basicHttpBinding with and without ssl at the same time - wcf

I have a WCF service hosted on IIS that is working perfectly well over https with SSL. It has the following simple binding setup...
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding maxBufferSize="524288"
               maxBufferPoolSize="1048576"
               maxReceivedMessageSize="524288">
        <readerQuotas maxStringContentLength="262144" maxArrayLength="65536" />
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
</system.serviceModel>
Is it possible to have another basicHttpBinding but without the security mode so that clients can connect with http or https? Do I just copy and paste the binding and remove the security mode on the copy? Or will that cause confusion because there are two bindings of the same type but they do not have names?

You have to create another binding and add an additional endpoint to use the binding without security. A binding is only a description HOW an endpoint should be created, but the binding configuration does not open any endpoints. You can have many endpoints using the same binding, but only one binding per endpoint.
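One way to lay out what the answer above describes, as an added example that is not from the original posts: two named basicHttpBinding configurations and one endpoint per binding on the same service. The binding, service and contract names are hypothetical; in IIS the site needs both an http and an https binding, and anything sent to the http endpoint travels unencrypted.

```xml
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- HTTPS endpoint: transport security, quotas copied from the question -->
      <binding name="SecureBasic"
               maxBufferSize="524288"
               maxBufferPoolSize="1048576"
               maxReceivedMessageSize="524288">
        <readerQuotas maxStringContentLength="262144" maxArrayLength="65536" />
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
      <!-- HTTP endpoint: same quotas, no transport security (cleartext) -->
      <binding name="PlainBasic"
               maxBufferSize="524288"
               maxBufferPoolSize="1048576"
               maxReceivedMessageSize="524288">
        <readerQuotas maxStringContentLength="262144" maxArrayLength="65536" />
        <security mode="None" />
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <!-- Hypothetical service and contract names -->
    <service name="MyNamespace.MyService">
      <!-- Resolved against the https base address of the IIS site -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="SecureBasic"
                contract="MyNamespace.IMyService" />
      <!-- Resolved against the http base address of the IIS site -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="PlainBasic"
                contract="MyNamespace.IMyService" />
    </service>
  </services>
</system.serviceModel>
```

Each endpoint selects its binding through bindingConfiguration, so the two configurations no longer collide the way two unnamed bindings of the same type would.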

Related

BasicHttpBinding fails when sharing endpoint with WsHttpBinding - The server certificate is not provided

I have a WCF service endpoint that uses WsHttpBinding and BasicHttpBinding with different addresses to allow them to share the endpoint. There is no security on the BasicHttpBinding. The BasicHttpBinding works fine when my service and client are on the same machine. When they are on different machines the BasicHttpBinding fails and I get this error in the service's trace log: The service certificate is not provided. Specify a service certificate in ServiceCredentials.
The error stops happening if I remove the WsHttpBinding from the service's config.
Service's web.config:
<bindings>
  <basicHttpBinding>
    <binding name="MyBasicBinding"
             maxBufferPoolSize="5242880"
             maxReceivedMessageSize="5242880" />
  </basicHttpBinding>
  <wsHttpBinding>
    <binding name="MyWsBinding"
             bypassProxyOnLocal="false"
             hostNameComparisonMode="StrongWildcard"
             maxBufferPoolSize="5242880"
             maxReceivedMessageSize="5242880"
             allowCookies="false">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <security mode="Message">
        <message clientCredentialType="None" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<services>
  <service name="MyService">
    <endpoint address="basic" binding="basicHttpBinding" bindingConfiguration="MyBasicBinding"
              contract="MyFramework.IMyService" bindingNamespace="http://MyFramework/Services/"/>
    <!-- The basic binding fails when the WS binding is present.
         If I remove the WS binding, the basic binding will work. -->
    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MyWsBinding"
              contract="MyFramework.IMyService" bindingNamespace="http://MyFramework/Services/"/>
  </service>
</services>
FYI I'm using a different address for the basic binding which allows the 2 bindings to share the same endpoint. The URL for WsHttpBinding is http://server/MyService.svc and for BasicHttpBinding is http://server/MyService.svc/basic.
Why does the presence of the WsHttpBinding force the BasicHttpBinding to expect a certificate?
When the service goes up it needs to ensure all endpoints are valid. Since one of the endpoints (the WSHttp one) uses certificate authentication, the server will not go up if this certificate is not defined. So the error is not related to the BasicHttp. That still does not explain why everything works if on the same machine; check if the exact same configuration is used.

UsernameToken and SSL in WCF 4 web service

I am creating a web service that will be consumed by a single client in another part of the world. I don't have any knowledge or control over the technology they are using but have been asked to
"use SSL to encrypt the message during transport and use UsernameToken
for client authentication"
I'm planning to use WCF4 to create the service and know generally how to set this all up. However I'm struggling to find the correct configuration for bindings etc. Google gives me lots of results around WSE 3.0 but I'm pretty sure (please correct me if I'm wrong) that I shouldn't be using WSE for a WCF service.
This article initially seems to suggest I should be using a custom binding but then also says I should "consider using the WCF system-defined bindings with appropriate security settings instead of creating a custom binding". However I can't see any examples of what this should be.
I would be grateful if anyone can point me in the right direction.
tl;dr: What are the WCF4 config settings to support SSL and UsernameToken?
Take a look at the WsHttpBinding. You can use a security mode of TransportWithMessageCredential to use SSL and a message credential of UserName. If you are hosting in IIS set up SSL there.
You can set up the binding in config as follows.
<bindings>
  <wsHttpBinding>
    <binding name="secureBinding">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
        <message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="false" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
You can then use this binding config as follows:
<services>
  <service name="ServiceName">
    <endpoint address="" binding="wsHttpBinding" contract="ContractType" bindingConfiguration="secureBinding" />
  </service>
</services>
Both these elements are children of the system.serviceModel element in config.

Does setting Security Mode = Transport automatically make it secure in a HTTPS web service?

I have a web service and we're currently hosting it in a HTTPS site.
My binding is this.
<wsHttpBinding>
  <binding maxReceivedMessageSize="2000000" >
    <readerQuotas maxStringContentLength="2147483647" />
    <security mode="Transport">
    </security>
  </binding>
</wsHttpBinding>
And it seems to work well. But my main aim is to make sure the web service requests and responses are encrypted. I don't know much about web services but is that all there is to it?
Just use HTTPS and put this line in your configuration?
<security mode="Transport">
</security>
Or is there more to it? How can I know if the messages sent are encrypted or not?
Yes that's all. The mode Transport demands transport level security which in your case means HTTPS. If you want to see that messages are encrypted you must use some network monitoring tool (Fiddler, WireShark, etc.)

WCF security in an internet scenario

I have a WCF service hosted in a Windows Service. Clients from various platforms will access the service. Now I would like to add a basic security mechanism. Ideally, the clients should use username/password for authentication.
Which binding settings do I have to use in this scenario and how can I authenticate the client? Interoperability is more important than a very secure solution. If possible the client should not be forced to use a certificate or the like. Additionally, authentication should not be strongly coupled with a SQL Server database. I would like to manually inspect the client credentials.
Thanks for your help
The best for your case can be BasicHttpBinding with security set to TransportWithMessageCredential and credential type set to UserName. In this case your service will be secured with HTTPS (requires server certificate for SSL which has to be trusted on clients) and authentication will be provided on message level with UserName Token Profile (SOAP header). You can implement your own password validator.
BasicHttpBinding configuration skeleton:
<bindings>
  <basicHttpBinding>
    <binding name="Secured">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
If you don't want to use HTTPS you can create custom binding with HttpTransport, TextMessageEncoding and with security mode set to UserNameOverTransport. But you have to set allowInsecureTransport to true (be aware that there is some bug with WSDL generation in this setting).
Custom binding configuration skeleton:
<bindings>
  <customBinding>
    <binding name="Secured">
      <security authenticationMode="UserNameOverTransport" allowInsecureTransport="true" />
      <textMessageEncoding messageVersion="Soap11" />
      <httpTransport />
    </binding>
  </customBinding>
</bindings>
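A fuller configuration for the BasicHttpBinding skeleton earlier in this answer, added here as an illustration and not part of the original answer: it ties the Secured binding to a self-hosted endpoint and switches UserName validation to a custom validator. The service, contract, assembly and validator type names and the base address are hypothetical; the validator is assumed to be a class deriving from System.IdentityModel.Selectors.UserNamePasswordValidator.

```xml
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- HTTPS for confidentiality, UserName token in the SOAP header for authentication -->
      <binding name="Secured">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="SecuredBehavior">
        <serviceCredentials>
          <!-- Custom mode hands the username and password to the named validator
               class instead of checking them against Windows accounts.
               The type and assembly names are hypothetical. -->
          <userNameAuthentication
              userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="MyNamespace.MyPasswordValidator, MyAssembly" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <!-- Hypothetical service and contract names -->
    <service name="MyNamespace.MyService" behaviorConfiguration="SecuredBehavior">
      <host>
        <baseAddresses>
          <!-- Hypothetical address; the scheme must be https for this security mode -->
          <add baseAddress="https://localhost:8443/MyService" />
        </baseAddresses>
      </host>
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="Secured"
                contract="MyNamespace.IMyService" />
    </service>
  </services>
</system.serviceModel>
```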
See the Internet section of the Application Scenarios for guides on how to achieve this: CodePlex Application Scenarios

Anonymous clients connecting to WCF

This article from Microsoft details how to implement transport security with an anonymous client.
http://msdn.microsoft.com/en-us/library/ms729789.aspx
I'd like to know if it is possible to achieve the same goal, using netTcpBinding instead of WsHttpBinding and hosting the service as a Windows Service.
Yes, I don't see any reason why this wouldn't work over netTcp Binding. By default, netTcp is using transport level security already, but also Windows credentials. Just turn those off, and you should be good to go.
<bindings>
  <netTcpBinding>
    <binding name="SecureNetTcp">
      <security mode="Transport">
        <transport clientCredentialType="None" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>
I've never done it, but can't you just set the Client Authentication to None?