Certificate use at server & client end for WCF service (WCF Mutual Authentication)

  • Question

  • We all know that when we do WCF Mutual Authentication we need to use a certificate at both ends. Where the WCF service will be running we need to install a certificate, and the client that will be consuming it also needs a certificate installed.

    I have never used or worked with certificates before, so I would like to know whether the client end needs to install or use the same certificate that the server end is using. Is it possible for the client to use a certificate purchased from abc.com and the server end a certificate purchased from xyz.com?

    If yes, it is possible that the client can use a different certificate and the server can use a different certificate, then my question is: certificate-wise, the encrypt / decrypt logic can be different. If both are using certificates purchased from different companies, then how can both encrypt & decrypt messages for each other? Please discuss my points. Thanks.

    Friday, April 4, 2014 8:24 AM

Answers

  • Hi,

    In WCF, mutual authentication not only allows positive identification of the clients, but also allows clients to positively identify the WCF services to which they are connected. Mutual authentication is especially important for Internet-facing WCF services, because an attacker may be able to spoof the WCF service and hijack the client's calls in order to reveal sensitive data.

    A variety of mutual authentication mechanisms are supported in WCF by using token formats such as Windows tokens, username and password, certificates and issued tokens (in a federated environment). So if you do not use mutual certificate authentication, then you will not need to install the certificate on the client.

    And in my mind the service and client cannot use different types of certificate.

    For more information, please refer to:
    #WCF Transport, Message Security and Mutual Authentication using Certificates:
    http://blogs.msdn.com/b/ashishme/archive/2009/05/06/windows-communication-foundation-transport-message-security-and-mutual-authentication.aspx


    Best Regards,
    Amy Peng

    • Marked as answer by Mou_kolkata Monday, April 7, 2014 9:18 AM
    Monday, April 7, 2014 5:47 AM
    Moderator
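
Message-level mutual certificate authentication configured in code on a self-hosted WCF service and its client, as an added example that is not part of the original thread. The `IEcho` contract, the localhost address and the subject names `service.example` and `client.example` are assumptions; both certificates must already be installed in the named stores, and each side validates the other's certificate chain against its own trusted roots.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IEcho { [OperationContract] string Echo(string text); }   // hypothetical contract
public class EchoService : IEcho { public string Echo(string text) { return text; } }

public static class MutualCertDemo
{
    // Both ends use the same binding: message security with a certificate client credential.
    static WSHttpBinding Binding()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return b;
    }

    public static void Main()
    {
        var address = new Uri("http://localhost:8000/echo");   // placeholder address
        // Service side: present the service certificate (private key in LocalMachine\My).
        var host = new ServiceHost(typeof(EchoService));
        host.AddServiceEndpoint(typeof(IEcho), Binding(), address);
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "service.example");   // placeholder subject
        // Accept only client certificates that chain to a trusted root and are not revoked.
        var clientAuth = host.Credentials.ClientCertificate.Authentication;
        clientAuth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        clientAuth.RevocationMode = X509RevocationMode.Online;
        host.Open();

        // Client side: expect the service certificate's DNS name, not the URL host name.
        var identity = EndpointIdentity.CreateDnsIdentity("service.example");
        var factory = new ChannelFactory<IEcho>(Binding(), new EndpointAddress(address, identity));
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "client.example");    // placeholder subject
        // Validate the service certificate the same way before sending anything to it.
        var serviceAuth = factory.Credentials.ServiceCertificate.Authentication;
        serviceAuth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        serviceAuth.RevocationMode = X509RevocationMode.Online;

        Console.WriteLine(factory.CreateChannel().Echo("hello"));
        factory.Close(); host.Close();
    }
}
```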

All replies

  • One area is not clear. You said:

    variety of mutual authentication mechanisms are supported in wcf by using token formats such as Windows tokens, username and password, certificates and issued tokens

    I guess by Windows token you are trying to mention Windows authentication. What is the relation of Windows authentication or username authentication with certificates? We use a certificate just to encrypt data for security.

    What are issued tokens?

    Looking for guidance. Thanks.

    Monday, April 7, 2014 9:18 AM