Secure message without certificate on client side

  • Question

  • Hi;

    I have a self-hosted WCF service and an ASP.NET application as a client.
    The idea here is to have secure messages between service and client without installing a certificate on the client side.
    So, in the service configuration file I have:

          <service name="MyCompany.Services.CustomerService"
                   behaviorConfiguration="InternetServiceBehavior">
            <endpoint name="wsHttpBindingFTP" address="cs" binding="wsHttpBinding"
                      bindingConfiguration="InternetBindingConfiguration"
                      contract="MyCompany.Services.ICustomerService" />
            <host>
              <baseAddresses>
                <add baseAddress="http://localhost:8085/" />
              </baseAddresses>
            </host>
          </service>

          <bindings>
            <wsHttpBinding>
              <binding name="InternetBindingConfiguration">
                <security mode="Message">
                  <message clientCredentialType="UserName"/>
                </security>
              </binding>
            </wsHttpBinding>
          </bindings>

          <behaviors>
            <serviceBehaviors>
              <behavior name="InternetServiceBehavior">
                <serviceCredentials>
                  <serviceCertificate findValue="mycompany.com" storeLocation="LocalMachine"
                                      x509FindType="FindBySubjectName" storeName="My" />
                  <userNameAuthentication userNamePasswordValidationMode="Custom"
                                          customUserNamePasswordValidatorType="MyCompany.Services.UserValidator, MyCompany.Services.Tools"/>
                </serviceCredentials>
                <serviceAuthorization principalPermissionMode="None" />
                <serviceMetadata/>
                <serviceDebug includeExceptionDetailInFaults="true"/>
              </behavior>
            </serviceBehaviors>
          </behaviors>


    And here is how I pass the username and password on the client side:

     Dim acc As New MyServiceReference.CustomerAccount
     Dim myClient As New MyServiceReference.MyServiceClient("wsHttpBindingFTP")
            
     myClient.ClientCredentials.UserName.UserName = "MyUsername"
     myClient.ClientCredentials.UserName.Password = "MyPassword"
     acc = myClient.GetAccountByName("john")
    
    


    Is it enough to establish a secure communication between client and service?
    I need the messages to be secure, but I also need it simple, because some clients will be deployed on machines where we don't have access to install certificates.
    I was also trying to avoid a certificate on the service side as well, but I believe it's not possible.

    One more thing: is there a way I can "watch" the raw XML messages sent and received by the service to make sure they are encrypted?
    Thanks in advance.

    • Edited by CodeMaster2008 Friday, August 28, 2009 1:33 PM format code
    Friday, August 28, 2009 1:27 PM

Answers

  • Hi CodeMaster,

    Yes, netTcp is not quite good for bypassing firewalls over the internet.

    As for the certificate configuration at the client side when you use usernameAuthentication at the message layer, it is actually a certificate which contains the public key info of the service certificate. Generally, if the client can install such a public-key-only certificate, you can just use <certificateReference> to identify that certificate. However, WCF provides another means for you to specify such a service certificate identity, that is, to use an encodedValue in an <identity> element (for an endpoint):

    <identity>
      <certificate encodedValue="...." />
    </identity>
    And when you use Visual Studio (Add Service Reference) to generate the client proxy, such an identity (with the encodedValue of the service certificate) will be automatically generated for you. That can release you from adding the certificate into the client machine's certificate store.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    • Marked as answer by CodeMaster2008 Friday, September 4, 2009 3:54 PM
    Friday, September 4, 2009 3:43 AM
    Moderator
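    The encodedValue in the answer above is just the service's public certificate in base64 DER form, which is exactly what "Add Service Reference" pastes into the client config. The script below is an added example, not code from the thread: it derives that value from a Base-64 exported .cer file, emits the matching client-side configuration (wsHttpBinding with Message/UserName security and the <identity> element, using the "cs" endpoint under http://localhost:8085/ from the question), and computes the SHA-1 thumbprint so the pinned value can be compared against the service certificate before the config is trusted. SAMPLE_PEM is a constructed placeholder around arbitrary bytes, not a real certificate, and the contract name MyServiceReference.ICustomerService is assumed.

```python
# Added example, not from the original thread. Turns a service certificate
# exported as Base-64 .cer into the encodedValue used by
# <identity><certificate encodedValue="..."/></identity>, builds the client
# configuration around it, and exposes the SHA-1 thumbprint for comparison.
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder: arbitrary bytes standing in for a DER X.509
# certificate so the script runs offline. Not a real certificate.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER-encoded X.509 cert"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and decode the base64 body back to DER bytes."""
    body = "".join(
        line.strip()
        for line in pem_text.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def der_to_encoded_value(der: bytes) -> str:
    """encodedValue is the base64 of the DER certificate on a single line,
    i.e. the PEM body with its line breaks removed."""
    return base64.b64encode(der).decode("ascii")


def thumbprint(encoded_value: str) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the same value the Windows
    certificate MMC snap-in shows as 'Thumbprint' for the service cert."""
    return hashlib.sha1(base64.b64decode(encoded_value)).hexdigest().upper()


def build_client_config(encoded_value: str, address: str, contract: str,
                        endpoint_name: str = "wsHttpBindingFTP",
                        binding_config: str = "InternetBindingConfiguration") -> str:
    """Emit the <system.serviceModel> block for the client app.config/web.config.
    The binding mirrors the service side (Message security, UserName credential);
    the <identity> pins the service certificate so no store install is needed."""
    model = ET.Element("system.serviceModel")
    bindings = ET.SubElement(model, "bindings")
    ws = ET.SubElement(bindings, "wsHttpBinding")
    binding = ET.SubElement(ws, "binding", {"name": binding_config})
    security = ET.SubElement(binding, "security", {"mode": "Message"})
    ET.SubElement(security, "message", {"clientCredentialType": "UserName"})
    client = ET.SubElement(model, "client")
    endpoint = ET.SubElement(client, "endpoint", {
        "name": endpoint_name,
        "address": address,
        "binding": "wsHttpBinding",
        "bindingConfiguration": binding_config,
        "contract": contract,
    })
    identity = ET.SubElement(endpoint, "identity")
    ET.SubElement(identity, "certificate", {"encodedValue": encoded_value})
    return ET.tostring(model, encoding="unicode")


def pinned_thumbprint_from_config(config_xml: str) -> str:
    """Read the encodedValue back out of a client config and return its
    thumbprint, so an existing config can be checked against the service."""
    root = ET.fromstring(config_xml)
    cert = root.find("./client/endpoint/identity/certificate")
    if cert is None or not cert.get("encodedValue"):
        raise ValueError("no <identity><certificate encodedValue> in config")
    return thumbprint(cert.get("encodedValue"))


if __name__ == "__main__":
    encoded = der_to_encoded_value(pem_to_der(SAMPLE_PEM))
    config = build_client_config(
        encoded, "http://localhost:8085/cs",
        "MyServiceReference.ICustomerService")  # assumed proxy contract name
    print(config)
    print("pinned service cert thumbprint:", pinned_thumbprint_from_config(config))
```

    Compare the printed thumbprint with the one shown for the "mycompany.com" certificate on the service machine; a mismatch means the client would be trusting some other key for message encryption.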

All replies

  • Hi,

    Your code and service configuration are OK... however, you still require a client certificate to be installed on the machine where the ASP.NET application is hosted.
    If not, you won't be able to communicate with the service.

    Doing that will be enough to support authentication, authorization, confidentiality and integrity in your client-service communication.
    To see the messages you may use some tool like Fiddler.

    Regards,
    Rodrigo.
    Friday, August 28, 2009 2:00 PM
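    Once the traffic has been captured with a proxy such as Fiddler, the question is what to look for in the envelope. The script below is an added example, not code from this thread: it parses a saved SOAP 1.2 envelope and reports whether the Body consists only of xenc:EncryptedData and whether a wsse:Password element is readable in the Security header. The two envelopes embedded in it are constructed samples with the cipher text shortened to "...", not real captures from the poster's service.

```python
# Added example, not from the original thread. Inspects captured SOAP 1.2
# envelopes (e.g. saved from Fiddler) and reports whether the body is
# encrypted and whether the UsernameToken password is visible in clear text.
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "e": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample: the outline of a wsHttpBinding Message/UserName request.
# The UsernameToken is itself encrypted (the EncryptedData in the header) and
# the whole Body is replaced by EncryptedData; cipher text shortened to "...".
ENCRYPTED_SAMPLE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
  <s:Header>
    <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:e="http://www.w3.org/2001/04/xmlenc#">
      <e:EncryptedKey><e:CipherData><e:CipherValue>...</e:CipherValue></e:CipherData></e:EncryptedKey>
      <e:EncryptedData Id="_1"><e:CipherData><e:CipherValue>...</e:CipherValue></e:CipherData></e:EncryptedData>
    </o:Security>
  </s:Header>
  <s:Body>
    <e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="_2"
                     Type="http://www.w3.org/2001/04/xmlenc#Content">
      <e:CipherData><e:CipherValue>...</e:CipherValue></e:CipherData>
    </e:EncryptedData>
  </s:Body>
</s:Envelope>"""

# Constructed sample: the same call sent unprotected, credentials and
# operation readable by anyone on the path.
PLAINTEXT_SAMPLE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
  <s:Header>
    <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:UsernameToken>
        <o:Username>MyUsername</o:Username>
        <o:Password>MyPassword</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <GetAccountByName xmlns="http://tempuri.org/"><name>john</name></GetAccountByName>
  </s:Body>
</s:Envelope>"""


def inspect_envelope(xml_text: str) -> dict:
    """Classify one captured envelope; returns booleans plus a short verdict."""
    root = ET.fromstring(xml_text)
    body = root.find("s:Body", NS)
    header = root.find("s:Header", NS)
    enc_data = "{%s}EncryptedData" % NS["e"]

    # The Body only counts as encrypted when every child is EncryptedData;
    # a partially encrypted body still leaks the parts left in the clear.
    body_children = list(body) if body is not None else []
    body_encrypted = bool(body_children) and all(c.tag == enc_data for c in body_children)
    unencrypted_body_elements = [c.tag for c in body_children if c.tag != enc_data]

    security = header.find("o:Security", NS) if header is not None else None
    has_encrypted_key = security is not None and security.find("e:EncryptedKey", NS) is not None

    # An encrypted UsernameToken is opaque cipher text, so any wsse:Password
    # element that parses as XML is a credential sent in the clear.
    plaintext_password = security is not None and security.find(".//o:Password", NS) is not None

    if plaintext_password:
        verdict = "EXPOSED: password readable in Security header"
    elif not body_encrypted:
        verdict = "EXPOSED: body not (fully) encrypted"
    else:
        verdict = "protected: body encrypted, no clear-text credential"

    return {
        "body_encrypted": body_encrypted,
        "unencrypted_body_elements": unencrypted_body_elements,
        "has_encrypted_key": has_encrypted_key,
        "plaintext_password": plaintext_password,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("message-security", ENCRYPTED_SAMPLE), ("unprotected", PLAINTEXT_SAMPLE)):
        print(label, "->", inspect_envelope(sample)["verdict"])
```

    With Message security the capture should show only EncryptedKey/EncryptedData elements and an opaque CipherValue where the token and body used to be; if Username, Password or the operation name are readable, the binding is not doing what the config intended.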
  • So, the only way out would be using transport-level security (SSL)?
    Because we don't have control over the client machines.
    What we are trying to accomplish here is an API that can be accessed by ASP.NET applications deployed on shared hosting, but we don't want to send the credentials and messages as plain text.
    Friday, August 28, 2009 5:28 PM
  • Yes, the alternative would be SSL in this case.... however, remember that SSL provides point-to-point security, so I'm not sure it is even possible in your scenario.

    Regards,
    Rodrigo.

    Friday, August 28, 2009 5:37 PM
  • Hi CodeMaster,

    I agree that transport security over HTTPS will help for your case where client-side certificate installation is not possible.

    Also, since you're using self-hosting for the service, is it possible for you to use netTcpBinding instead? If so, you can configure netTcpBinding to support transport-layer security quite conveniently.

    #How to: Use netTcpBinding with Windows Authentication and Transport Security in WCF Calling from Windows Forms
    http://msdn.microsoft.com/en-us/library/cc949091.aspx
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Wednesday, September 2, 2009 4:30 AM
    Moderator
  • Hi CodeMaster,

    There is only one situation in which you need not create a certificate and can still have the data encrypted automatically:
    your client and WCF service use Windows Authentication with netTcpBinding, no matter whether the transport or message security model is used.

    Regards
    Frank Xu Lei -- Stay humble, stay hungry to learn
    Focus on Distributed Applications Development and EAI based on .NET
    Welcome to My Chinese Technical Blog
    Welcome to Microsoft Chinese WCF Forum
    Welcome to Microsoft English WCF Forum
    Wednesday, September 2, 2009 10:34 AM
  • Hi Frank;

    Thanks for the tip. Really helpful.
    I just read (don't remember where) that netTcpBinding is not a good choice to connect to machines outside the firewall (internet).

    Regarding rfreire's post, he said I need certificates on both sides, server and client, to get the messages encrypted.
    I did a test with a certificate on the server side only and the messages look encrypted to me. Is that because I'm running client and server on the same machine (test environment)? Or does it really work like that, with a certificate on the server side only and just the public key in the client config?
    Wednesday, September 2, 2009 3:35 PM
  • Hi CodeMaster,
    1. Yes, if you want to expose your WCF service on the internet, you cannot use netTcpBinding.
       You can try another binding like WSHttpBinding; it supports the WS-Security specifications.
    2. For message security there are several cases for the client credential.
       When you set the client credential to Certificate, you need to create a certificate for the client.
       For the others you need not.

       But at least you should make a certificate for the server.

    Regards
    Frank Xu Lei
    Thursday, September 3, 2009 5:28 AM
  • "As for the certificate configuration at the client side when you use usernameAuthentication at the message layer, it is actually a certificate which contains the public key info of the service certificate [...] And when you use Visual Studio (Add Service Reference) to generate the client proxy, such an identity (with the encodedValue of the service certificate) will be automatically generated for you. That can release you from adding the certificate into the client machine's certificate store."
    Now I finally got it.
    Thanks a lot guys. Very helpful.
    Friday, September 4, 2009 3:53 PM