Which WCF security scenario should I use?

Question

I'm new to WCF and am overwhelmed by the options available for securing my WCF service. What is the security model best suited for this situation?

Server: Must have access to the context of a particular publicly available ASP.Net application, running on IIS 6. However, the the service should only be available to a single client on the Intranet. Basically, the service needs to do operations on the public web site but the service itself should be entirely unavailable to the public. I would like to avoid SSL usage for the service.

Client: An ASP.Net intranet application running on an in-house server (different machine than the above application but also using IIS 6). There will be just this single client to the service.

The code seems rather straighforward - I have my service contract in a shared library between the two ASP.Net applications. I need lots of help in figuring out how to set up each web.config to provide some type security such that the public access to the "server" application cannot use the service at all, whereas the "client" web application has full trusted access to the service.

Answer 1

The number of options and their combinations is indeed staggering - that's why both Microsoft and also renowned WCF guru Juval Lowy have come up with "security scenarios" which should help you focus on a few, manageable scenarios that might be of use.

See this blog post by J.D. Meier for the Microsoft approach, and Juval's ideas are best summed up in David Sackstein's blog post series.

For an in-house, behind-the-corporate firewall solution, you're best bet is probably the netTcpBinding with Transport-level security, and Windows credentials.

UPDATE: Unfortunately, netTcpBinding can only be used on IIS7/WAS (with Vista, Win Srv 2008), and is not supported on IIS6 :-(

For this scenario, you'll either need to use one of the HTTP bindings, or create the host for your NetTCP-based service yourself (console app, NT Service).

Marc

Update:

if you want to make sure only local users that are members of your Active Directory Domain can access your service, your best bet is to use Windows credentials as authentication mechanism. In that case, an external user who doesn't have a Windows account in your domain won't be able to use the service and will be rejected.

You could probably set up basicHttpBinding or wsHttpBinding with transport security, using Windows credentials, for your service. If you use transport security, you'll be using https:// addresses and SSL must be enabled on your network, but on the other hand, you don't need to identify the service with a certificate.

Your service config would look something like:

<bindings>
  <basicHttpBinding>
    <binding name="securedBasicHttp">
      <security mode="Transport">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
<services>
  <service name="MyService">
    <endpoint name="Default"
              address="MyService"
              binding="basicHttpBinding"
              bindingConfiguration="securedBasicHttp"
              contract="IMyService" /> 
   </service>
</services>

A good resource for lots more info and also how-to videos would be the Patterns & Practice WCF Security Guidance on Codeplex - excellent, if almost a bit overwhelming at times.

You might also want to check out this list of How-To articles on MSDN: