Is it possible to use both Transport security (HTTPS, authentication with a Client cert) in addition to message-level encryption via configuration in WCF? Is this done with wsHttpBinding out-of-the-box?
I am attempting to accomplish this with a custom binding, but am unable to tell if the requests are being encrypted at the message level because they appear as plain text in the trace logs.
I've done quite a bit of research but can't seem to find any solid answers. Any help is appreciated!
Yes, it's possible to have both as described in this MSDN article. The article is pretty thorough & detailed but the crux of enabling this functionality is this setting:
<!-- snipped -->
<wsHttpBinding>
<binding name="wsHttp">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate"/>
<message clientCredentialType="Certificate"
negotiateServiceCredential="true" />
</security>
</binding>
</wsHttpBinding>
<!-- snipped -->
Related
I am trying to add WCF service with wsHttpBinding to soapUI.
I am using message security and it works with test client but SoapUI returns
An error occurred when verifying security for the message
Here is service configuration:
<wsHttpBinding>
<binding name="wsHttpSecure">
<security mode="Message">
<message clientCredentialType="UserName" negotiateServiceCredential="true"
establishSecurityContext="false" algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
Here http://www.soapui.org/SOAP-and-WSDL/applying-ws-security.html is a document but they say I need .jks file. I only have encoded public key value generated by SvcUtil in test client configuration file.
after a lot of research I found a solution on a blog.
You need to check the WS-A:To checkbox, located on the WS-A options tab.
After doing that, my problem was solved.
This is the blog containing the solution. Thanks David!!
this setting is not interoperable with soapUI:
negotiateServiceCredential="true"
change it to false
I am creating a web service that will be consumed by a single client in another part of the world. I don't have any knowledge or control over the technology they are using but have been asked to
"use SSL to encrypt the message during transport and use UsernameToken
for client authentication"
I'm planning to use WCF4 to create the service and know generally how to set this all up. However I'm struggling to find the correct configuration for bindings etc. Google gives me lots of results around WSE 3.0 but I'm pretty sure (please correct me if I'm wrong) that I shouldn't be using WSE for a WCF service.
This article initially seems to suggest I should be using a custom binding but then also says I should "consider using the WCF system-defined bindings with appropriate security settings instead of creating a custom binding". However I can't see any examples of what this should be.
I would be grateful if anyone can point me in the right direction.
tl;dr: What are the WCF4 config settings to support SSL and UsernameToken?
Take a look at the WsHttpBinding. You can use a security mode of TransportWithMessageCredential to use SSL and a message credential of UserName. If you are hosting in IIS set up SSL there.
You can set up the binding in config as follows.
<bindings>
<wsHttpBinding>
<binding name="secureBinding">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
You can then use this binding config as follows
<services>
<service name="ServiceName">
<endpoint address="" binding="wsHttpBinding" contract="ContractType" bindingConfiguration="secureBinding" />
</service>
</services>
Both these elements are children of the system.serviceModel element in config.
I have a wsHttpBinding like this
<wsHttpBinding>
<binding name="binding1">
<security mode="Message" >
<message clientCredentialType="Windows" negotiateServiceCredential="true" />
</security>
</binding>
</wsHttpBinding>
If only NTLM is available,
Is this mean WCF will send client's credential through SOAP message?
Is this configuration compatible with ws-security?
Thanks
Both your questions are answered with a YES. Please read http://www.codeproject.com/KB/WCF/HttpBinding.aspx for details:
As WsHttBinding supports WS-*, it has WS-Security enabled by default. So the data is not sent in plain text.
I'm reading a book on Wcf. I always get confused when there is topic on binding configuration. Eg. In one chapter for securing service in internet environment, author used the following code in the config file.
<bindings>
<wsHttpBinding>
<binding name="ProductsServiceWSHttpBindingConfig">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None"/>
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
Everything works fine as described in the book. But I don't see any description in book, why TransportWithMessageCredential is used in place of Transport. Similarly why the <transport ... is None and <message ... is not None. Is there any matrix (or any other way to figure out) about which options to use with which binding (and in which environment)? My hunch is that certain options will go with certain binding. Thanks in advance.
Yep, here's a few:
http://msdn.microsoft.com/en-us/library/ms730879.aspx
http://mkdot.net/blogs/dejan/archive/2008/03/31/wcf-binding-decision.aspx
http://architectopia.blogspot.com/2008/01/wcf-binding-decision-chart.html
I know this question is already been answered however heres are some thoughts for those who are looking for quick answer.
TransportWithMessageCredential is basically saying that the transmission is over https (secure) and the username and password will be in security header.
"Client authentication is performed by putting the client credential directly in the message. This allows you to use any credential type that is supported by the message security mode for the client authentication while keeping the performance benefit of transport security mode."
http://msdn.microsoft.com/en-us/library/aa354508.aspx
This article from Microsoft details how to implement transport security with an anonymous client.
http://msdn.microsoft.com/en-us/library/ms729789.aspx
I'd like to know if it is possible to achieve the same goal, using netTcpBinding instead of WsHttpBinding and hosting the service as a Windows Service.
Yes, I don't see any reason why this wouldn't work over netTcp Binding. By default, netTcp is using transport level security already, but also Windows credentials. Just turn those off, and you should be good to go.
<bindings>
<netTcpBinding>
<binding name="SecureNetTcp">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</netTcpBinding>
</bindings>
I've never done it, but can't you just set the Client Authentication to None?