views:

77

answers:

2

I'm new to WCF, and wanted to know if it is possible to do Message Security where I use an X.509 certificate for the service only, and for client security use Windows credentials. Is this acceptable? Does it work? I tried searching the web, but either no discussion of this approach exists, or I have put the wrong wording in my Google search. Any help is much appreciated, thank you all.

Basically, I'd have this in my binding:

<wsHttpBinding>
    <binding name="msgBinding">
        <security mode="Message">
            <message clientCredentialType="Windows" />
        </security>
    </binding>
</wsHttpBinding>

and on my behavior:

<behavior name="wsHttpCertificateBehavior">
    ...
    <serviceCredentials>
        <serviceCertificate findValue="MyCert" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="My" />
    </serviceCredentials>
</behavior>
+1  A: 

Why are you trying to do this? What are your security requirements?

Are you trying to use a Service Cert to secure the message transfer and then use windows security for the client for authentication and authorization?

Windows security only works if you are on the same domain or have some sort of federated security set up. If you are on the same domain just use windows security for both. If you are not on the same domain then you can't use windows credentials for the client because the server will have no way of validating them. You would either have to use a client certificate that was issued by the certificate authority on your service side or use custom credentials.

If, however, you are on the same domain but still require a service-side cert, then you have to specify the serviceCertificate in the service's config file and define an endpoint address with HTTPS, that is, if you are hosting as a stand-alone service. If you are hosting in IIS, then you define the certificate in the IIS website's setup.

You may find this useful: Application Deployment Scenarios

Mogounus
I'm not trying to use a cert to secure the transport; I'm trying to use the cert to secure the message (as stated in my question, I am using message security). I'm trying not to have to distribute certs to every client; that's why I'm trying to do Windows security for the client and the X.509 cert for the service.
Jason
Oh sorry, I meant to say "transfer security" instead of "transport security". So let me ask again: why not just use Windows security and forget the cert? Both the clients and the service are on the same domain, correct? Windows credentials will allow you to implement message security and authentication/authorization easily... If you are not on the same domain, forget about using Windows credentials.
Mogounus
A: 

Hey, thank you for your help, Mogounus. My problem is quite complicated, but in short, my requirements are to use certs on the server side. After doing some more research I think I have figured it out now. So if I understand it correctly, when using certs on both client and server with message security, the client would sign the message with its private key, then attach its public key, and encrypt with the server's public key; only the server would be able to decrypt and thus get the signed message along with the public key of the client to verify the signed data.

In my case, I had it working; I just needed to verify that the service was using the right stuff to sign/encrypt, but this doesn't seem possible, since by the time the message is packaged up it is already encrypted and I can't see the content.

Another problem I realized while searching for this answer is that not all my clients will be in the same domain, so I will have to use either user/pwd or certs on the client side.

Jason
You essentially have it correct, but the underlying public/private key handshake is somewhat irrelevant, as WCF handles all that for you. Just to clarify: only the service certificate is used to secure the message transfer (i.e. sign/encrypt the message). The only time you need a client cert is for authentication/authorization. Is there anything else you need clarified? So I take it my initial answer was correct, no? Do I get an accepted answer? :)
Mogounus
Sure, this pretty much answers my question, only I can't mark this as an accepted answer; the first post doesn't quite answer what I asked, IMHO :)
Jason
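Added example, not part of the thread above: a complete service and client configuration for the setup the question and the second answer converge on, one X.509 certificate on the service and no certificates distributed to clients. One point to know first: with wsHttpBinding in Message mode and clientCredentialType="Windows", WCF derives the message-protection keys from an SSPI (SPNEGO) negotiation, or from Kerberos when negotiateServiceCredential="false", and the certificate configured under serviceCredentials is not what signs or encrypts the message. The client credential type that combines a service certificate with a Windows account check and needs nothing installed on the client is "UserName": the client's Windows user name and password travel inside the encrypted message, the service certificate is handed to the client during the negotiation, and the service validates the password against Windows accounts by default. The service name, contract, addresses and log path are assumptions; "MyCert" and the binding/behavior names are taken from the question. The diagnostics section answers the "I can't see the content" problem from the second answer: transport-level logging records the message as it goes on the wire, service-level logging records it after decryption.

```xml
<!-- Service app.config (self-hosted). Names, contract, addresses and log path are assumptions. -->
<configuration>
  <system.serviceModel>
    <services>
      <service name="Demo.CalculatorService" behaviorConfiguration="wsHttpCertificateBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost:8000/calc" />
          </baseAddresses>
        </host>
        <!-- Plain HTTP is enough: integrity and confidentiality come from the WS-Security message layer -->
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="msgBinding"
                  contract="Demo.ICalculator" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="msgBinding">
          <security mode="Message">
            <!-- UserName: the client sends a Windows user name and password inside the encrypted message.
                 negotiateServiceCredential="true" (the default) gives the client the service certificate
                 during the handshake, so no certificate has to be deployed to clients. -->
            <message clientCredentialType="UserName" negotiateServiceCredential="true" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="wsHttpCertificateBehavior">
          <serviceCredentials>
            <!-- The hosting process identity must be able to read this certificate's private key;
                 for IIS or a Windows service that usually means LocalMachine\My rather than CurrentUser. -->
            <serviceCertificate findValue="MyCert" x509FindType="FindBySubjectName"
                                storeLocation="LocalMachine" storeName="My" />
            <!-- Windows is the default validation mode: the user name/password is checked against
                 local or domain accounts, so no custom validator is needed. -->
            <userNameAuthentication userNamePasswordValidationMode="Windows" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <diagnostics>
      <!-- Transport level: the wire form (WS-Security header, EncryptedData elements).
           Service level: the same message after decryption, so plaintext application data. -->
      <messageLogging logEntireMessage="true" logMessagesAtTransportLevel="true"
                      logMessagesAtServiceLevel="true" maxMessagesToLog="100" />
    </diagnostics>
  </system.serviceModel>
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel.MessageLogging" switchValue="Information">
        <listeners>
          <add name="msglog" type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="C:\logs\messages.svclog" />
        </listeners>
      </source>
    </sources>
  </system.diagnostics>
</configuration>

<!-- Client app.config -->
<configuration>
  <system.serviceModel>
    <client>
      <endpoint name="calc" address="http://localhost:8000/calc" binding="wsHttpBinding"
                bindingConfiguration="msgBinding" contract="Demo.ICalculator"
                behaviorConfiguration="checkServiceCert">
        <identity>
          <!-- Must equal the subject CN of the service certificate; a certificate with any other
               name fails the identity check before the password is sent. -->
          <dns value="MyCert" />
        </identity>
      </endpoint>
    </client>
    <bindings>
      <wsHttpBinding>
        <binding name="msgBinding">
          <security mode="Message">
            <message clientCredentialType="UserName" negotiateServiceCredential="true" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="checkServiceCert">
          <clientCredentials>
            <serviceCertificate>
              <!-- ChainTrust: the negotiated certificate must chain to a root the client trusts.
                   certificateValidationMode="None" accepts any certificate, so anyone on the path
                   could receive the password; keep that setting on development machines only. -->
              <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

The client still supplies the credential in code, by setting ClientCredentials.UserName.UserName and ClientCredentials.UserName.Password on the proxy before the first call. WCF requires a service certificate for this binding and fails at ServiceHost.Open when none is configured, rather than sending the token unprotected. Open the .svclog file in SvcTraceViewer.exe to compare the transport-level and service-level copies of one message; because the service-level copy is decrypted, the log file needs the same protection as the data itself, and the logging should be switched off once the check is done.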