What's the easiest security mode for implementation in WCF? - wcf

What's the easiest security mode for implementation in WCF when:
Both client and service are .NET applications.
Client and service are negotiating over the internet.
SSL is not available.
Port 80 (web) is preferred for communication.
Using an X.509 certificate should be the last option (using the same credentials in the configuration file on both sides is preferred, if possible).

Security means a lot of things:
Authentication
Authorization
Confidentiality
Integrity
To name a few. You need to decide what your requirements are for each.
Since SSL is not available you must use message-level security. But assuming the machines do not necessarily live on the same Windows domain, you cannot use Windows authentication and must use an X.509 certificate, at least on the server side. So:
<!-- inside the customBinding's <binding> element -->
<security authenticationMode="UserNameForCertificate" />
where the client authenticates with a username and the server with a certificate (the client needs to install this certificate).
You could also use a WSHttpBinding with all default settings except:
<security mode="Message"><message clientCredentialType="UserName" /></security>
In that case the client does not need to install the certificate; it gets it automatically at runtime via negotiation.
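The WSHttpBinding variant described in the answer, set up programmatically, as an added example that is not code from the original answer. It assumes a hypothetical IMyService/MyService contract, a hypothetical service certificate subject name, and placeholder credentials; the custom validator compares the shared username/password in constant time so a wrong guess cannot be timed.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;
[ServiceContract] public interface IMyService { [OperationContract] string Ping(string s); }
public class MyService : IMyService { public string Ping(string s) { return "pong:" + s; } }
// Checks the username/password the client sends inside the signed and encrypted SOAP message.
// Both values are compared in constant time so the validator does not leak how far a guess matched.
public class ConfigCredentialValidator : UserNamePasswordValidator
{
    // Assumption: in a real deployment these come from the service's configuration file (placeholders here).
    private const string ExpectedUser = "svc-client";
    private const string ExpectedPassword = "PLACEHOLDER-shared-secret";
    public override void Validate(string userName, string password)
    {
        bool ok = userName != null && password != null
                  && (FixedTimeEquals(userName, ExpectedUser) & FixedTimeEquals(password, ExpectedPassword));
        if (!ok) throw new SecurityTokenException("Unknown username or incorrect password");
    }
    public static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;                       // a length mismatch also fails
        for (int i = 0; i < Math.Min(x.Length, y.Length); i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
public static class Program
{
    public static void Main()
    {
        // Message security over plain HTTP on port 80: the SOAP body itself is signed and encrypted, no SSL needed.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.NegotiateServiceCredential = true; // client fetches the service cert at runtime
        var host = new ServiceHost(typeof(MyService), new Uri("http://localhost:80/MyService"));
        host.AddServiceEndpoint(typeof(IMyService), binding, "");
        // The service proves its identity with a certificate (hypothetical subject name); clients use username/password.
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My,
                                                           X509FindType.FindBySubjectName, "myservice.example.com");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new ConfigCredentialValidator();
        host.Open();
        Console.ReadLine(); // keep the host alive until Enter is pressed
        host.Close();
    }
}
```

The client side only needs the matching binding, ClientCredentials.UserName set to the shared values, and a way to trust the negotiated service certificate (chain trust by default).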

Both client and service are .NET applications.
Take a look here http://msdn.microsoft.com/en-us/library/ee707353(v=vs.91).aspx

Related

SSL Server-side certificate on client computer?

There is a server with a WCF client, which periodically initiates communications over the internet with many WCF services installed on our clients' computers. The WCF services and WCF clients are hosted in a Windows service; the current binding is basicHttpBinding.
Communication has to be over HTTPS with mutual authentication. The company ordered an SSL certificate, but it is not clear if this certificate can be installed on the clients' computers (because the WCF service is there) without exposing a private key. The binding can be basicHttpBinding or wsHttpBinding with transport or message security, but using certificates.
Is it possible to install the service-side certificate on the client computers and the client-side certificate on our server? Should this architecture be reworked so the WCF service is on our server, or is it possible to secure the current solution somehow?
Each computer involved requires its own certificate. A certificate's value for authentication relies on the uniqueness of the private key. The private key never leaves the host machine, and the certificate can be used to authenticate said machine (because it is the only one in the world that possesses that private key). As soon as you start distributing copies of a private key, security is pretty much compromised.
Normally such deployments rely on a PKI infrastructure which can create certificates on demand and sign them with a trusted key.
What product/protocol the certificates are used for is irrelevant. What kind of WCF HTTP binding you use matters not.

Do web servers need to verify browser client certificates?

I'm implementing an SSL layer for a web server project. I'm using polarSSL, though I think this question is a general SSL question.
When I get a connection to my server from a client I configure the SSL protocol like this:
ssl_set_endpoint( &mSsl, SSL_IS_SERVER );
ssl_set_authmode( &mSsl, SSL_VERIFY_NONE );
I.e., I'm not verifying the connection from the client. Do I need to do this?
Most browsers don't have client-side certificates, though some do (I think). Is there any need or advantage for the server to verify the client? This is for a service where I would happily serve the data to a client that had no client-side certificate at all.
Client-side authentication in SSL/TLS is used when it's required for the server to know its client. For example, it's widely used in banking, to access custom corporate servers, etc.
Conversely, the common web server is intended to serve a wide audience and not care about who's coming in. So client-side authentication is not used unless you know that you need it.

WCF in a domainless setting

I have a .NET client-server system, which uses WCF for communication.
The communication must be secure. Up to now I used Windows Credentials for authentication.
But now a new requirement emerged - the system must work in a situation, when client and server are located in different domains (or the client isn't in any domain).
Windows Credentials authentication won't work in this setting. AFAIR, WCF supports the following security mechanisms:
Windows Authentication
X509 Certificates
Issued Tokens
Username and password
Which of them should I use, if
I need to implement the fix with the least possible effort,
client and server are located in different domains (therefore, Windows authentication is not an option) and
the communication must be secure (the server must not process requests from unauthorized clients)?

WCF WsHttpBinding Certificate Transport Security - Windows Certificate Configuration

I have two WCF services using WsHttpBinding with transport security and mutual certificate authentication that are being hosted on the same Windows server. Clients that can access one WCF service should not have access to the other WCF service. I need some help on configuring the client certificates on the Windows host. The client certificates are signed by trusted CAs, and the intermediate and root certificate chain is already installed on the server. It seems like the service automatically relies on the chain of trust and does not require the actual client certificates to be installed on the server at all before letting the client access the service; this is not the behavior I want. Can someone please tell me how I should be configuring these client certificates in order to explicitly allow access to one service and not the other?
Thanks.
That has nothing to do with the certificates themselves. When using mutual SSL authentication, certificates are used only to authenticate the client, and the authentication is done outside of your application (this is the difference from message security, where you can create a custom certificate validator). Once the certificate is trusted, the client is automatically authenticated to anything on the server that uses certificates for authentication.
You are looking for authorization: the step where you define what an authenticated client can do with your service. You can either hardcode your authorization logic into your service using role-based security, or you can implement two custom ServiceAuthorizationManagers and assign each to a single service.
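One way to implement the per-service ServiceAuthorizationManager the answer suggests, as an added example that is not code from the original answer. It assumes transport security with client certificates (so the caller's certificate shows up as an X509CertificateClaimSet) and uses placeholder thumbprints for the allowlists; SSL has already authenticated the caller, this class only decides whether that caller may use this particular service.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.ServiceModel;
// Authorization step for a service behind mutual-certificate transport security:
// chain trust has already authenticated the caller; this manager decides whether
// that particular caller may use THIS service, by pinning the client certificate thumbprint.
public class ThumbprintAuthorizationManager : ServiceAuthorizationManager
{
    private readonly HashSet<string> allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    public ThumbprintAuthorizationManager(IEnumerable<string> allowedThumbprints)
    {
        foreach (var t in allowedThumbprints) allowed.Add(t.Replace(" ", ""));
    }
    // Pure decision logic, kept separate so it can be unit-tested without a running host.
    public bool IsAllowed(string thumbprint)
    {
        return !string.IsNullOrEmpty(thumbprint) && allowed.Contains(thumbprint.Replace(" ", ""));
    }
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        var ctx = operationContext.ServiceSecurityContext;
        if (ctx == null || ctx.IsAnonymous) return false;     // no authenticated caller: deny
        foreach (ClaimSet cs in ctx.AuthorizationContext.ClaimSets)
        {
            var x509 = cs as X509CertificateClaimSet;           // produced by transport certificate authentication
            if (x509 != null) return IsAllowed(x509.X509Certificate.Thumbprint);
        }
        return false;                                           // authenticated by something other than a client cert
    }
}
public static class HostSetup
{
    // Each ServiceHost gets its own manager with its own allowlist, so a client certificate
    // accepted by serviceA is still rejected by serviceB. The thumbprints are placeholders.
    public static void Configure(ServiceHost serviceA, ServiceHost serviceB)
    {
        serviceA.Authorization.ServiceAuthorizationManager =
            new ThumbprintAuthorizationManager(new[] { "PLACEHOLDER-THUMBPRINT-CLIENT-1" });
        serviceB.Authorization.ServiceAuthorizationManager =
            new ThumbprintAuthorizationManager(new[] { "PLACEHOLDER-THUMBPRINT-CLIENT-2" });
    }
}
```

Pinning by thumbprint means the allowlist must be updated whenever a client certificate is renewed; pinning by subject or issuer instead trades that maintenance for a wider trust boundary.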

WCF and authentications requiring certificates?

Can anyone explain to me when a certificate is required when using WCF and authentication? From my understanding, although I could be way off :-)
basicHttp doesn't require a certificate to do authentication if it is hosted in IIS and using SSL; otherwise a certificate is required.
All other bindings like netTcpBinding etc. require the use of a certificate; is this true?
Or does it depend on what type of authentication I am using?
I would really appreciate any info, or maybe a table telling me when a certificate is needed.
I have a number of scenarios I am investigating, like hosting in IIS or hosting in a Windows service.
And I just can't seem to find the info I need.
Thanks in advance
There are two scenarios where you need a certificate:
A server-side certificate that is used for SSL. For basicHttpBinding, if you are sending a username and password over the network you should use SSL.
A client-side certificate if you are authenticating clients using certificates.
Other bindings may use machine keys and certificates in the operating system, but you do not need to install a certificate for them to work.