Connect to an asmx page behind https, requiring sign only, using WCF

Question

I'm trying to connect to a web service that requires me to sign with a certificate before I connect.

In WSE 3.0, all I had to do is create a certificate policy and choose the "sign only" radio button. That worked fine in WSE 3.0, but I want to use this on Visual Studio 2008+ (wse 3.0 only supports 2005). In order to get around the 2005 only WSE limitation, I'm trying to convert my app to WCF.

I read the MSDN article on converting WSE to WCF (such as the Aug2004 limitation), but it fails to mention anything about protection levels.

From the looks of it, the default bindings that support utf-8 don't support sign only protection levels. The default bindings that don't support utf-8 (like the tcp stuff) do, but that doesn't really help me seeing how I'm trying to connect to an asmx page. The customBinding seems to be the key (as stated in the MSDN article) but I can't find any valid protection levels that don't also require encryption.

Any suggestions? Is there anything obvious I'm missing?

Answer 1

You can specify a transport security (authentication) independently from the message security (signing and encryption). I'm not clear from your question whether you need transport security with certificate authentication or message security with a client certificate, but both scenarios are supported.

Please see the documentation for the <security> section of the <basicHttpBinding> for details.

For a more broad understanding of WCF security options, this article provides a good overview.