This article from Microsoft details how to implement transport security with an anonymous client.
http://msdn.microsoft.com/en-us/library/ms729789.aspx
I'd like to know if it is possible to achieve the same goal, using netTcpBinding instead of WsHttpBinding and hosting the service as a Windows Service.
Yes, I don't see any reason why this wouldn't work over netTcp Binding. By default, netTcp is using transport level security already, but also Windows credentials. Just turn those off, and you should be good to go.
<bindings>
<netTcpBinding>
<binding name="SecureNetTcp">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</netTcpBinding>
</bindings>
I've never done it, but can't you just set the Client Authentication to None?
Related
I have a WCF service hosted on IIS that is working perfectly well over https with SSL. It has the following simple binding setup...
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding maxBufferSize="524288"
maxBufferPoolSize="1048576"
maxReceivedMessageSize="524288">
<readerQuotas maxStringContentLength="262144" maxArrayLength="65536" />
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
</system.serviceModel>
Is it possible to have another basicHttpBinding but without the security mode so that clients can connect with http or https. Do I just copy and paste the binding and remove the security mode on the copy? Or will that cause confusion because there are two bindings of the same type but they do not have names?
You have to create another binding and add an additional endpoint to use the binding without security. A binding is only a description HOW an endpoint should be created, but the binding configuration does not open any endpoints. You can have many endpoints using the same binding, but only one binding per endpoint.
I have a service that uses wsHttpBinding security mode="Message" message clientCredentialType="Windows" negotiateServiceCredential="false" establishSecurityContext="false" .
When a client calls the service, on the service side I can use ServiceSecurityContext context = OperationContext.Current.ServiceSecurityContext; in order to get the callers credentials.
However, now I need a Java client to call this service. Apparently, wsHttpBinding does not interop easily w/Java (I thought that was the whole point of services). So I need to change the binding to basicHttpBinding to get the interop, but now OperationContext.Current.ServiceSecurityContext returns null.
I have tried mutliple combinations from posts I have seen, but all the post are slightly different and did not work for me.
I am hoping that someone smarter than I can resolve this once and for all.
Here are the requirements:
1.)Basicbinding needs to be used.
2.)OperationContext.Current.ServiceSecurityContext needs to be populated automatically and retrieved on server side like it is with wsHttpBinding.
Here are the basic bindings I used among others..
<basicHttpBinding>
<binding name="CustomBasicBinding"
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
Is it possible?
Thanks in advance
I am creating a web service that will be consumed by a single client in another part of the world. I don't have any knowledge or control over the technology they are using but have been asked to
"use SSL to encrypt the message during transport and use UsernameToken
for client authentication"
I'm planning to use WCF4 to create the service and know generally how to set this all up. However I'm struggling to find the correct configuration for bindings etc. Google gives me lots of results around WSE 3.0 but I'm pretty sure (please correct me if I'm wrong) that I shouldn't be using WSE for a WCF service.
This article initially seems to suggest I should be using a custom binding but then also says I should "consider using the WCF system-defined bindings with appropriate security settings instead of creating a custom binding". However I can't see any examples of what this should be.
I would be grateful if anyone can point me in the right direction.
tl;dr: What are the WCF4 config settings to support SSL and UsernameToken?
Take a look at the WsHttpBinding. You can use a security mode of TransportWithMessageCredential to use SSL and a message credential of UserName. If you are hosting in IIS set up SSL there.
You can set up the binding in config as follows.
<bindings>
<wsHttpBinding>
<binding name="secureBinding">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
You can then use this binding config as follows
<services>
<service name="ServiceName">
<endpoint address="" binding="wsHttpBinding" contract="ContractType" bindingConfiguration="secureBinding" />
</service>
</services>
Both these elements are children of the system.serviceModel element in config.
I have a web service and we're currently hosting it in a HTTPS site.
My binding is this.
<wsHttpBinding>
<binding maxReceivedMessageSize="2000000" >
<readerQuotas maxStringContentLength="2147483647" />
<security mode="Transport">
</security>
</binding>
</wsHttpBinding>
And it seems to work well. But my main aim is to make sure the web service requests and responses are encrypted. I don't know much about web services but is that all there is to it?
Just use HTTPS and put this line in your configuration?
<security mode="Transport">
</security>
Or is there more to it? How can I know if the message's sent are encrypted or not?
Yes that's all. The mode Transport demands transport level security which in your case means HTTPS. If you want to see that messages are encrypted you must use some network monitoring tool (Fiddler, WireShark, etc.)
I have a WCF service hosted in a Windows Service. Clients from various platforms will access the service. Now I would like to add a basic security mechanism. Ideally, the clients should use username/password for authentication.
Which binding settings do I have to use in this scenario and how can I authenticate the client? Interoperability is more important than a very secure solutions. If possible the client should not be forced to use a certificate or something the like. Additionally, authentication should not be strongly coupled with a SQL Server database. I would like to manually inspect the client credentials.
Thanks for your help
The best for your case can be BasicHttpBinding with security set to TransportWithMessageCredentials and credential type set to UserName. In this case your service will be secured with HTTPS (requires server certificate for SSL which has to be trusted on clients) and authentication will be provided on message level with UserName Token Profile (SOAP header). You can implement your own password validator.
BasicHttpBinding configuration skeleton:
<bindings>
<basicHttpBinding>
<binding name="Secured">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</basicHttpBinding>
</bindings>
If you don't want to use HTTPS you can create custom binding with HttpTransport, TextMessageEncoding and with security mode set to UserNameOverTransport. But you have to set allowInsecureTransport to true (be aware that there is some bug with WSDL generation in this setting).
Custom binding configuration skeleton:
<bindings>
<customBinding>
<binding name="Secured">
<security authenticationMode="UserNameOverTransport" allowInsecureTransport="true" />
<textMessageEncoding messageVersion="Soap11" />
<httpTransport />
</binding>
</cutomBinding>
</bindings>
See the Internet section of the Application Scenarios for guides on how to achieve this:CodePlex Application Scenarios