wcf-security

Implementing Claims-Based Security (WCF/Asp.NET)

After researching the topic of Claims-Based Security (or a Federated Security Model), I've been coming across many examples that use Cardspace as an example. The main article that I read that gave a really great explanation of the subject was a PDF by Microsoft on a framework called Zermatt. The claims-based security architecture I'...

WCF Security - A list of what I don't understand

Hi Guys, I'm going around in circles with regards to WCF and security so I'm just going to shove a load of questions here and hope someone can help me gain a clear picture. Can someone please give me a plain English explanation of Transport vs Message level security? I think I have a service running under SSL that will authenticate ...

WCF security problem

Some background: in order to provide authentication I'm using certificates on client and server side (WCF) and use one certificate for all clients (manually loading it from application directory - not the safest way, but it doesn't require to manage certificate storage and making installation more difficult): AddressHeader host...

Asp.net not authenticating against wcf service on server 2008

I am having a tough time deploying a web site to IIS 7 on Windows Server 2008. The site works fine until it tries to make calls to a WCF service hosted on the same host. Everything works great for the service from my workstation when the web is run in Visual Studio 2008 using the exact same web config etc. As soon as I deploy the web...

"Cannot load the X.509 certificate identity specified in the configuration"

I transferred a working WCF service from my development environment to the QA environment, including the certificates (Root Authority, Root Auth revocation list, Service certificate - including its PK). Afterward I located the private key using 'FindPrivateKey' and gave all the relevant accounts full permissions to access the private ke...

Custom binding with WCF

Hello! I have a WCF service where I have to implement the callbacks and also I need to host the WCF service on IIS 6.0. Since IIS 6.0 does not support the net.tcp binding, I decided to go for the custom binding. The reasons for going for custom binding is that the service is accessed by different clients in different timezones. Usi...

Getting caller's hostname in WCF

Hi, I'm replacing an existing web service with a WCF service and as the first step of migration I'm going to expose an endpoint with BasicHttpBinding until the client is upgraded later on in the year. The plan is to host the new WCF service with a windows service (the service will only be called from within the intranet so there's no r...

How Do I Avoid SSL Certificates during Development for a WCF endpoint that will be secured during Production

We are developing a number of WCF services. Requests will cross a domain boundary; that is, the clients are running in one domain and the servers handling the requests are in a different (production) domain. I know how to secure this link with SSL and certificates. We will ask the users for their usernames and passwords on the product...

Is it possible to configure Security mode as Transport with "Windows" as clientCredentialtype via https?

I want to implement https with Windows Authentication. I tried it but I am getting the following error: {System.ServiceModel.ProtocolException: The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8). After this it tries to load the login form....

How to use System.IdentityModel in own client-server application

I've got a simple client-server application based on TcpClient/TcpListener and SslStream. Clients can authenticate themselves to the server using a X509Certificate or by sending a user name and password after the SslStream has been established. WCF makes use of the System.IdentityModel namespace for authentication purposes, but apparent...

Can I setup an IP filter for a WCF Service?

I'm modifying my WCF API to include a new service that should be exposed to internal IP addresses only. All of the services in my API are available in SOAP, POX and JSON. What I'm looking for is a behavior or something that allows me to implement a simple IP address filter, to process requests from internal IPs and deny everything els...

Custom X509CertificateValidator with BasicHttpSecurityMode.Transport?

Is there an easy way to tie custom X509 cert validation to BasicHttpBinding (or CustomHttpBinding for the same matter, which will implement transport-only security)? EDIT1: I added a ServerCertificateValidationCallback to the code for the sake of showing that it doesn't fire up either. Here's what I'm trying to do: 1) wrote custom X50...

Does each authenticated WCF client connection need a CAL?

Just like the title says. Does each authenticated WCF client connection to a WCF server that you have developed need a Windows CAL? http://www.microsoft.com/windowsserver2008/en/us/client-licensing.aspx Microsoft's licensing on that page sure makes it sound like it, but I can't find anything out there that confirms, or even denies thi...

How should I configure WCF security for an internal service between two Domains?

Here's my scenario: I'm planning on running a Windows Service hosted WCF service on a server that is outside of our domain (in its own workgroup). I need to access it securely from a client that is inside our domain. There is a firewall between the two machines that we are in control of. The service does not need to be accessible by a...

WCF Architecture

Hi, I am busy designing a WCF app. The app's purpose will be to give insurance members access to their insurance information via the web. The problem lies with our network architecture and I am not exactly sure what type or combination of security I must use. In our internal network we have a UNIX environment which I access using Entir...

Security Context of DB connection over Web Service Call

Hello, If I have an application (on C#) that runs under a user context (ex. DOMAIN\StandardUser) which makes a call to a Web Service, which has the web service worker process running under a different context (ex. DOMAIN\WebServiceUser), and that web service connects to a SQL database, which user context does the database connect from, ...

wsFederationHttpBinding, passing custom user Identity to STS

I'm trying to implement the following scenario: Client passes its credentials to STS. STS applies custom AuthorizationPolicy to determine set of claims available to particular user and issues a secure token. Client passes the token to business services which determine user's privileges basing on the set of claims they got from the token. ...

WCF, Security and Certificates

I have a client/server WCF application that needs some sort of user authentication against a database. The application (both client and server together) is being developed to be sold to dozens of customers, for use on their intranets. We're not too worried about encrypting most of the data moving across the wire, except of course durin...

Connect with WCF to a WebService authenticated with username/password

I created a proxy of a Web Service with Visual Studio 2008, and it created for me the following entry in the app.config: <system.serviceModel> <bindings> <basicHttpBinding> <binding name="MyNameHandlerSoapBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10...

SSL Error with WCF Service using Transport Security & Cert. Authentication

I don't know if this is a question more suited for Serverfault.com, really depends on the answer, but I have followed this tutorial in .NET C# to setup a WCF service under 'wsHttpBinding' (Transport Security & Certificate Authentication), I have created a test development certificate using the methods described here and I have also confi...