Anyone know of any good articles that describe how to accomplish this?
All you would usually have to do is set your binding to use transport security, then have IIS set for SSL. That is assuming your using a standard WCF binding and hosted in IIS.
You can google "wcf transport security" or see the main MSDN article: http://msdn.microsoft.com/en-us/library/ms733043.aspx
There is also this StackOverflow topic 425978/enable-ssl-for-my-wcf-service that shows a snipit of XML configuration.
If there is a more specific issue, then I can try to help further... Custom bindings or being self-hosted take a little more work.
Related
I'm new to WCF and IIS.
Suppose I set up a WCF service with wsHttpBinding and Message Security and Windows authentication. Does that mean I don't need to use https on my IIS server? Ie. Is the message secure or isn't it?
Let me know if there is any further information I can provide.
Yes, the message is secure as it will be encrypted and signed by WCF in case of Message security. But make sure you considered all disadvantages of massage security. The most significant are: 1. Poor interoperability. 2. Worse performance compared to transport security.
For more details please refer to this article Message and Transport Security
You will also find the scenarios where it is best to use message security.
start with transport and message security understanding. We will then see simple code samples of how to implement transport and message security using WsHTTP bindings. We will also see the differences between ‘BasicHttpBinding’ and ‘WsHttpBinding’ with the help of a simple code. WCF security is a huge topic by itself, but I am sure with this article you will get a quick start of how to go about WCF security
http://www.codeproject.com/Articles/36732/WCF-FAQ-Part-3-10-security-related-FAQ
What I am looking for is a set of article that can help me understand the basics, so I can be sure of what I am doing.
Methods regarding secure authentification are the most welcome.
Thanks.
see this article about Securing WCF Services with Authentication Service.
also this one on Certificate based Authentication.
take a look at Programming WCF Security in msdn library
I have several WCF wsHttp services using Transport security over an SSL connection. Presently I use "Windows" for the clientCredentialType and all has worked fine with exception of one scenario where my e-commerce site (its own SSL) had a problem communicating with the other server via SSL and I had to create a separate service and use Basic for the clientCredentialType.
I don't want anonymous connections so I have Basic and Windows Authentication enabled in IIS 7.5 on the WCF service site.
Is one better than the other regarding security? Windows vs. Basic? If not then it seems like I should just change everything to Basic and then I can eliminate my duplicated service configuration for the e-commerce issue.
I don't use ActiveDirectory and I just wanted to minimize all risk of someone sniffing the calls. Anyone have an opinion on the clientCredentialType setting I should use?
Thank you.
I ended up going with Basic per some other articles I read on this topic.
Has anyone had experience using SSL with net.tcp binding in WCF?
Ive read its possible, but not finding good information on how to implement it. I would love to hear from anyone who knows about or who has implemented this.
Thanks in advance...
Have a look at the contents in this link:
http://msdn.microsoft.com/en-us/library/ms789011.aspx
especially the section on "To use the NetTcpBinding with a certificate for transport security"
I have been tasked to implement a WCF service that makes use of NetMsmqBinding. I wrote the service and it works fine. The problem is that in the last minute they told me that there will be no Active Directory integration. So I don't know how to configure the security of the service. There is a VPN tunnel between the service's and the client's machines but they do not use the same active directory. Please advice. Any kind of help or tutorials would be appreciated.
The problem is that the service is not always online. That is why using WCF over MSMQ is preferred for this scenario. So I am sending one way messages through MSMQ - which works fine. My only problem is that I am new to WCF and am not familiar with WCF security. I would like to be able to sign and encrypt the messages since the information to be sent to the service is confidential. I would like to make sure that only authorized clients call the service. Any suggestions?
I'm not sure I understand your question so correct me, if I'm wrong. I have recently been woring on a WCF service that was hosted on a computer with no Active Directory available. We secured it using certificates. Is it an option for you? It's pretty painless (if you get past the 'put the certificate in the store and give the correct user access to it' part).
You should be able to take advantage of network transparency.
Use webservices to communicate from one system to the other. You might have to deal with extra latency, but it should still be usable.
Well first, you can use WCF's security, the WS-* stuff. Some info here:
http://blogs.msdn.com/motleyqueue/archive/2007/10/06/complementing-msmq-security-with-wcf.aspx
Second, you might find this blog to be helpful:
http://blogs.msdn.com/johnbreakwell/default.aspx
One of the articles there about cross-domain sending mentions this article (Cross-Enterprise Support):
http://msdn.microsoft.com/en-us/library/ms705127(VS.85).aspx
Which might help you configure it in general.
Thank you, Michael, but this information wasn't helpful...
I found this: http://www.codeplex.com/WCFSecurityGuide/Release/ProjectReleases.aspx?ReleaseId=14070 - a book from "Microsoft Pattern & Practices" which describes in detail the security in WCF - a must-read for every WCF developer.