The situation:
- We have Windows 2008 web servers with IIS7 (.NET4)
- We can communicate with the webserver only through the default HTTPS (443) port
- There is an ASP.NET website hosted on the servers, the service is part of the website code.
- Some clients (desktop applications with WCF support) want to communicate with our new WCF webservice
- Message size between the parties can be 100 - 400 kb
- We'd like to keep the WCF service part of the IIS.
- On client side we request a custom username and password to connect to our service
- There are longer sessions with more DB processing behind
- And there are quick short sessions - like ping from the client
- The client passwords are stored on our webserver (from DB) - clients should be authenticated against these passwords.
Question:
1. From these constraints what would be the best protocol to use?
2. Would you use sessions by default?
3. Tried this binding first (it works, however there is no session support)

    <!--define a SOAP binding-->
    <wsHttpBinding>
      <binding name="DefaultSOAPBasedHTTPSBinding" maxReceivedMessageSize="400000">
        <readerQuotas maxArrayLength="102400" />
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </wsHttpBinding>

To enable sessions:

    <wsHttpBinding>
      <binding name="DefaultSOAPBasedHTTPSBinding" maxReceivedMessageSize="400000">
        <readerQuotas maxArrayLength="102400" />
        <reliableSession enabled="true" />
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="Basic" />
          <message clientCredentialType="Certificate"/>
        </security>
      </binding>
    </wsHttpBinding>

My feeling is that this transport & message security is too much - I mean do we really need this in order to allow sessions with wsHttpBinding?
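
A server-side configuration matching the constraints listed in the question (HTTPS on 443, sessions, a custom username and password checked against stored credentials), given here as an added example that is not part of the original post. The service, contract, behavior and validator type names are hypothetical; the validator is assumed to be a class deriving from `System.IdentityModel.Selectors.UserNamePasswordValidator` that checks the supplied credentials against the database.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="DefaultSOAPBasedHTTPSBinding" maxReceivedMessageSize="400000">
        <readerQuotas maxArrayLength="102400" />
        <!-- Session support, as in the second binding from the post -->
        <reliableSession enabled="true" />
        <!-- TLS protects the channel; the credential travels in the SOAP
             security header as a username token, not a client certificate -->
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="UserNameAuthBehavior"> <!-- hypothetical name -->
        <serviceCredentials>
          <!-- Custom mode hands each username/password pair to the
               validator class instead of checking Windows accounts.
               The type name below is a hypothetical placeholder. -->
          <userNameAuthentication
              userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="MyCompany.Services.DbUserNameValidator, MyCompany.Services" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <services>
    <!-- Service and contract names are hypothetical placeholders -->
    <service name="MyCompany.Services.ClientService"
             behaviorConfiguration="UserNameAuthBehavior">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="DefaultSOAPBasedHTTPSBinding"
                contract="MyCompany.Services.IClientService" />
    </service>
  </services>
</system.serviceModel>
```

The validator should reject by throwing a `FaultException` or `SecurityTokenException` and compare against salted password hashes rather than stored plaintext.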