What I'm trying to do is set up a call to a service on another server. So far, I've created the proxy and got the config information.

What I'm having trouble finding is how to set the security. They are using message security and client certificates.

Here is my app.config file, what I have so far. Any information on setting the security up would be helpful. Most of the examples I've come across have to do with setting up a service and securing it on the hosting end.

<system.serviceModel>
    <bindings>
        <basicHttpBinding>
            <binding name="CCaRWebServiceSoap11Binding" closeTimeout="00:01:00"
                openTimeout="00:01:00" receiveTimeout="00:01:00" sendTimeout="01:00:00"
                allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                useDefaultWebProxy="true">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                <security mode="None">
                    <transport clientCredentialType="None" proxyCredentialType="None"
                        realm="" />
                    <message clientCredentialType="UserName" algorithmSuite="Default" />
                </security>
            </binding>
        </basicHttpBinding>
        <customBinding>
            <binding name="CCaRWebServiceSoap12Binding">
                <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                    messageVersion="Soap12" writeEncoding="utf-8">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                </textMessageEncoding>
                <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
                    maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
                    bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                    keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
                    realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
                    useDefaultWebProxy="true" />
            </binding>
        </customBinding>
    </bindings>
    <client>
        <endpoint address="serviceEndpoint1address/"
            binding="basicHttpBinding" bindingConfiguration="CCaRWebServiceSoap11Binding"
            contract="CCaRWebServicePortType" name="CCaRWebServiceHttpSoap11Endpoint" />
        <endpoint address="serviceEndpoint2address/"
            binding="customBinding" bindingConfiguration="CCaRWebServiceSoap12Binding"
            contract="CCaRWebServicePortType" name="CCaRWebServiceHttpSoap12Endpoint" />
    </client>
</system.serviceModel>

I sort of got thrown into this project so WCF is somewhat foreign to me.

+1  A: 

Do you have a service reference in your project? Does your service provide a security description in WSDL? If the answers to both questions are true, you can simply update the service reference and your configuration will be changed to secure mode (if you are lucky).

What does message security actually mean for you? Message security can also mean message encryption and signing. Message security is not supported in Basic Http Binding. For the custom binding you can start with the following configuration:

<customBinding> 
  <binding name="CCaRWebServiceSoap12Binding"> 
    <security authenticationMode="MutualCertificate" /> 
    <!-- there is plenty other configuration attributes in security element - 
         you simply have to know what you need -->
    ...
  </binding>
</customBinding>

This will set mutual certificate authentication (with asymmetric security) for your service and client. You will need the service certificate and a client certificate with a private key (provided by your service provider). You need to import these certificates into the certificate store. The account running your client application has to have access to the client certificate's private key (this should be automatic if you place the certificate into the user's Personal store).

Then you will set those certificates in the endpoint behavior:

<behaviors>
  <endpointBehaviors>
    <behavior name="clientBehavior">
      <clientCredentials>
        <clientCertificate findValue="..." storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" /> 
        <serviceCertificate>
          <defaultCertificate findValue="..." storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

In the endpoint you will reference this behavior:

<endpoint address="serviceEndpoint2address/" binding="customBinding" 
  bindingConfiguration="CCaRWebServiceSoap12Binding"        
  contract="CCaRWebServicePortType" name="CCaRWebServiceHttpSoap12Endpoint"
  behaviorConfiguration="clientBehavior" />

You can also set these certificates from code on the proxy instance.

Be aware that this is only one of many possible settings. I don't say it will work for you "as is". Setting message security with certificates is tricky, especially if you don't have a security description in WSDL or the service is not written in WCF.

You can also check this article on MSDN. It also configures the client.

Ladislav Mrnka
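
The answer above mentions setting the certificates from code on the proxy instance. The following is an added example, not code from the original answer: it builds the same MutualCertificate custom binding and assigns both certificates on a channel factory. The names MutualCertClient and CreateFactory are hypothetical, the subject names stay as caller-supplied parameters, and PeerOrChainTrust is an assumption chosen to match a service certificate placed in TrustedPeople.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.Text;

// Added example (not from the original answer). Hypothetical helper names.
public static class MutualCertClient
{
    public static ChannelFactory<TContract> CreateFactory<TContract>(
        Uri serviceAddress, string clientSubjectName, string serviceSubjectName)
    {
        // Same element order as the customBinding in config:
        // message security, then SOAP 1.2 text encoding, then HTTP transport.
        var binding = new CustomBinding(
            SecurityBindingElement.CreateMutualCertificateBindingElement(),
            new TextMessageEncodingBindingElement(MessageVersion.Soap12, Encoding.UTF8),
            new HttpTransportBindingElement());

        var factory = new ChannelFactory<TContract>(
            binding, new EndpointAddress(serviceAddress));
        var creds = factory.Credentials;

        // Client certificate from the user's Personal store; used to sign requests.
        creds.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, clientSubjectName);

        // Service certificate from TrustedPeople; used to encrypt to the service.
        creds.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.TrustedPeople,
            X509FindType.FindBySubjectName, serviceSubjectName);

        // Assumption: accept a certificate pinned in TrustedPeople or one that
        // chains to a trusted root. Avoid X509CertificateValidationMode.None,
        // which skips validation of the service certificate entirely.
        creds.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;

        // Fail at startup rather than on the first call if the process account
        // was given the certificate without its private key.
        if (!creds.ClientCertificate.Certificate.HasPrivateKey)
            throw new InvalidOperationException(
                "Client certificate has no private key available to this account.");

        return factory;
    }
}
```

Call it with the generated contract, for example `MutualCertClient.CreateFactory<CCaRWebServicePortType>(...)`, then `CreateChannel()` on the result.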