WCF security with confidentiality using certificates and windows authentication

  • Question

  • Hi,

    I have a requirement for WCF security, where I need confidentiality using certificates and authentication using Windows authentication. Windows authentication will help me with authorisation against configured user groups. I'm using NetTCP binding.

    At the client side I don't want to supply any certificate; instead it should be picked from the local m/c trusted root.

    Also, I'm finding that WCF security on MSDN lacks essential documentation.

    Please help, Thanks in advance.

    Regards,

    Rahul

    Monday, November 27, 2017 9:12 AM

All replies

  • Hi Rahul,

    Based on your requirement, Windows is used for Authentication. Do you want to secure the Transport by the certificate or secure the Message by the certificate?

    If you need Windows Authentication and Transport Security, you could refer to the link below:

    # How to: Use netTcpBinding with Windows Authentication and Transport Security in WCF Calling from Windows Forms

    https://msdn.microsoft.com/en-us/library/ff647180.aspx?f=255&MSPPError=-2147217396

    If you need Windows Authentication and Message Security, you could refer to the link below:

    # How to: Use netTcpBinding with Windows Authentication and Message Security in WCF Calling from Windows Forms

    https://msdn.microsoft.com/en-us/library/ff648534.aspx

    Best Regards,

    Tao Zhou


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, November 28, 2017 5:51 AM
  • Hi Tao Zhou,

    Thanks for your response. As per my requirement, as mentioned:

    >>At client side I don't want to supply any certificate instead it should be picked from local m/c trusted root.

    I don't have certificate information to supply at the client side, and the idea is that at the client side WCF should pick it from the trusted root without specifying anything explicitly.

    Just for your reference, if you put this in and try it out yourself.
    At server side:

    serviceHost.Credentials.ServiceCertificate.SetCertificate(certificate);

    // Transport security with the service certificate; the client sends no credentials
    binding.Security = new NetTcpSecurity {
        Mode = SecurityMode.Transport,
        Transport = { ClientCredentialType = TcpClientCredentialType.None }
    };

    and at client side: 

    Do not provide any certificate then WCF with similar binding, WCF will pick from trust root.

    I want the same behaviour, but I also want my authorisation logic to work. Since we set TcpClientCredentialType.None, no information is passed to the server; that's the reason Windows authorisation is not working.

    That's why I mentioned it, and it must be handled in the transport layer itself.

     >> I need confidentiality using the certificates and authentication using Windows authentication

    I hope my requirement is clear this time; in case other details are required, please let me know.

    Thanks in advance.

    Regards,

    Rahul


    Wednesday, November 29, 2017 1:53 PM
  • Hi Rahul,

    Why did you change ClientCredentialType from Windows to None? If you need Windows Authentication, you should use Windows option instead of None.

    For the first link from my above reply, it will enable Windows Authentication, and for certificate, it will follow HTTPS Transport security process to secure your message by Transport.

    Best Regards,

    Tao Zhou



    Thursday, November 30, 2017 2:26 AM
  • Hi Tao Zhou,

    Thanks for your response. As I mentioned,

    R>>Do not provide any certificate then WCF with similar binding, WCF will pick from trust root.

    I'm using netTCP binding. I want WCF at the client side to pick the certificate from the trusted root store without explicitly supplying the certificate details. This is similar to other web frameworks, where you just attach the certificate to the port of the server and start the HTTPS-based communication, and the client certificate just needs to be there in the client-side trusted root certificate store. My motive for this activity is to align netTCP with the other areas of the application which are non-WCF.

    To achieve the same,

    the mentioned changes work, but authorisation doesn't.

    R>>

    At server side: 

    serviceHost.Credentials.ServiceCertificate.SetCertificate(certificate);

    // Transport security with the service certificate; the client sends no credentials
    binding.Security = new NetTcpSecurity {
        Mode = SecurityMode.Transport,
        Transport = { ClientCredentialType = TcpClientCredentialType.None }
    };

    and at client side: 

    Do not provide any certificate then WCF with similar binding, WCF will pick from trust root.

    <<

    T>> Why did you change ClientCredentialType from Windows to None? If you need Windows Authentication, you should use Windows option instead of None.

    If I change this to Windows, then the certificate check gets ignored in WCF; the code will work and get a response from the server without the presence of the certificate in the trusted root at the client side.

    Please let me know if more details are required.

    Thanks in advance.

    Regards,

    Rahul


    Thursday, November 30, 2017 5:44 AM
  • Again, what do you want?

    Pick one of these:

    A) The Client authenticates using WindowsAuthentication and the Connection is secured with a Certificate (SSL).

    B) The Client authenticates using WindowsAuthentication while at the same time authenticates using a Certificate.

    Method A) is fairly easy, there does not need to be any Certificate to be picked up at the Client, the SSL handshake will take care of the MessageEncryption.

    Method B) cannot be achieved with the default Bindings, you need to provide your own Binding in such a case. It's been a while since I've done that, but this post (how I got there) should help in that regard.


    Please be so kind to close your Threads when you found an answer, these Threads should help everyone with similar issues.
    You can close a Thread via the "Mark as Answer" link below posts. You can mark your own posts as answers if you were not helped out but found a solution, in such a case, please provide the answer.
    Happy coding
    PS: I assure everyone that I did not ever have the desire to offend anyone.


    • Edited by MDeero Thursday, November 30, 2017 10:30 AM
    Thursday, November 30, 2017 10:26 AM
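
One configuration that matches option A above, as an added example that is not from any poster in this thread: NetTcpBinding in TransportWithMessageCredential mode, so the channel is protected with the service certificate while the caller's Windows identity is still available for group-based authorisation. The contract, address, certificate subject and group name are assumptions made for the sketch.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IEcho { [OperationContract] string WhoAmI(); }

public class EchoService : IEcho
{
    // Authorisation against a Windows group (placeholder group name).
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Users")]
    public string WhoAmI() => ServiceSecurityContext.Current.WindowsIdentity.Name;
}

static class Program
{
    // Same binding on both sides: TLS over TCP protects the channel and the
    // Windows identity travels as a message credential inside it.
    // (SecurityMode.Transport with TcpClientCredentialType.Windows would use
    // Windows stream security instead, where no certificate is involved.)
    static NetTcpBinding MakeBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return binding;
    }

    static void Main()
    {
        const string address = "net.tcp://localhost:9000/echo"; // assumed address
        using (var host = new ServiceHost(typeof(EchoService)))
        {
            host.AddServiceEndpoint(typeof(IEcho), MakeBinding(), address);
            // Assumed: a certificate with subject "localhost" in LocalMachine\My.
            host.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.LocalMachine, StoreName.My,
                X509FindType.FindBySubjectName, "localhost");
            host.Open();

            var factory = new ChannelFactory<IEcho>(MakeBinding(), new EndpointAddress(address));
            // No client certificate is configured. The service certificate must
            // chain to a root in the client's trusted store; keep ChainTrust.
            factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
                X509CertificateValidationMode.ChainTrust;
            Console.WriteLine(factory.CreateChannel().WhoAmI());
        }
    }
}
```

The host name in the endpoint address has to match the certificate's subject, otherwise the client rejects the service identity.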