In WCF, Can encryption be performed in WCF using Windows credentials rather than certificate

  • Question

  • Hi,

    I have a WCF service and want to enable both encryption and authentication using Windows credential type (NOT CERTIFICATE) in the transport layer (NOT at Message level). I want to know if the service config is set to

    Protocol binding = WsHttp, Transport mode = Transport, clientCredentialType="Windows"

    Can we perform encryption using Windows credentials (NOT CERTIFICATE) in the transport, or are Windows credentials only used for authentication?

    This MSDN topic says that both integrity and confidentiality are provided, but it says so only for the TCP protocol and not for the HTTP protocol (e.g. WsHttp binding).

    How to perform encryption and authentication using Windows credential type in WCF?

    Regards

    Ram

    Monday, May 28, 2018 4:47 PM

All replies

  • Hi Ram,

    >>I have a WCF service and want to enable both encryption and authentication using Windows credential type (NOT CERTIFICATE) in the transport layer (NOT at Message level)

    What do you mean by this?

    For encryption, a certificate is used, and Windows credentials are used for authentication. What do you mean by not using a certificate?

    If you want to achieve Transport Security with Windows Authentication, you could use your current configuration.

          <bindings>
            <wsHttpBinding>
              <binding>
                <security mode="Transport">
                  <transport clientCredentialType="Windows"/>
                </security>
              </binding>
            </wsHttpBinding>
          </bindings>

    Best Regards,

    Tao Zhou


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, May 29, 2018 5:42 AM
  • Hi,

    I don't know what you mean in your post. It seems that in the current situation, you are saying that for encryption, one needs to use a certificate only. Is that correct?

    This MSDN topic says "Confidentiality Yes" and "transport net.tcp" but does not mention a word about "Certificate". Also, it appears that usage of Windows credentials supports encryption, like Kerberos / NTLM encryption of tokens (see here and here). Does this MSDN topic not suggest that the encryption (using Windows credentials) is extended to message contents rather than just tokens?

    If you look at the picture in this MSDN topic, it says "The service and clients are authenticated using windows authentication, and the messages are secured at transport level by Windows security".

    What is "secured by Windows security" telling us here? (I don't think it means certificate encryption, or does it?)

    Regards

    Ram


    Tuesday, May 29, 2018 8:14 AM
  • Hi Ram,

    >> you are telling that for encryption, one needs to use certificate only. Is that correct ?

    No, I am talking about Transport security with Windows authentication.

    >> What does "secured by Windows security" telling here ?? (I don't think it is telling certificate encryption, or does it ?)

    For WCF Security, I assume you already know Message security mode and Transport security mode. They implement security in different areas: the former encrypts the message, and the latter encrypts the transport.

    For the image, the Windows credential is used to authenticate, which means to validate whether the user is in this domain, and the message between client and server is secured in the transport. The email icon in the image contains the user's Windows credential to authenticate, and the pipe is secured by the net.tcp transport.

    For Net.Tcp, security for the transport mode is provided by implementing Transport Layer Security (TLS) over TCP. The TLS implementation is provided by the operating system.

    For wsHttp binding, the transport security for this binding is Secure Sockets Layer (SSL) over HTTP, or HTTPS. The certificate which I referred to is used to secure the transport when using HTTPS.

    You could refer to the link below:

    Transport Security Overview

    https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-overview#wshttpbinding

    Best Regards,

    Tao Zhou



    Wednesday, May 30, 2018 3:13 AM
  • Hi

    You state that you are talking about "transport security with windows authentication". But that is not what I asked for. I want to know how to perform encryption at transport level using Windows credential type. Can it be done or not, and if yes, how?

    You are talking about authentication using Windows credential type; I am asking about encryption using Windows credential type. It is clearly stated in my first post in this thread.

    This MSDN topic says that both integrity and confidentiality are provided (meaning encryption is happening), and it does not say anything about a certificate but says "Windows security".

    Regards

    Ram




    • Edited by Ram_BizTalk Wednesday, May 30, 2018 10:13 AM
    Wednesday, May 30, 2018 10:01 AM
  • Hi,

    I want to know if encryption is performed when using Windows credentials (NOT CERTIFICATE) at the transport level.

    Regards

    Ram

    Wednesday, May 30, 2018 10:23 AM
  • >>how to perform encryption at transport level using Windows Credentialtype. can it be done or not, if yes, how ?

    You could not encrypt at transport level by using Windows Credential.

    Encryption at the transport level is implemented by TLS or SSL; it is not related to Windows Credential.

    Best Regards,

    Tao Zhou



    Friday, June 1, 2018 5:27 AM
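
The following is an added example, not code from any poster in this thread: it builds the two bindings discussed above (wsHttpBinding and net.tcp, both with Transport mode and the Windows credential type) and reports which binding element each one places in its channel stack to protect the wire. It assumes .NET Framework with a reference to System.ServiceModel; the class name `TransportSecurityCheck` and the helper `Describe` are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class TransportSecurityCheck
{
    // Inspects the binding's element stack and names the element that
    // provides transport-level protection, if any.
    static string Describe(Binding binding)
    {
        BindingElementCollection elements = binding.CreateBindingElements();
        var https = elements.Find<HttpsTransportBindingElement>();
        var ssl = elements.Find<SslStreamSecurityBindingElement>();
        var win = elements.Find<WindowsStreamSecurityBindingElement>();

        string protection;
        if (https != null)       // HTTPS: TLS with a server certificate bound to the port
            protection = "HTTPS transport, HTTP auth scheme = " + https.AuthenticationScheme;
        else if (ssl != null)    // TLS stream upgrade using an X.509 certificate
            protection = "SslStreamSecurity (certificate-based TLS upgrade)";
        else if (win != null)    // SSPI Negotiate (Kerberos/NTLM) stream upgrade
            protection = "WindowsStreamSecurity, ProtectionLevel = " + win.ProtectionLevel;
        else
            protection = "no transport protection element";

        return binding.GetType().Name + " [" + binding.Scheme + "]: " + protection;
    }

    static void Main()
    {
        // The configuration from the question: wsHttpBinding, Transport, Windows.
        var ws = new WSHttpBinding(SecurityMode.Transport);
        ws.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        // The net.tcp case from the MSDN topic the question refers to.
        var tcp = new NetTcpBinding(SecurityMode.Transport);
        tcp.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        tcp.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;

        Console.WriteLine(Describe(ws));
        Console.WriteLine(Describe(tcp));
    }
}
```

Running the same `Describe` helper against the binding a service actually loads from its config is a quick way to confirm what protects the channel before deployment.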