Self-hosted NetTcpBinding between two machines *not* on the same domain

views:

265

answers:

Self-hosted NetTcpBinding between two machines not on the same domain

I have a self-hosted (console app for the time being) WCF application that needs to be hosted on a machine that is separate from the clients - So there is no security link via a Windows Domain between the server and clients.

What options are there for using Message-level security with this set-up? A colleague has told me that the communication will work if I set Security.Mode = SecurityMode.None on the TCP binding but this is not ideal. Am I right in thinking that no encryption of data takes place if SecurityMode.None is set on the binding?

Any help on this is greatly appreciated.

You can get an encrypted connection with netTcpBinding using transport security w/ EncryptAndSign protectionLevel, a service certificate (must be trusted by the client unless you shut off cert validation on the client), and clientCredentialType None. You could use message security, but transport is much more performant, allows for streaming (if you need it) and is generally much easier to get working reliably. You can do auth with client certs or custom username/password stuff (assuming you don't have trust between the domains). I don't think you can do Windows username/password auth without client and server being on the same or trust-connected domains or using local accounts on both sides with matching usernames/passwords.

nitzmahone 2009-09-26 07:50:30

My plan is to authenticate users myself. The client app will send username/password pairs to the server.I've been doing a bit more research. Ideally, I'd like to use Message security because data will be sent across the Internet. My concerns are not with client authentication, but data encryption between the client and server. Is the only way to accomplish this to use certificates?

Paul 2009-09-27 14:43:08

Internet or not shouldn't affect your security choice of message over transport (especially not with netTcpBinding). Message security really only makes sense with HTTPS when you're using intermediate SSL proxies that terminate the SSL tunnel (shouldn't be an issue with netTcp), and even then only when you want to keep the contents hidden from those proxies.

nitzmahone 2009-09-28 11:30:09

Certs aren't the ONLY way to get privacy, but certainly the easiest (especially if you control both sides and the machines aren't on the same domain). Authentication is an optional part of that, and it sounds like you're planning to handle that another way, so great. All you need then is a server cert so you can do an SSL session key exchange to get an encrypted tunnel to talk through. It's really easy to generate a self-signed cert and force the client to trust it in config. Then you can do whatever username/password stuff inside the tunnel that you want (either with WCFs help or not).

nitzmahone 2009-09-28 11:31:00

ansaurus

tags:

views:

answers:

Self-hosted NetTcpBinding between two machines not on the same domain

related questions