views:

1055

answers:

2

I've got a machine control application where I have a single client computer and 5 server boxes communicating on the machine subnet. There is no domain controller. I would like to use netTcpBinding to allow for reliability and transaction support.

Is it possible to use UserName / Password authentication with this binding, when a domain controller is not present? I would prefer not to use certificates as I don't want to manage certificates across 900 computers (150 machines) that will not be connected to the office LAN.

Thanks.

+3  A: 

Yes, of course - but only if you use Message security (rather than transport security). Define your binding configuration like so:

  <netTcpBinding>
    <binding name="UserNameSecurity">
      <security mode="Message">
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </netTcpBinding>

and then reference that binding configuration in your endpoints (on server and client):

 <endpoint address="....."
           binding="netTcpBinding"
           bindingConfiguration="UserNameSecurity"
           contract="IMyService" />

Marc

UPDATE:
Ah, yes, on the server side, you'll need a certificate to authenticate the service to the client calling it, and it's also used to encrypt+sign the messages. That's on the server only - clients need not install anything.

Configuration:

<behaviors>
  <serviceBehaviors>
    <behavior name="ServerInternet">
      <serviceCredentials>
        <serviceCertificate
           findValue="MyServiceCertificate"
           storeLocation="LocalMachine"
           storeName="My"
           x509FindType="FindBySubjectName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<services>
  <service name="MyServiceInternet"
           behaviorConfiguration="ServerInternet">
     ....
  </service>
</services>

Make sure to install your server's certificate into the "Local Machine" folder on your server, under the "subject name" that you specify in your config.

marc_s
So, that's what I had originally. But, I get an exception asking for a service certificate: "The service certificate is not provided. Specify a service certificate in ServiceCredentials." Any ideas?
Scott P
Hmmm. That's what I suspected. Thanks for confirming it.
Scott P
In this approach is there any harm of using a self signed cert in production environment? If it's only used to encrypt messages but not to verify identity. When would you not use a self signed-cert for message encryption?
Vitalik
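The accepted answer's configuration, and Vitalik's question about a self-signed certificate, expressed as a self-hosted .NET program. This is an added example, not code from the original post: the service name, port, certificate subject name and the sample user credentials are assumptions, and it uses a custom UserNamePasswordValidator (one option when there is no domain controller; the default validates against local Windows accounts). On the client, PeerTrust accepts the server's self-signed certificate only if that exact certificate has been placed in the client's TrustedPeople store, so identity is still verified rather than skipped.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IMyService { [OperationContract] string Ping(string text); }

public class MyService : IMyService { public string Ping(string text) => "pong: " + text; }

// No domain controller: validate UserName credentials against a local store.
// Constructed sample credentials; hypothetical, replace with your own lookup.
public class LocalUserValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "machine1" || password != "s3cret")
            throw new SecurityTokenException("Unknown user or wrong password.");
    }
}

public static class Program
{
    public static void Main()
    {
        // Message security with UserName client credentials (the accepted answer's binding).
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        // Server: the service certificate authenticates the service and protects the messages.
        var host = new ServiceHost(typeof(MyService), new Uri("net.tcp://localhost:9000/MyService"));
        host.AddServiceEndpoint(typeof(IMyService), binding, "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "MyServiceCertificate");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new LocalUserValidator();
        host.Open();

        // Client: the expected identity is the certificate's subject name, and a self-signed
        // certificate is accepted only if it is in the client's TrustedPeople store (PeerTrust).
        var address = new EndpointAddress(new Uri("net.tcp://localhost:9000/MyService"),
            EndpointIdentity.CreateDnsIdentity("MyServiceCertificate"));
        var factory = new ChannelFactory<IMyService>(binding, address);
        factory.Credentials.UserName.UserName = "machine1";
        factory.Credentials.UserName.Password = "s3cret";
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;

        Console.WriteLine(factory.CreateChannel().Ping("hello"));
        factory.Close();
        host.Close();
    }
}
```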
A: 

Scott P, there is something you can try: first, set negotiateServiceCredential to true

<message negotiateServiceCredential="true"/>

This will create a secure conversation between your client and your service without a domain controller.

BUT, if there isn't any domain controller, the client doesn't trust your service, so it will fail.

So you should set the expected identity of the service. You can find that in the WSDL of your service; by default, if you are hosted on IIS, it seems to be:

<client>
    <endpoint>
     <identity>
      <servicePrincipalName value="host/NETWORKSERVICE"></servicePrincipalName>
     </identity>
    </endpoint>
</client>

I don't think you'll need it, but maybe you'll have to allow anonymous logons on the service side:

<serviceBehaviors>
    <behavior>
     <serviceCredentials>
      <windowsAuthentication allowAnonymousLogons="true"/>
     </serviceCredentials>
    </behavior>
</serviceBehaviors>

Please tell me if it works!!

Nicolas Dorier
Thanks. I think that the negotiateServiceCredential does not exist for the netTcpBinding. I will likely go down the certificate path, since that seems (relatively) straightforward.
Scott P