Tuesday, July 8, 2014 9:14 AM

Answers

  • Hi,

    By default, all secure WCF bindings will encrypt and sign messages. It can be disabled for “Message Security” by using the “Protection-level settings”, which are controlled by the contract.
    It can be specified for all operations in the service contract using “ServiceContractAttribute”.
    The following example illustrates disabling encryption for message security.

    using System.Net.Security;   // ProtectionLevel
    using System.ServiceModel;   // ServiceContract, OperationContract

    [ServiceContract(Name="HelloIndigoContract", Namespace="http://www.example.com/examples",
        ProtectionLevel=ProtectionLevel.Sign)]
    public interface IHelloIndigoService
    {
        [OperationContract]   // required for the method to be exposed; inherits Sign
        string HelloIndigo(string inputString);
    }

    For more granular control, you can also indicate message protection per operation using the “OperationContractAttribute”.

    [ServiceContract(Name="HelloIndigoContract",
        Namespace="http://www.example.com/examples")]
    public interface IHelloIndigoService
    {
        // Signed but not encrypted; applies to this operation only.
        [OperationContract(ProtectionLevel=ProtectionLevel.Sign)]
        string HelloIndigo(string inputString);
    }

    The following are the kinds of Protection Level Options:

    None: Disables message protection

    Sign: Indicates message should be signed but not encrypted

    EncryptAndSign: Provides full message protection and is the default behavior.

    For more information, please check the following:
    Understanding Protection Level: http://msdn.microsoft.com/en-us/library/aa347692(v=vs.110).aspx
    http://joginipally.blogspot.in/2008/05/fundamentals-of-wcf-security-part-two_08.html

    Best Regards,
    Amy Peng





    Wednesday, July 9, 2014 3:04 AM
    Moderator
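
An added example, not part of the reply above or of any Microsoft sample: a build-time check that lists every operation whose effective protection level is below EncryptAndSign, so a contract-level downgrade like the one shown is a recorded decision rather than a silent one. It assumes .NET Framework with a reference to System.ServiceModel; `HelloSecret` and `ProtectionLevelAudit` are hypothetical names, and message-contract-level settings are not inspected.

```csharp
// Added example; assumes .NET Framework with a reference to System.ServiceModel.
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract(Name = "HelloIndigoContract",
    Namespace = "http://www.example.com/examples",
    ProtectionLevel = ProtectionLevel.Sign)]
public interface IHelloIndigoService
{
    [OperationContract]                      // inherits Sign from the contract
    string HelloIndigo(string inputString);

    // Hypothetical second operation that keeps full protection.
    [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    string HelloSecret(string inputString);
}

public static class ProtectionLevelAudit
{
    // Returns one finding per operation whose effective level is below EncryptAndSign.
    public static List<string> Findings(Type contractType)
    {
        var findings = new List<string>();
        ContractDescription contract = ContractDescription.GetContract(contractType);
        foreach (OperationDescription op in contract.Operations)
        {
            // The operation's setting wins, then the contract's, then the default.
            ProtectionLevel effective =
                op.HasProtectionLevel ? op.ProtectionLevel :
                contract.HasProtectionLevel ? contract.ProtectionLevel :
                ProtectionLevel.EncryptAndSign;
            if (effective != ProtectionLevel.EncryptAndSign)
                findings.Add(contract.Name + "." + op.Name + ": " + effective);
        }
        return findings;
    }

    public static int Main()
    {
        List<string> findings = Findings(typeof(IHelloIndigoService));
        findings.ForEach(Console.WriteLine);
        return findings.Count == 0 ? 0 : 1;  // non-zero exit fails a build step
    }
}
```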

All replies

  • Thanks for the quick response. On another occasion, if I want to make it interoperable with a non-Windows web service where transport-level encryption has to be turned off, how do I configure WCF?

    Thanks,

    Apastambha


    SP

    Thursday, July 10, 2014 12:10 PM
  • I am wondering whether it may turn off the credentials, where I still need to send WS-I user or certificate credentials without encryption. The encryption is handled by the infrastructure with HTTPS.


    SP



    • Edited by Apastambha Monday, July 14, 2014 6:32 PM
    Monday, July 14, 2014 6:31 PM
  • Hi,

    If we use a transport binding like the netTcpBinding, then we can also use the ProtectionLevel to turn off encryption, but we can only set it in the config file as follows:

    <netTcpBinding>
      <binding name="BindingConfiguration">
        <security mode="Transport">
          <!-- protectionLevel is one of None, Sign or EncryptAndSign -->
          <transport protectionLevel="Sign"/>
        </security>
      </binding>
    </netTcpBinding>

    Then for the other bindings like wsHttpBinding or basicHttpBinding, we cannot set the ProtectionLevel in the transport mode, so maybe we have to use the following:

    <security mode="Transport">
      <transport clientCredentialType="None"></transport>
    </security>

    For more information, please try to refer to:
    http://blog.adilakhter.com/2009/08/06/wcf-security-wcf-performance-protectionlevel-part-1/ .

    Best Regards,
    Amy Peng






    Tuesday, July 15, 2014 10:41 AM
    Moderator
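
An added example, not part of the reply above: a configuration check that flags the binding settings discussed in this thread (a transport `protectionLevel` below EncryptAndSign, `clientCredentialType="None"`, and `security mode="None"`) so they can be reviewed before deployment. The sample configuration is constructed from the two fragments in the reply; `OffloadedBinding` and `BindingAudit` are hypothetical names.

```csharp
// Added example; uses only System.Xml.Linq, no WCF reference needed.
using System;
using System.Collections.Generic;
using System.Xml.Linq;

public static class BindingAudit
{
    // Constructed sample built from the two fragments in the reply above.
    const string SampleConfig = @"
<bindings>
  <netTcpBinding>
    <binding name='BindingConfiguration'>
      <security mode='Transport'><transport protectionLevel='Sign'/></security>
    </binding>
  </netTcpBinding>
  <wsHttpBinding>
    <binding name='OffloadedBinding'>
      <security mode='Transport'><transport clientCredentialType='None'/></security>
    </binding>
  </wsHttpBinding>
</bindings>";

    public static List<string> Findings(string configXml)
    {
        var findings = new List<string>();
        foreach (XElement binding in XDocument.Parse(configXml).Descendants("binding"))
        {
            string id = binding.Parent.Name.LocalName + "/" + (string)binding.Attribute("name");
            XElement security = binding.Element("security");
            if (security == null) continue;   // defaults depend on the binding type; not checked here
            if ((string)security.Attribute("mode") == "None")
                findings.Add(id + ": security mode None");
            XElement transport = security.Element("transport");
            if (transport == null) continue;
            string level = (string)transport.Attribute("protectionLevel");
            if (level != null && level != "EncryptAndSign")
                findings.Add(id + ": transport protectionLevel " + level);
            if ((string)transport.Attribute("clientCredentialType") == "None")
                findings.Add(id + ": transport clientCredentialType None");
        }
        return findings;
    }

    public static int Main()
    {
        List<string> findings = Findings(SampleConfig);
        findings.ForEach(Console.WriteLine);
        return findings.Count == 0 ? 0 : 1;   // non-zero exit fails a pipeline step
    }
}
```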
  • Thanks for the response, Amy. My requirement is to turn off Encryption completely with wsHttpBinding, having "username" or "certificate" credentials. Option "None" is turning off security completely and is not sending credentials. Please advise.

    Thanks once again,

    Apastambha


    SP

    Saturday, July 19, 2014 10:20 AM
  • Hi,

    >> My requirement is to turn off Encryption completely with wsHttpBinding, having "username" or "certificate" credentials. Option "None" is turning off security completely and is not sending credentials. Please advise.

    I am sorry for the late reply. Then maybe you will need to use the wsHttpBinding with the message security mode, then turn off Encryption as in my first reply by using the “Protection-level settings”.

    Best Regards,
    Amy Peng



    Wednesday, July 30, 2014 5:58 AM
    Moderator