netMsmqBinding with transport security in WCF

  • Question

  • Are the two security configurations below equivalent for netMsmqBinding in WCF? If not, what is the difference?

    1. <security mode="None"></security>
    2. <security mode="Transport">
      <transport msmqAuthenticationMode="None" msmqProtectionLevel="None" />
      </security>

    Is the message encrypted in transmission when the second option is used and the service is hosted in IIS with SSL?

    Sunday, December 11, 2016 2:39 PM

All replies

  • Hi Krishna,

    >> Are below two security configurations equivalent for netMsmqBinding in WCF? If not, what is the difference?

    They are different. There is no security for the first option. Transport security is used for the second option; it does not provide any client authentication and does not need to sign the data. You need to enable SSL for the second option.

    >> Is message encrypted in transmission when second option is used and service is hosted in IIS with SSL?

    Yes, it is encrypted. When sending queued messages using WCF with NetMsmqBinding, the WCF message is attached as the body of the MSMQ message. Transport security secures the entire MSMQ message (MSMQ message headers or properties and the message body). Because it is the body of the MSMQ message, using transport security also secures the WCF message. If you set None for msmqAuthenticationMode and msmqProtectionLevel, the WCF message will not contain authentication and will not be signed, but the MSMQ message is secured.

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, December 12, 2016 6:22 AM
  • Thank you for your response. I have one more question regarding the second option.

    When we use the second option and SSL is enabled, does it matter which direct format name we are using for the message to be encrypted in transmission?

    If possible, can you please share a diagrammatic illustration of how the MSMQ message is sent from client to server when we use the second option with the direct format name as OS and the MSMQ server is different from the server hosting the WCF service with SSL? It would be great if you could illustrate how the message is transmitted between client, transmission queue, target queue and WCF service, and from where to where the message is encrypted, similar to the illustration below in MSDN.

    https://i-msdn.sec.s-msft.com/dynimg/IC107436.jpeg

    Tuesday, December 13, 2016 7:26 PM
  • Hi Krishna,

    As I understand it, the direct format name is used to address MSMQ queues. We provide a WCF URI-based queue address, and the queued channel handles mapping the net.msmq URI name provided to the channel to MSMQ format names. I think it would not affect the encryption; it is the address for the WCF service.

    #Mapping net.msmq URI to Message Queuing Format Names

    https://msdn.microsoft.com/en-us/library/ms789025(v=vs.110).aspx

    Best Regards,

    Edward



    Wednesday, December 14, 2016 6:46 AM
  • Hi Edward,

    Thanks again for your response. I am still confused about how the message is encrypted from the transmission queue to the target queue when msmqProtectionLevel="None" and the service is hosted in IIS with SSL.

    In one of the WCF books it is mentioned that the protection level is the master switch for transport protection and that when it is set to "None", WCF does not protect the message on transfer from the client to the service. Any malicious party can read the content of the message, or even alter it.

    One more thing: when we add a service reference using Visual Studio, the security mode in the client config file is configured as None. Why does the config file generated by Visual Studio on the client not match the service config file?

    Wednesday, December 14, 2016 6:50 PM
  • Hi Krishna,

    Thanks for more information.

    Could you share with us which book mentioned that? After checking in depth, it seems ProtectionLevel for MSMQ is a little different.

    According to Understanding Protection Level, when the security mode is set to Transport, the entire message is protected by the transport mechanism. Therefore, setting a separate protection level for different parts of a message has no effect.

    Based on the source code of MsmqTransportSecurity, the Enabled property depends on MsmqAuthenticationMode and msmqProtectionLevel. I had something wrong in my original post. For these two options, both of them will return False for Enabled of MsmqTransportSecurity.

    Based on Source code of NetMsmqSecurity, NetMsmqSecurity will return mode as UnifiedSecurityMode.None | UnifiedSecurityMode.Message if msmq.MsmqTransportSecurity.Enabled is false, so the Transport Security will be None.

    In conclusion, these options are the same.

    Best Regards,

    Edward



    • Marked as answer by Krishna Enugu Thursday, December 15, 2016 8:11 PM
    Thursday, December 15, 2016 3:35 AM
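
An added example (not code from this thread or from WCF itself) that applies the accepted answer's reasoning to a config file and reports the effective MSMQ transport protection of each netMsmqBinding. The rule in `transport_enabled` is an assumed model of the `Enabled` property the answer describes; the function names, binding names and sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Documented WCF defaults, applied when an element or attribute is omitted.
DEFAULT_MODE, DEFAULT_AUTH, DEFAULT_PROTECTION = "Transport", "WindowsDomain", "Sign"

# Constructed sample: options 1 and 2 from the question plus a protected binding.
SAMPLE_CONFIG = """
<configuration><system.serviceModel><bindings><netMsmqBinding>
  <binding name="option1"><security mode="None"></security></binding>
  <binding name="option2">
    <security mode="Transport">
      <transport msmqAuthenticationMode="None" msmqProtectionLevel="None" />
    </security>
  </binding>
  <binding name="protected">
    <security mode="Transport">
      <transport msmqAuthenticationMode="WindowsDomain" msmqProtectionLevel="EncryptAndSign" />
    </security>
  </binding>
</netMsmqBinding></bindings></system.serviceModel></configuration>
"""

def transport_enabled(auth, protection):
    # Assumption: the answer only says Enabled depends on both settings;
    # modelled here as true only when neither setting is None.
    return auth != "None" and protection != "None"

def audit_netmsmq(config_xml):
    """Return {binding name: effective MSMQ transport protection}."""
    report = {}
    for b in ET.fromstring(config_xml).findall(".//netMsmqBinding/binding"):
        security = b.find("security")
        mode = DEFAULT_MODE if security is None else security.get("mode", DEFAULT_MODE)
        transport = None if security is None else security.find("transport")
        attrs = {} if transport is None else transport.attrib
        auth = attrs.get("msmqAuthenticationMode", DEFAULT_AUTH)
        protection = attrs.get("msmqProtectionLevel", DEFAULT_PROTECTION)
        if mode not in ("Transport", "Both") or not transport_enabled(auth, protection):
            effective = "none"              # options 1 and 2 both land here
        elif protection == "EncryptAndSign":
            effective = "signed+encrypted"
        else:
            effective = "signed-only"       # Sign gives integrity, not secrecy
        report[b.get("name", "(default)")] = effective
    return report

if __name__ == "__main__":
    for name, effective in audit_netmsmq(SAMPLE_CONFIG).items():
        print(f"{name}: MSMQ transport protection = {effective}")
```
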
  • Hi Edward,

    It was mentioned in the Programming WCF Services book by Juval Lowy (Chapter 10: Security, Page No. 536).

    Monday, January 16, 2017 4:12 PM