Manual addressing with secure customBinding on WCF service - wcf

I'm developing a web service for a WSDL defined externally. Access is done with HTTP/S (server and client certificates) and both the request and response are signed with the respective certificate. I have imported the WSDL in VS2010 with a service reference and added signing to the MessageContracts, set up the config file to do security and https and setup SSL on the port.
I'm close to getting it working, but I need to enable manual addressing to insert a wsa:To element in the response, but can't figure out how to get that working.
Any help is appreciated.
Here's my current config section:
<bindings>
<customBinding>
<binding name="AfleverServiceSoapBinding_V1_1">
<security defaultAlgorithmSuite="TripleDesRsa15"
authenticationMode="MutualCertificateDuplex"
requireDerivedKeys="false"
securityHeaderLayout="Lax"
includeTimestamp="true"
keyEntropyMode="CombinedEntropy"
messageProtectionOrder="EncryptBeforeSign"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSignatureConfirmation="false"
allowSerializedSigningTokenOnReply="true"
enableUnsecuredResponse="False">
<localClientSettings cacheCookies="true"
detectReplays="true"
replayCacheSize="900000"
maxClockSkew="00:05:00"
maxCookieCachingTime="10:00:00"
replayWindow="00:05:00"
sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00"
cookieRenewalThresholdPercentage="60"/>
<localServiceSettings detectReplays="true"
issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128"
replayCacheSize="900000"
maxClockSkew="00:05:00"
negotiationTimeout="00:01:00"
replayWindow="00:05:00"
inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00"
sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true"
maxPendingSessions="128"
maxCachedCookies="1000"
timestampValidityDuration="00:05:00"/>
<secureConversationBootstrap/>
</security>
<mtomMessageEncoding maxReadPoolSize="64"
maxWritePoolSize="16"
messageVersion="Soap11WSAddressing10"
maxBufferSize="65536"
writeEncoding="utf-8">
<readerQuotas maxDepth="32"
maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
</mtomMessageEncoding>
<httpsTransport manualAddressing="false"
maxBufferPoolSize="524288"
maxReceivedMessageSize="65536"
allowCookies="false"
authenticationScheme="Anonymous"
bypassProxyOnLocal="false"
decompressionEnabled="true"
hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true"
maxBufferSize="65536"
proxyAuthenticationScheme="Anonymous"
realm=""
transferMode="Buffered"
unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true"
requireClientCertificate="true" />
</binding>
</customBinding>
</bindings>
Most of this was auto-generated.
I know I need to set the manualAddressing attribute on httpsTransport to true, but then I get an exception because this setup is in message-level security.
Would anyone know how to switch to transport-level security whilst keeping the rest the same? Since this is a customBinding, the mode attribute on the security element is not available.
Thanks a lot, Gait.
BTW, I know how to set the wsa:To in code, but it gets lost on the encoded response unless I can move to manual addressing.

Check out Nicholas Allen's Indigo Blog on Manual Addressing. Summary: not all of the transports support manual addressing. If the option is available on the transport, there are 3 steps to make it work.
First, make sure that the transport that you're using supports some form of manual addressing. If not, then you're out of luck in terms of sending messages to different destinations without creating some new object on a per-destination basis. Second, turn on that manual addressing option to prevent the automatic application of addressing headers during message sends. Third, use whatever method you want to apply your own addressing headers to the outgoing message. If you're just making service calls on a proxy, then you'll want to use something like this:
OperationContext.Current.OutgoingMessageHeaders.To = this.replyTo.Uri;

Related

Lax SecurityHeaderLayout doesn't seem to be allowing timestamp to come last

I am using the following binding for my service:
<customBinding>
<binding closeTimeout="00:10:00" openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00">
<textMessageEncoding messageVersion="Soap12">
<readerQuotas maxDepth="2147483647" maxBytesPerRead="2147483647" maxArrayLength="2147483647"
maxStringContentLength="2147483647" maxNameTableCharCount="2147483647" />
</textMessageEncoding>
<security authenticationMode="CertificateOverTransport" allowInsecureTransport="true" />
<httpTransport maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647" />
</binding>
</customBinding>
This defaults securityHeaderLayout on the security node to Strict, which requires the Timestamp node in the message to come first. I am working with another part of the corporation that does not use WCF, so the individual with whom I am working is trying to use SoapUI to test the service. SoapUI adds the Timestamp node at the end of the message. This can be moved manually, but, apparently, it gets moved back once you sign the node - so you can either have the node come first, or you can have it signed, but not both.
I've tried setting the security node to use Lax or LaxTimestampLast, but it doesn't seem to make a difference:
<security authenticationMode="CertificateOverTransport" allowInsecureTransport="true" securityHeaderLayout="Lax|LaxTimestampLast" />
When I call with my own (WCF) client using LaxTimestampLast, it fails (MessageSecurityException: Signing without primary signature requires timestamp.). Any direction would be greatly appreciated.
I had this same issue recently and I solved it by setting the messageSecurityVersion in my customBinding to a WSSecurity10 version; it had previously had a WSSecurity11 version. Here is my custom binding that works with both my WCF Client and SoapUI:
<customBinding>
<binding name="CustomBinding">
<security authenticationMode="MutualCertificate"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireDerivedKeys="false" securityHeaderLayout="Lax" />
<textMessageEncoding messageVersion="Soap11" />
<httpsTransport />
</binding>
</customBinding>

WCF - Channel time out when running app from different machine

I am trying to troubleshoot an issue with my app running at a client's site. The app uses WCF to send and retrieve files.
It was running flawlessly but started to show the following error after the client started running from a different machine in the same network:
The request channel timed out while waiting for a reply after 00:00:57.6797680. Increase the timeout value passed to the call to
Request or increase the SendTimeout value on the Binding. The time
allotted to this operation may have been a portion of a longer
timeout.
All timeouts in the config have been increased to 10min and it made no difference.
Unfortunately I cannot run this locally with VS to debug it.
Here's the binding:
<customBinding>
<binding name="MyServiceSoap12">
<textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
messageVersion="Soap11WSAddressingAugust2004" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<security authenticationMode="UserNameOverTransport" >
<localClientSettings maxClockSkew="00:10:00"/>
<localServiceSettings maxClockSkew="00:10:00"/>
<secureConversationBootstrap>
<localClientSettings maxClockSkew="00:30:00"/>
<localServiceSettings maxClockSkew="00:30:00"/>
</secureConversationBootstrap>
</security>
<httpsTransport manualAddressing="false" maxBufferPoolSize="200000000"
maxReceivedMessageSize="200000000" allowCookies="false" authenticationScheme="Anonymous"
bypassProxyOnLocal="false" decompressionEnabled="true" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="200000000" proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" requireClientCertificate="false" />
</binding>
</customBinding>
Update: The connectivity to the service is OK - the app runs other service operations without issues, from the same service. One particular operation (that retrieves files) is causing the error.
Where would you start looking?
Thanks!
Are you sending a large file?
Did you increase the SendTimeout attribute? (I did not see it in your config.)

WSDL Generation for WCF Service Behind Load Balancer

The Background:
I have a Service hosted on IIS 7.0 behind a Load Balancer which decrypts SSL as traffic passes through it.
The security mode required of the Service is Mixed-Mode, i.e. TransportWithMessageSecurity.
To enable the Service to accept HTTP traffic whilst allowing clients to communicate to the Load Balancer over SSL, I have created a User Defined Binding, which adds a custom HttpTransportBindingElement to its Channel Stack.
The custom HttpTransportBindingElement in turn asserts to the framework that it is capable of Encrypting and Signing messages...therefore the Framework won't complain when traffic comes in through it via HTTP because the Transport is claiming that it is signing/encrypting the messages...even though it's not.
(For all those concerned, this has been determined to be acceptable security-wise because the message originally should have arrived over SSL to the Load Balancer...)
The Problem:
When we use svcutil.exe to generate the client proxy, the resulting auto-generated app.config file contains an endpoint to the service which is addressed over HTTP. This should be over HTTPS.
Additionally the <transport> element within the <customBinding> node is defined as a <httpTransport> element when it needs to be a <httpsTransport> element.
I suspect this is because the WSDL which is generated by the framework on the server, is being built with HTTP addresses instead of HTTPS > in turn, as a result of using the custom HttpTransportBindingElement (as explained above).
The auto-generated app.config for the client:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="myBindingEndpoint">
<!-- WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'http://tempuri.org/': -->
<!-- <wsdl:binding name='myBindingEndpoint'> -->
<!-- <sp:HttpToken xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">..</sp:HttpToken> -->
<security defaultAlgorithmSuite="Default" authenticationMode="CertificateOverTransport"
requireDerivedKeys="true" securityHeaderLayout="Strict" includeTimestamp="true"
keyEntropyMode="CombinedEntropy" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<localClientSettings cacheCookies="true" detectReplays="false"
replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="false" issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true" maxPendingSessions="128"
maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
<secureConversationBootstrap />
</security>
<textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
messageVersion="Default" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpTransport manualAddressing="false" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
bypassProxyOnLocal="false" decompressionEnabled="true" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="http://myserver/GAEASSLWcfService/ServiceOverSSL.svc"
binding="customBinding" bindingConfiguration="myBindingEndpoint"
contract="IServiceOverSSL" name="myBindingEndpoint" />
</client>
</system.serviceModel>
</configuration>
The Work-around:
Simply changing the <httpTransport /> to <httpsTransport /> and re-addressing the endpoints to use HTTPS fixes the issue.
But we'd prefer to not have to instruct our service consumers to change their .config files...the use of our service should be as seamless as possible...
The Question:
How can I ensure the client proxies will generate automatically with the correct Addresses and Transport elements?
References:
For those who want to learn about the solution to the 'service behind a load-balancer/ssl decrypter' and the custom HttpTransportBindingElement, see this post XXX by ZZZ regarding building the user defined binding and also this post XXX by ZZZ regarding some of the other issues with exposing Services behind a Load Balancing/SSL accelerator.
I was having the same problem, my WSDL was generated with the http scheme instead of https behind my load balancer.
I've reflected the WCF code and I found a solution that worked for me, though.
In addition to useRequestHeadersForMetadataAddress, you need to turn httpGetEnabled off and httpsGetEnabled on in the serviceMetadata.
Also, if you're using .NET 4 like I think you are, instead of adding a custom HttpTransportBindingElement, just use the standard HttpTransportBindingElement and set AllowInsecureTransport on your TransportSecurityBindingElement.
Check out this question. Try to configure:
<serviceBehaviors>
<behavior name="<name>">
<!-- Other options would go here -->
<useRequestHeadersForMetadataAddress>
<defaultPorts> <!-- Use your own port numbers -->
<add scheme="http" port="81" />
<add scheme="https" port="444" />
</defaultPorts>
</useRequestHeadersForMetadataAddress>
</behavior>
</serviceBehaviors>
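
The bindings quoted in the threads above share several settings worth reviewing before deployment: allowInsecureTransport over httpTransport, detectReplays="false", quotas raised to 2147483647, maxClockSkew widened past five minutes, and the TripleDesRsa15 suite. The Python audit below is an added example, not code from any of the posts; the rule names, the five-minute threshold (WCF's default maxClockSkew) and the sample config are assumptions constructed here.

```python
import xml.etree.ElementTree as ET

INT_MAX = "2147483647"
QUOTA_ATTRS = {"maxReceivedMessageSize", "maxBufferSize", "maxBufferPoolSize",
               "maxDepth", "maxBytesPerRead", "maxArrayLength",
               "maxStringContentLength", "maxNameTableCharCount"}
DEFAULT_SKEW_SECONDS = 300  # WCF's default maxClockSkew is 00:05:00

# Constructed sample modelled on the bindings quoted on this page.
SAMPLE_CONFIG = """
<bindings>
  <customBinding>
    <binding name="mixedModeOverHttp">
      <textMessageEncoding messageVersion="Soap12">
        <readerQuotas maxDepth="2147483647" maxStringContentLength="8192" />
      </textMessageEncoding>
      <security authenticationMode="CertificateOverTransport"
                allowInsecureTransport="true">
        <localServiceSettings detectReplays="false" maxClockSkew="00:30:00" />
      </security>
      <httpTransport maxReceivedMessageSize="2147483647" />
    </binding>
    <binding name="mutualCertOverHttps">
      <security authenticationMode="MutualCertificate"
                defaultAlgorithmSuite="TripleDesRsa15" />
      <textMessageEncoding messageVersion="Soap11" />
      <httpsTransport requireClientCertificate="true" />
    </binding>
  </customBinding>
</bindings>
"""


def timespan_seconds(value):
    """Parse the hh:mm:ss form used in these configs; None for anything else."""
    parts = value.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    hours, minutes, seconds = map(int, parts)
    return hours * 3600 + minutes * 60 + seconds


def audit_binding(binding):
    """Return (rule, detail) findings for one <binding> under <customBinding>."""
    findings = []
    plain_http = binding.find("httpTransport") is not None
    security = binding.find("security")
    if security is not None:
        if plain_http and security.get("allowInsecureTransport", "").lower() == "true":
            # Message credentials are accepted on a hop that has no TLS.
            findings.append(("insecure-transport",
                             "allowInsecureTransport over httpTransport"))
        suite = security.get("defaultAlgorithmSuite", "")
        if "TripleDes" in suite or "Rsa15" in suite:
            findings.append(("legacy-algorithm-suite", suite))
        for tag in ("localClientSettings", "localServiceSettings"):
            for settings in security.iter(tag):
                if plain_http and settings.get("detectReplays", "").lower() == "false":
                    # No TLS on this hop to make up for disabled replay detection.
                    findings.append(("no-replay-detection", tag))
                raw_skew = settings.get("maxClockSkew", "")
                skew = timespan_seconds(raw_skew)
                if skew is not None and skew > DEFAULT_SKEW_SECONDS:
                    findings.append(("wide-clock-skew", f"{tag}={raw_skew}"))
    for element in binding.iter():
        for attr in sorted(QUOTA_ATTRS.intersection(element.attrib)):
            if element.get(attr) == INT_MAX:
                # int.MaxValue removes the per-message size bound entirely.
                findings.append(("unbounded-quota", f"{element.tag}@{attr}"))
    return findings


def audit_config(xml_text):
    """Audit every customBinding binding; returns (binding, rule, detail) tuples."""
    root = ET.fromstring(xml_text)
    results = []
    for custom in root.iter("customBinding"):
        for binding in custom.findall("binding"):
            name = binding.get("name", "(unnamed)")
            results.extend((name, rule, detail)
                           for rule, detail in audit_binding(binding))
    return results


if __name__ == "__main__":
    for name, rule, detail in audit_config(SAMPLE_CONFIG):
        print(f"{name}: {rule}: {detail}")
```

A finding is a prompt for review rather than a verdict: an externally mandated WSDL may force the algorithm suite, and a TLS-terminating load balancer may be the reason for the plain HTTP hop.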

Can you test a certificate-secured WCF service with SoapUI?

I have a WCF service that is:
Using the BasicHttpBinding (if you can answer for WsHttpBinding even better!)
Using TransportWithMessageCredential Security
Using X.509 Certificates for Transport and Message security
I would like to be able to test this service with SoapUI.
However, when I attempt to do so it appears that SoapUI signs more of the message than WCF expects, leading to this error (detected in the Application log after enabling ServiceModel auditing):
CryptographicException: Unable to resolve the '#id-100' URI in the signature to compute the digest.
Alternatively, when I use a WsHttpBinding I get the exception:
MessageSecurityException: The message received over Transport security has unsigned 'To' header.
Similar issues have been raised before:
WCF rejects messages with additional signed elements
http://connect.microsoft.com/VisualStudio/feedback/details/481030/wcf-signed-parts
Getting WCF to accept unsigned 'To' Header
This does not strike me as a "Java talking to MS WCF" issue - I have a Java test client working without issue. Likewise, I can use WCFStorm to test the service. However, SoapUI has become a bit of a de facto test standard, particularly for non-Windows consumers.
So, has anyone managed to overcome these issues and test a certificate-secured WCF service using SoapUI?
Thanks
I believe this issue is irresolvable, based on my own testing and a 250 bounty not yielding an answer.
The "web.config" is generated dynamically, but it's effectively matching either of the following bindings:
<wsHttpBinding>
<binding name="WSHttpBinding_ITwoWayAsync" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="250000" maxReceivedMessageSize="250000"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate" proxyCredentialType="None" realm="" />
<message clientCredentialType="Certificate" negotiateServiceCredential="false"
establishSecurityContext="false"
algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
<basicHttpBinding>
<binding name="BasicHttpBinding_ITwoWayAsync" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="250000" maxReceivedMessageSize="250000"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate" proxyCredentialType="None" realm="" />
<message clientCredentialType="Certificate" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
This was impossible with SoapUI and I had to use another tool called WCFStorm.
I had exactly the same issue. I haven't got it working with BasicHttpBinding but do have it working with WsHttpBinding. I had the error "The message received over Transport security has unsigned 'To' header" as well. I created a blog post for solving this issue. See the blog post "Connect SoapUI to WCF service certificate authentication" for more information.
You have to set the parts in the signature. By default SoapUI signs the whole request but that isn’t the default by WCF so we have to set the parts that we want to sign. So add as Name “To”, Namespace “http://www.w3.org/2005/08/addressing” (this is my namespace but check yours) and set Encode to “Element”. Also check the WS-A panel in your request. Check addressing and set the default "To" checkbox.
I have been able to do this with a custom binding in WCF and a PFX certificate file. I had to use a custom binding because I needed to restrict access to one certificate - which is outside the scope of this question. My certificate pfx file had both the public key and the private key. The private key was password protected. I could not get this to work with any other certificate format.
In SoapUI, I go to File -> Preferences -> SSL Settings:
-->Keystore Name: path_to_PFX_file
-->KeyStore password: your_private_key_password
Here are my web.config settings which are pretty much the same as a basicHttpBinding:
<customBinding>
<binding name="MyServiceBindingConfiguration">
<security authenticationMode="UserNameOverTransport" includeTimestamp="false" requireDerivedKeys="false" securityHeaderLayout="Lax" messageProtectionOrder="SignBeforeEncrypt" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
<localClientSettings maxClockSkew="00:30:00" />
<localServiceSettings maxClockSkew="00:30:00" />
<secureConversationBootstrap />
</security>
<textMessageEncoding messageVersion="Soap11">
<readerQuotas maxDepth="32" maxStringContentLength="524288" maxArrayLength="524288" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpsTransport requireClientCertificate="true" />
</binding>
</customBinding>
Hope this helps.

Caller was not authenticated by the service error - CRM 2011 Deployment wcf service method call over SSL?

I am trying to utilize CRM 2011 deployment service for CRM 2011 management in a custom made vb.net application. Please do not tell me that I should use deployment manager for my operations, as I have to develop this custom application tailored to the specific requirements for my organization.
Everything works fine when I use http but when I try to connect call a method of deployment service using SSL (HTTPS is enabled at the server)
Here is my relevant client configuration for HTTPS/SSL only
<binding name="CustomBinding_IDeploymentServiceHttps">
<security defaultAlgorithmSuite="Default" authenticationMode="SspiNegotiatedOverTransport"
requireDerivedKeys="false" securityHeaderLayout="Strict" includeTimestamp="true"
keyEntropyMode="CombinedEntropy" protectTokens="false" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSecurityContextCancellation="true">
<localClientSettings cacheCookies="true" detectReplays="false"
replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="false" issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true" maxPendingSessions="128"
maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
<secureConversationBootstrap />
</security>
<textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
messageVersion="Default" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" requireClientCertificate="false" />
</binding>
and
<client>
<!-- Deployment Service Endpoints HTTP,HTTPS-->
<endpoint address="http://10.40.30.20:5555/XRMDeployment/2011/Deployment.svc"
binding="customBinding" bindingConfiguration="CustomBinding_IDeploymentService"
contract="CRM2011DeploymentSvc.IDeploymentService" name="CustomBinding_IDeploymentService">
<identity>
<userPrincipalName value="LAB2010\administrator" />
</identity>
</endpoint>
<endpoint address="https://www.mydomain.com/XRMDeployment/2011/Deployment.svc"
binding="customBinding" bindingConfiguration="CustomBinding_IDeploymentServiceHttps"
contract="CRM2011DeploymentSvc.IDeploymentService" name="CustomBinding_IDeploymentServiceHttps" />
</client>
I am using the following code in my asp.net application
Dim DomainCredentials As New NetworkCredential(ADUserName, ADPassword, DomainNETBIOS)
If CRMDeploymentServiceURl.Trim().ToLower().StartsWith("https://") Then
_CrmDeployService = New DepSvc.DeploymentServiceClient("CustomBinding_IDeploymentServiceHttps")
Else
_CrmDeployService = New DepSvc.DeploymentServiceClient("CustomBinding_IDeploymentService")
End If
_CrmDeployService.ClientCredentials.Windows.ClientCredential = DomainCredentials
_CrmDeployService.Endpoint.Address = New EndpointAddress(New Uri(CRMDeploymentServiceURl))
_CrmDeployService.Endpoint.Binding.CloseTimeout = New TimeSpan(0, 30, 0)
_CrmDeployService.Endpoint.Binding.OpenTimeout = New TimeSpan(0, 30, 0)
_CrmDeployService.Endpoint.Binding.ReceiveTimeout = New TimeSpan(0, 30, 0)
_CrmDeployService.Endpoint.Binding.SendTimeout = New TimeSpan(0, 30, 0)
The above code is used just for initialization of the service. Later on, when I call a method using the _CrmDeployService object, everything works fine over http but not over https.
Please tell me what I can do to communicate with the HTTPS secured Deployment service without using any client certificate. (SSL certificate from DigiCert is already installed on the server and the website can be browsed over SSL in any web browser. What other certificate do I need and why?)
Also, IIS settings have been done as needed. (The WCF service is browsable over SSL/https via web browser.) I have tried anonymous authentication as well as authentication via a domain user at the server and handled the same in code as well.
Is there any configuration change that I need to make? Is this a WCF specific issue? I have tried solutions posted on stackoverflow as well as on msdn but to no avail. I cannot change the server's web.config and I must not use a client certificate, but I can use any credentials required for authentication and I must achieve it over SSL. Please help. Thanks
SSL means it is going to need the certificate. First check by making an example app to see whether WCF is working with SSL or not, because only then can it be assured that the CRM server is the problem (it is looking for a certificate) or, worse, that you failed earlier in WCF before reaching that point. If WCF is failing you, then you have to create a temporary certificate for it. There is plenty of help code on the internet; here is one to get you started.
http://msdn.microsoft.com/en-us/library/ff648498.aspx
and in your application, use the following binding (play around with the different transport/message security modes if you like):
<basicHttpBinding>
<binding name="basicHttp">
<security mode="TransportWithMessageCredential" >
<transport/>
<message clientCredentialType="UserName"/>
</security>
</binding>
</basicHttpBinding>
Also, you have to configure IIS. You have to enable https in IIS and also assign the certificate; I think it is in Directory Security | Server Certificate.
And if it is a Silverlight application, then it will need some more extra development.
Happy coding Machpanel:)