Securing WCF service for both intranet and internet consumers

  • Question

  • User680636372 posted

    I have read several - too many probably - articles on ways to secure WCF services, from custom token creation, x509 certificates, using guids as tokens, WCF extensions, etc. And to be honest, I am a bit lost - seems there are just SO many different ways to do it. Here is what my manager is asking: we have a library of WCF services that will be accessed from both users with domain (Windows AD) accounts, as well as users coming from the internet. They want me to implement some kind of security mechanism that will ensure that only those users/machines/applications that we want to access the services can access them. Simple enough.

    My boss has asked me to accomplish this using WCF extensions, presumably as in this example:

    http://msdn.microsoft.com/en-us/library/ms731872.aspx

    HIS boss mentioned something about just using GUIDs for tokens instead of x509 certs. So now I am wondering - if we want message level security, won't we need to use either x509 certs, or do some kind of encryption to keep whatever info is being used for authentication (username, password) from being sent in clear text?

    Sorry if this is all confusing, but if it is, then it clearly captures my thoughts at this time. 

    Tuesday, February 26, 2013 10:51 AM

Answers

  • User-1000095884 posted

    Hi,

    So now I am wondering - if we want message level security, won't we need to use either x509 certs, or do some kind of encryption to keep whatever info is being used for authentication (username, password) from being sent in clear text?

    If you use message level security for your service, there are various ways you can use to authenticate your clients (you can set it with clientCredentialType); it can be an anonymous client, a certificate client or a Windows client, etc. Something like:

    <bindings>
      <netTcpBinding>
        <binding name="Windows">
          <security mode="Message">
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>

    You can check some common security scenarios.

    http://msdn.microsoft.com/en-us/library/ms730301.aspx

    Best Regards.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, March 5, 2013 3:16 AM
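
The clientCredentialType choice described in the answer, applied to the question's two audiences, as an added example that is not part of the original thread: one service exposed on an intranet endpoint with Windows credentials and on an internet endpoint with UserName credentials, both using message security. All names (Contoso.*, the host names, the certificate subject, the validator type) are hypothetical placeholders.

```xml
<system.serviceModel>
  <bindings>
    <!-- Intranet callers: domain (Windows AD) accounts authenticated via SSPI -->
    <netTcpBinding>
      <binding name="IntranetWindows">
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>
    </netTcpBinding>
    <!-- Internet callers: user name and password travel inside the SOAP message,
         encrypted with the service certificate, so they are not sent in clear text -->
    <wsHttpBinding>
      <binding name="InternetUserName">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="SecuredService">
        <serviceCredentials>
          <!-- Required for UserName message credentials: the service's own X.509 certificate
               (placeholder subject name) -->
          <serviceCertificate findValue="svc.contoso.example" storeLocation="LocalMachine"
                              storeName="My" x509FindType="FindBySubjectName" />
          <!-- Hypothetical validator class deriving from UserNamePasswordValidator -->
          <userNameAuthentication userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="Contoso.Security.AppUserValidator, Contoso.Security" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Contoso.Services.OrderService" behaviorConfiguration="SecuredService">
      <endpoint address="net.tcp://appserver.corp.example:8081/orders" binding="netTcpBinding"
                bindingConfiguration="IntranetWindows" contract="Contoso.Services.IOrderService" />
      <endpoint address="http://svc.contoso.example/orders" binding="wsHttpBinding"
                bindingConfiguration="InternetUserName" contract="Contoso.Services.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

With UserName message credentials the client does not need its own certificate; only the service does, which is what protects the password on the wire.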