Is it possible to have transport security without authentication? I'm well aware of its flaws but atm I can't install a certificate at the client side. It seems I can set WSHttpBinding.SecurityMode to Transport and the ClientCredentialType to HttpClientCredentialType.None, but when I try to call the service I get this exception:

An error occurred while making the HTTP request to https://[MyService]. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.

I don't think it's a mismatch of the security binding between the client and the server because I'm using a proxy generated by svcutil.

Why's it looking for a server certificate if I've set the ClientCredentialType to None?

+1  A: 

What you have set up looks correct for what you want.

I think that the problem relates to the difference between the certificate needed to ensure transport level security (HTTPS) and any certificate needed for authentication.

To perform transport level security you need to configure a certificate for the IIS server to use for its encryption. This is in no way used to identify parties in the communication, just to secure the communication.

Here is a link to a blog post explaining how to set up a certificate in IIS for this purpose. Not necessarily the best Google has to offer, just the first I found that covered all the important points. MSDN should cover this in detail too.

David Hall
+3  A: 

You can have https communication without authentication, but you cannot have https communication without certificates, since https encryption uses certificates.

There are a few things to check:

1) Can you access the WSDL or another resource on the site over https in a browser?
2) Do you get any warnings about the certificate when doing so?

If you can't access the WSDL or another resource on the site over https, then https isn't configured on the server.

If you get warnings about the certificate, then you don't have a certificate that the client will trust. There are three options here: one is to get a valid certificate from somewhere like VeriSign that will be trusted, the other is to install the certificate in a trusted part of the user's store (which you can't do as you mentioned), and the final is to turn off the certificate revocation in the client's WCF configuration.

jezell
How do I turn off the certificate revocation in the client's WCF configuration?
Meidan Alon
Set the revocation mode to None.
jezell
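
The two checks listed in the answer above can also be run in code from the client machine. This is an added example, not part of the original thread: it completes a TLS handshake without offering a client certificate and prints how the server certificate validates on this machine. `TlsProbe` is a hypothetical name, and the host and port are supplied on the command line.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// TlsProbe is a hypothetical name; host and port come from the command line.
static class TlsProbe
{
    // Called during the handshake: print what the server presented and keep
    // the default decision (accept only when validation found no errors).
    static bool Report(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null) { Console.WriteLine("Server presented no certificate."); return false; }
        Console.WriteLine("Subject : " + cert.Subject);
        Console.WriteLine("Issuer  : " + cert.Issuer);
        Console.WriteLine("Expires : " + cert.GetExpirationDateString());
        Console.WriteLine("Errors  : " + errors);
        if (chain != null)
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("Chain   : " + s.Status + " - " + s.StatusInformation);
        return errors == SslPolicyErrors.None;
    }

    static int Main(string[] args)
    {
        if (args.Length < 1) { Console.Error.WriteLine("usage: TlsProbe <host> [port]"); return 2; }
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;
        try
        {
            using (var tcp = new TcpClient(args[0], port))
            using (var ssl = new SslStream(tcp.GetStream(), false, Report))
            {
                ssl.AuthenticateAsClient(args[0]); // no client certificate is offered
                Console.WriteLine("Handshake OK (" + ssl.SslProtocol + "): server certificate trusted here.");
                return 0;
            }
        }
        catch (AuthenticationException ex) // certificate rejected: see the Errors/Chain lines above
        {
            Console.WriteLine("Certificate not trusted: " + ex.Message);
            return 1;
        }
        catch (Exception ex) // IOException: closed mid-handshake; SocketException: nothing listening
        {
            Console.WriteLine("TLS handshake did not complete: " + ex.Message);
            return 3;
        }
    }
}
```

Exit code 0 corresponds to a clean answer to both checks, 1 to a certificate warning, and 3 to https not being reachable on that host and port.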
A: 

Yeah I hear ya.

I'm not having certificate problems but I too want transport security over SSL with no authentication. Authentication as far as I understand is validating a user that's accessing the service.

Previously I was using a membership provider, taking in a user name and password and letting the provider validate for me. You can use Windows authentication as well which has the OS validate for you allowing access only to people on your network or whatever.

This time around I don't care. I just want to expose a simple method. I set up HTTPS binding with transport security and no client authentication and I get this error:

Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service.

That makes me think what I'm trying is not possible and I need Windows authentication which I don't want. Any comments?

towps