Username / Password Validation Without Certificates

  • Question

  • I am using UsernamePasswordValidation with SecureConversation. Unfortunately, the only way I've been able to get this working is with the UserNameForCertificate authentication mode. But, I've hit a brick wall with certificates. Certificates are fine in an ASP scenario because I can install the same certificate on both machines (the ASP machine, and the WCF machine). However, I am now moving to smart clients using WPF which are essentially desktop apps. I need to ditch the certificate so that any desktop app anywhere can talk to my WCF services. How can I continue using username validation with secure conversation without a certificate?
     
    Here is my server side config file:

      <system.serviceModel> 
        <!-- SERVICES --> 
        <services> 
          <!-- AssetValuationService --> 
          <service name="Adapt.WCF.AssetValuation.AssetValuationService" behaviorConfiguration="Adapt.WCF.SecureServiceBehavior">  
            <host> 
              <baseAddresses> 
                <add baseAddress="http://localhost:8731/AssetValuationService/" /> 
              </baseAddresses> 
            </host> 
            <!-- Service Endpoint --> 
            <endpoint address="" binding="customBinding" contract="Adapt.WCF.AssetValuation.AssetValuationService" bindingName="testBinding" bindingConfiguration="testBinding" name="http">  
              <identity> 
                <dns value="localhost" /> 
              </identity> 
            </endpoint> 
            <!-- Metadata Endpoint --> 
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> 
          </service> 
        </services> 
        <!-- BEHAVIOURS --> 
        <behaviors> 
          <!-- This is the standard behaviour for all services --> 
          <serviceBehaviors> 
            <behavior name="Adapt.WCF.SecureServiceBehavior">            
              <!-- Set to false after deployment for better performance --> 
              <serviceDebug includeExceptionDetailInFaults="True" /> 
              <!-- Set to false after deployment so that people can not inspect metadata --> 
              <serviceMetadata httpGetEnabled="True" /> 
              <serviceCredentials> 
                <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Adapt.WCF.Security.CustomUserNameValidator, Adapt.WCF" /> 
                <serviceCertificate findValue="localhost" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" /> 
              </serviceCredentials> 
            </behavior> 
          </serviceBehaviors> 
        </behaviors> 
        <!-- BINDINGS --> 
        <bindings> 
          <!--This is the standard binding for all endpoints except metadata endpoints. This binding supports  
              UserNameForCertificate authentication. --> 
          <customBinding> 
            <binding name="testBinding">  
              <!--<reliableSession ordered="true" maxRetryCount="1"  />--> 
              <security authenticationMode="SecureConversation" requireSecurityContextCancellation="true">
                <secureConversationBootstrap authenticationMode="UserNameForCertificate"></secureConversationBootstrap>
              </security>
              <textMessageEncoding> 
                <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" /> 
              </textMessageEncoding> 
              <httpTransport transferMode="Buffered" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" /> 
            </binding> 
            <binding name="metadataBinding">  
              <textMessageEncoding> 
                <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" /> 
              </textMessageEncoding> 
              <httpTransport transferMode="Buffered" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" /> 
            </binding> 
          </customBinding> 
        </bindings> 
      </system.serviceModel> 
    Monday, February 9, 2009 10:53 PM

Answers

  • Some kind of certificate must be used in order for the communication to be secured.

    You have two options:

    - Using usernameOverTransport (transport security) 
    - Using usernameForSslNegotiated. Here a certificate is also used but the client does not need to get it out of band since it gets it from the server online once the communication starts (this is like negotiateServiceCredential=true).

    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    Tuesday, February 10, 2009 10:59 AM
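    The two options named in the answer, written into the shape of the asker's own customBinding. This is an added illustration, not config from the poster or the answerer; the binding name "testBinding" comes from the question, "overTransportBinding" is a made-up name, and the serviceCertificate element is assumed to stay as in the question's serviceCredentials.

```xml
<!-- Server side bindings (added example). -->
<bindings>
  <customBinding>

    <!-- Option 2 from the answer: UserNameForSslNegotiated. The server still uses
         the certificate configured under <serviceCredentials><serviceCertificate/>,
         but the client obtains it during the negotiation at the start of the
         session, so nothing has to be installed on the desktop out of band. -->
    <binding name="testBinding">
      <security authenticationMode="SecureConversation" requireSecurityContextCancellation="true">
        <secureConversationBootstrap authenticationMode="UserNameForSslNegotiated" />
      </security>
      <textMessageEncoding />
      <httpTransport />
    </binding>

    <!-- Option 1 from the answer: UserNameOverTransport. No message-level
         certificate; the channel is protected by HTTPS, so the transport element
         must be httpsTransport, the base address must be https, and the server
         certificate is bound to the port by HTTP.SYS (netsh http add sslcert)
         rather than by this file. -->
    <binding name="overTransportBinding">
      <security authenticationMode="UserNameOverTransport" />
      <textMessageEncoding />
      <httpsTransport />
    </binding>
  </customBinding>
</bindings>

<!-- Client side for option 2 (added example). The negotiated certificate is
     checked by the client against this setting; the default, ChainTrust, means
     the desktop only needs to trust the issuer, which is what lets the cert
     travel with the session instead of being pre-installed. Lowering it to None
     would remove the server authentication the negotiation provides. -->
<behaviors>
  <endpointBehaviors>
    <behavior name="clientBehavior">
      <clientCredentials>
        <serviceCertificate>
          <authentication certificateValidationMode="ChainTrust" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
```

    With option 2 the endpoint's `<identity><dns value="localhost"/></identity>` from the question must match the subject name of the negotiated certificate; a certificate issued by a CA the desktops already trust is what makes ChainTrust pass without distributing anything, whereas a self-signed "localhost" certificate would fail that check unless installed on every client, which is the situation the asker wants to leave behind.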

All replies

  • Works Awesome!

    You da man!
    Friday, February 13, 2009 3:32 AM
  • Sorry to reply to such an old post, but what option did you use, usernameOverTransport or usernameForSslNegotiated?
    Thursday, October 1, 2009 11:00 PM