WCF Message Security in Web Farm

  • Question

  • WCF Gurus:

    We are currently in the design phase of some new functionality to be implemented as a WCF service.  The WCF service will actually reside in a web farm on multiple servers (ServerA, ServerB, ServerC) that are not public-facing.  These servers will have a public-facing network hardware load balancing device sitting in front of them.  The WCF clients (misc applications developed by partner companies) will communicate with the network hardware load balancing device - which will in turn forward the requests to one of the aforementioned servers in the web farm.  To secure the services and all communications, message security will be used with the wsHttpBinding.  For client authentication, Username client credentials will be used.  Our desire is to set the negotiateServiceCredential property to false, thus forcing the service certificates to be provided to the clients out-of-band (there are business reasons for doing this).

    My question with this scenario is how to configure the WCF clients.  For a simpler implementation using only a single server, a default certificate can be defined within the config file for the client (as is shown below):

            <bindings>
                <wsHttpBinding>
                    <binding name="WSHttpBinding_IService1">
                        <!-- Message-level security: the SOAP messages themselves are signed and
                             encrypted; the service certificate below is what the client encrypts to. -->
                        <security mode="Message">
                            <message
                              clientCredentialType="UserName"
                              negotiateServiceCredential="false"
                              establishSecurityContext="false" />
                        </security>
                    </binding>
                </wsHttpBinding>
            </bindings>
            <client>
                <endpoint address="http://hostname/WcfService1/Service1.svc" binding="wsHttpBinding"
                    bindingConfiguration="WSHttpBinding_IService1" contract="ServiceReference1.IService1"
                    name="WSHttpBinding_IService1" behaviorConfiguration="ServiceCertificate">
                    <!-- Must match the subject name of the service certificate configured below. -->
                    <identity>
                        <dns value="SignedByCA"/>
                    </identity>
                </endpoint>
            </client>
            <behaviors>
                <endpointBehaviors>
                    <behavior name="ServiceCertificate">
                        <clientCredentials>
                            <serviceCertificate>
                                <!-- Certificate supplied out-of-band, looked up by subject name
                                     in the local machine's Personal ("My") store. -->
                                <defaultCertificate
                                  findValue="SignedByCA"
                                  storeLocation="LocalMachine"
                                  storeName="My"
                                  x509FindType="FindBySubjectName" />
                                <!-- PeerTrust: the certificate must be present in the TrustedPeople
                                     store; no chain to a CA is validated. -->
                                <authentication certificateValidationMode="PeerTrust"/>
                            </serviceCertificate>
                        </clientCredentials>
                    </behavior>
                </endpointBehaviors>
            </behaviors>

    Since the three servers in the web farm will each have their own unique certificate, how do I configure the client so that it can communicate with any of the three servers that it happens to be directed to via the network load balancer?

    Thanks,

    D

    Wednesday, March 24, 2010 7:31 PM

Answers

  • The certificate should be tied to the public address which users will use. It is "tied" in the sense that ServerA.domain.com appears in the certificate, so clients will only agree to use the certificate if they send a message to this domain (this behavior can be overridden). However you are free to install the certificate wherever you want.
    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    • Proposed as answer by Yaron Naveh Thursday, March 25, 2010 1:16 AM
    • Marked as answer by D Nickels Thursday, March 25, 2010 12:32 PM
    Wednesday, March 24, 2010 10:43 PM
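
    The accepted answer, as an added example in C# that is not part of the original thread: a client that applies the same settings as the posted config in code, but with the endpoint identity set to the public load-balancer name (so one certificate carrying that name can be installed on ServerA, ServerB and ServerC) and the out-of-band certificate pinned by thumbprint instead of trusted via the TrustedPeople store. The host name services.example.com, the file name services.example.com.cer and the IService1 contract are assumptions for illustration only.

```csharp
// Added example, not from the original post. Assumes the farm is reached at
// http://services.example.com/..., that the shared service certificate was
// delivered out-of-band as services.example.com.cer (public key only), and
// that the service contract is the hypothetical IService1 declared below.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IService1
{
    [OperationContract]
    string GetData(int value);
}

// Accepts exactly one certificate: the copy the partner received out-of-band.
// Which farm node (ServerA/B/C) answered behind the load balancer is irrelevant,
// because every node presents the same certificate.
public sealed class PinnedServiceCertificateValidator : X509CertificateValidator
{
    private readonly string _expectedThumbprint;

    public PinnedServiceCertificateValidator(X509Certificate2 expected)
    {
        if (expected == null) throw new ArgumentNullException(nameof(expected));
        _expectedThumbprint = expected.Thumbprint;
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException(nameof(certificate));

        if (!string.Equals(certificate.Thumbprint, _expectedThumbprint,
                           StringComparison.OrdinalIgnoreCase))
        {
            throw new SecurityTokenValidationException(
                "Service certificate does not match the pinned out-of-band certificate.");
        }
    }
}

public static class FarmClient
{
    public static IService1 CreateChannel(string userName, string password)
    {
        // Same settings as the posted config: message security, UserName client
        // credentials, no service credential negotiation, no secure conversation.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.EstablishSecurityContext = false;

        // Public-key-only copy of the farm's shared certificate (assumed file name).
        var serviceCert = new X509Certificate2("services.example.com.cer");

        // The DNS identity is compared against the certificate's subject name, so it
        // must be the name in the certificate. Use the public load-balancer name rather
        // than ServerA/B/C so one certificate covers every node a request may land on.
        var address = new EndpointAddress(
            new Uri("http://services.example.com/WcfService1/Service1.svc"),
            EndpointIdentity.CreateDnsIdentity("services.example.com"));

        var factory = new ChannelFactory<IService1>(binding, address);
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;

        // With NegotiateServiceCredential=false the client never fetches the
        // certificate from the service; it encrypts to DefaultCertificate instead.
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCert;

        // Replaces PeerTrust (anything in the TrustedPeople store is accepted) with
        // a check for this exact certificate.
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedServiceCertificateValidator(serviceCert);

        return factory.CreateChannel();
    }
}
```

    The trade-off of pinning is operational: when the farm's certificate is rotated, every partner must receive the new .cer before the cutover, or their channels will fail validation. Before deploying, confirm that the subject CN (or a DNS subject alternative name) of the certificate installed on all three nodes is the load-balancer name the clients address, since a mismatch fails the identity check even though the thumbprint matches.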

All replies

  • Why not use the same certificate for all servers?
    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    • Proposed as answer by Yaron Naveh Thursday, March 25, 2010 1:16 AM
    Wednesday, March 24, 2010 9:15 PM
  • Sorry for the novice question, but is it possible to use the same certificate on all servers?  I *thought* that when a certificate is purchased from a company like VeriSign, the certificate is essentially tied to a particular server.  Is this not the case?  Can a single certificate be used on multiple servers with different names (ServerA.domain.com, ServerB.domain.com, ServerC.domain.com)?

    D

    Wednesday, March 24, 2010 9:27 PM
  • Good information.  Thanks!

    D

    Thursday, March 25, 2010 12:32 PM