I am new to WCF. I am investigating the right way to have message body encryption over HTTPS (mixing both transport and message level security at the moment)
I have HttpsGetEnabled.
Using WsHttpBinding, I still see the message body unencrypted
<wsHttpBinding>
<binding name="myCustomWsHttpBinding">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None"/>
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
I have also tried using custom binding but same result
<binding name="myCustomBinding">
<security authenticationMode="CertificateOverTransport"
messageProtectionOrder="EncryptBeforeSign"
includeTimestamp="true"
protectTokens="true"
>
</security>
<textMessageEncoding messageVersion="Soap11WSAddressing10" />
<httpsTransport/>
</binding>
How can we have message body encrypted when using Https? If I understand correctly message level security is independent of transport so using https is possible in this case?
In the custom binding, set authenticationMode to "mutualCertificate"
Related
I have a WCF Service with netTcpBinding and I want to add GZip compression to it.
Here is my current binding:
<netTcpBinding>
<binding>
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</netTcpBinding>
But to add GZip Compression, I need to convert it to a customBinding.
So I think the new binding must looks like this:
<customBinding>
<binding>
<security ??? />
<binaryMessageEncoding compressionFormat="GZip" />
<tcpTransport />
</binding>
</customBinding>
How can I achieve mode="TransportWithMessageCredential" and clientCredentialType="UserName" of netTcpBinding in customBinding?
I need to authenticate an endpoint using certificate in WCF Config file
I have tried adding with the various authenticationMode setting
but its not working in customBinding
could you please help me to convert the below code to the custom binding
<basicHttpBinding>
<binding name="certBinding">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
This is the code i have tried in custom binding
<customBinding>
<binding name="OutbBinding1" closeTimeout="00:02:00" openTimeout="00:02:00" receiveTimeout="00:10:00" sendTimeout="00:02:00">
<textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" messageVersion="Soap11" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="20000000" maxArrayLength="20000000" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<security authenticationMode="SecureConversation">
<secureConversationBootstrap authenticationMode="AnonymousForCertificate" />
</security>
</binding>
</customBinding>
As we know, if we use the message security of BasicHttpbinding, we should set up the certificate both in the client and the server. In addition, we should also establish a certificate trust relationship between the server and the client.
One more thing needs to note is, different from the authentication mode of the transport layer security, we need to set a default service certificate (non-client certificate, use the trusted server certificates for signing messages) on the client side.
So anyway, the below configuration could achieve the same goal that authenticates the client with a certificate. please refer to the below configuration.
<customBinding>
<binding name="TehRealBinding">
<textMessageEncoding />
<security authenticationMode="MutualCertificate" />
<httpTransport />
</binding>
</customBinding>
Besides, the following document might be useful to you.
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/securitybindingelement-authentication-modes
Feel free to let me know if there is anything I can help you.
I have a wsHttpBinding like this
<wsHttpBinding>
<binding name="binding1">
<security mode="Message" >
<message clientCredentialType="Windows" negotiateServiceCredential="true" />
</security>
</binding>
</wsHttpBinding>
If only NTLM is available,
Is this mean WCF will send client's credential through SOAP message?
Is this configuration compatible with ws-security?
Thanks
Both your questions are answered with a YES. Please read http://www.codeproject.com/KB/WCF/HttpBinding.aspx for details:
As WsHttBinding supports WS-*, it has WS-Security enabled by default. So the data is not sent in plain text.
I have the below given setting in my web.config of my WCF service, this was working fine till today and suddenly started giving the error "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail." I have verified the time in my server and client it's same.
Any thoughts?
<bindings>
<customBinding>
<binding name="stsBinding">
<security authenticationMode="UserNameOverTransport" requireDerivedKeys="false"
keyEntropyMode="ServerEntropy" requireSecurityContextCancellation="false"
requireSignatureConfirmation="false">
</security>
<httpsTransport maxReceivedMessageSize="66665536"/>
</binding>
</customBinding>
<wsFederationHttpBinding>
<binding name="serviceFederation">
<readerQuotas maxStringContentLength="2147483647"
maxDepth="2147483647"
maxBytesPerRead="2147483647"
maxArrayLength="2147483647"/>
<security mode="TransportWithMessageCredential">
<!-- Ping token type MUST be SAML 1.1, do not change -->
<message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
negotiateServiceCredential="false">
<!-- TODO: You must put the proper issuer URN of the Ping STS; normally this would be the Ping base URL -->
<issuer address="https://my-sso-server.com"
binding="customBinding" bindingConfiguration="stsBinding" />
</message>
</security>
</binding>
Things to check:
Is there any windows patch that has been installed, sometimes this tightens security and stops things working.
Is there a password that has expired, often the cause when things stop working.
I am new at WCF programming model and I want to use netTcpBinding. Before I ask my question below this is my custom binding :
<customBinding>
<binding name="basic">
<security authenticationMode="UserNameForCertificate"/>
<binaryMessageEncoding/>
<httpsTransport/>
</binding>
</customBinding>
When I create a service reference using a simple console application it finds a certificate and ask me to use it. And this way I can use the webservice ...
But when I change binding to netTcpBinding with TransportWithMessageCredential the service is looking for certificate and could not find it like this :
<netTcpBinding>
<binding name ="sdfsd">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName"/>
<transport clientCredentialType="None"/>
</security>
</binding>
</netTcpBinding>
ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByIssuerName, "Contoso.com").
At this point I use a CustomNameValidator and I do it programmatically.
So when I use netTcpBinding with TransportWithMessageCredential, why does the call to SetCertificate not find the installed certificate? Am I missing something ? Or do I have to add something?
ok guys...sorry but some of the message is miising ...
my custom binding is
customBinding
<customBinding>
<binding name="basic">
<security authenticationMode="UserNameForCertificate"/>
<binaryMessageEncoding/>
<httpsTransport/>
</binding>
</customBinding>
and netTcpBing that i tried to convert is :
<netTcpBinding>
<binding name ="sdfsd">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName"/>
<transport clientCredentialType="None"/>
</security>
</binding>
</netTcpBinding>