Has anyone had experience using SSL with net.tcp binding in WCF?
Ive read its possible, but not finding good information on how to implement it. I would love to hear from anyone who knows about or who has implemented this.
Thanks in advance...
Have a look at the contents in this link:
http://msdn.microsoft.com/en-us/library/ms789011.aspx
especially the section on "To use the NetTcpBinding with a certificate for transport security"
Related
I'm new to WCF and IIS.
Suppose I set up a WCF service with wsHttpBinding and Message Security and Windows authentication. Does that mean I don't need to use https on my IIS server? Ie. Is the message secure or isn't it?
Let me know if there is any further information I can provide.
Yes, the message is secure as it will be encrypted and signed by WCF in case of Message security. But make sure you considered all disadvantages of massage security. The most significant are: 1. Poor interoperability. 2. Worse performance compared to transport security.
For more details please refer to this article Message and Transport Security
You will also find the scenarios where it is best to use message security.
start with transport and message security understanding. We will then see simple code samples of how to implement transport and message security using WsHTTP bindings. We will also see the differences between ‘BasicHttpBinding’ and ‘WsHttpBinding’ with the help of a simple code. WCF security is a huge topic by itself, but I am sure with this article you will get a quick start of how to go about WCF security
http://www.codeproject.com/Articles/36732/WCF-FAQ-Part-3-10-security-related-FAQ
What I am looking for is a set of article that can help me understand the basics, so I can be sure of what I am doing.
Methods regarding secure authentification are the most welcome.
Thanks.
see this article about Securing WCF Services with Authentication Service.
also this one on Certificate based Authentication.
take a look at Programming WCF Security in msdn library
Anyone know of any good articles that describe how to accomplish this?
All you would usually have to do is set your binding to use transport security, then have IIS set for SSL. That is assuming your using a standard WCF binding and hosted in IIS.
You can google "wcf transport security" or see the main MSDN article: http://msdn.microsoft.com/en-us/library/ms733043.aspx
There is also this StackOverflow topic 425978/enable-ssl-for-my-wcf-service that shows a snipit of XML configuration.
If there is a more specific issue, then I can try to help further... Custom bindings or being self-hosted take a little more work.
I need to protect my WCF web services and was thinking what is the best way of doing this. Its not really a ROLE / User situation - more of a "WHO CAN CALL THE WEB SERVICE".
I was thinking that i could use an IP? Is this the recommended way?
Anybody have any experience with this, I was thinking of have a table (sql) with all IPs that can access the web service but i didn't want to reinvent the wheel if something exists already.
I presume there is an event or similar when somebody access the webservice so i can check there ip? - Anybody have an example?
And i presume this can be accomplished with standard HTTP binding ?
I would appreciate any input anybody has
You can pretty easily restrict the calling IP's in your service using a service behavior.
There's an excellent CodeProject article including source code that shows how to do this. Since it's WCF and a WCF behavior, it's pluggable, too - you can add or remove it from your service as needed.
Marc
Really depends on the security level of the service. IP addresses alone are quite easily spoofed by a knowledgeable caller, so if it's a service that deals with sensitive information, I'd recommend something a little harder to break, like transport security (eg SSL) with client certificates. Very well supported by WCF and not as scary or expensive to use as you might think, especially if you control both the client and server (that way you can configure the client to ignore the cert's "trusted" status so you don't have to buy a commercial server cert).
I have been tasked to implement a WCF service that makes use of NetMsmqBinding. I wrote the service and it works fine. The problem is that in the last minute they told me that there will be no Active Directory integration. So I don't know how to configure the security of the service. There is a VPN tunnel between the service's and the client's machines but they do not use the same active directory. Please advice. Any kind of help or tutorials would be appreciated.
The problem is that the service is not always online. That is why using WCF over MSMQ is preferred for this scenario. So I am sending one way messages through MSMQ - which works fine. My only problem is that I am new to WCF and am not familiar with WCF security. I would like to be able to sign and encrypt the messages since the information to be sent to the service is confidential. I would like to make sure that only authorized clients call the service. Any suggestions?
I'm not sure I understand your question so correct me, if I'm wrong. I have recently been woring on a WCF service that was hosted on a computer with no Active Directory available. We secured it using certificates. Is it an option for you? It's pretty painless (if you get past the 'put the certificate in the store and give the correct user access to it' part).
You should be able to take advantage of network transparency.
Use webservices to communicate from one system to the other. You might have to deal with extra latency, but it should still be usable.
Well first, you can use WCF's security, the WS-* stuff. Some info here:
http://blogs.msdn.com/motleyqueue/archive/2007/10/06/complementing-msmq-security-with-wcf.aspx
Second, you might find this blog to be helpful:
http://blogs.msdn.com/johnbreakwell/default.aspx
One of the articles there about cross-domain sending mentions this article (Cross-Enterprise Support):
http://msdn.microsoft.com/en-us/library/ms705127(VS.85).aspx
Which might help you configure it in general.
Thank you, Michael, but this information wasn't helpful...
I found this: http://www.codeplex.com/WCFSecurityGuide/Release/ProjectReleases.aspx?ReleaseId=14070 - a book from "Microsoft Pattern & Practices" which describes in detail the security in WCF - a must-read for every WCF developer.