locked
WCF service using authentication - membership need certificate? RRS feed

  • Question

  • User-2146352328 posted

    Hi. I am able to use WCF services but i have one question. I am looking at securing the WCF using authentication and membership database when data is passed to an asp.net application. My question is, do i need to add a certificate to the server in order for the membership to work? Right now i can pass the username-password combination but no matter what credentials i may give the service will always go through unblocked. So do i have to use a certificate or is there another way?
    Thanks.

    Wednesday, June 5, 2013 9:16 PM

Answers

All replies

  • User260886948 posted

    Hi,

    It seems that you are using the username anthentication withe message security.

    In order to provide message protection at the message level, you need to install and configure a service certificate as service credentials.

    For more information, please try to refer to:
    http://wcfsecurityguide.codeplex.com/wikipage?title=Ch%2007%20-%20Message%20and%20Transport%20Security%20in%20WCF .

    Hope it can help you,

    Best Regards,
    Amy Peng 

    Thursday, June 6, 2013 11:31 PM
  • User-2146352328 posted

    Hi. Thanks. I see that you can only use HttpBinding in Internet security.  I also read that you can only use Transport or Message security for internet so i got curious when you said i was using username anthentication with message security. Am i doing something wrong because i have set security to transport on web.config. In general what do you suggest as a security model for internet WCF solution?

    Also is there any possible way to avoid a certificate on IIS or WCF needs a certificate for internet security with transport?

    Thanks.

    Friday, June 7, 2013 7:32 PM
  • User260886948 posted

    Hi,

    I am sorry for the late reply.

    With transport security, the service credentials are negotiated by default. When using HTTP bindings, the WCF service typically is hosted in Internet information Services (IIS) and the transport security is provided by SSL. The SSL certificate is used to provide the message protection. 

    So in my mind it is not possible.

    Hope it can help you.

    Best Regards.


    Sunday, June 9, 2013 9:25 PM
  • User-2146352328 posted

    That's a pitty,

    Is there a specific certificate i should have in mind?

    Thanks again.

    Monday, June 10, 2013 2:07 AM
  • User260886948 posted

    Hi,

    The X.509 certificates can be very easy to use, please try to refer to:

    # simple steps to enable X.509 certificates on WCF:
    http://www.codeproject.com/Articles/36683/9-simple-steps-to-enable-X-509-certificates-on-WCF .

    Hope it can help you.

    Best Regards,
    Amy Peng 

    <id="ctl00_articletitle" class="fn"> </id="ctl00_articletitle">

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, June 10, 2013 2:20 AM
  • User-2146352328 posted

    Thanks. Will have a look one of these days and post if i have any problem.

    Monday, June 10, 2013 9:21 PM