views:

114

answers:

1

I have been searching n the web on how and if it is possible to verify that the calling application is digitally signed with the correct certificate.

This is for internal use for my corporation. we want to digitally sign our applications and only let our digitally signed applications to access our wcf services. is this a configuration of the iis or in the wcf app? and how?

Thanks Marios

A: 

You can't do what you want by default in WCF; it simply doesn't pass assembly information as part of any of its security negotiations.

You might fake it by having your program reflecting on its assembly and using the AssemblyName's PublicKeyToken and passing that up to the service as part of the request, but I don't recommend it; you'll be highly susceptible to replay attacks. Anyone with Reflector could figure out how to use your service whenever they wanted to.

Ultimately, you are better off building some sort of credentials system into your service and forcing your users to provide those credentials when using your service.

Randolpho