WCF authentication options:

  • No authentication (even when the client provides credentials, they are ignored)
  • Windows authentication (NTLM in a workgroup or Kerberos in a domain)
  • User name/password
  • X.509 certificate (the service either knows the client certificate in advance or trusts the certificate issuer)
  • Issued token
  • Custom

Security policy

Security policy = set of policy alternatives

Policy alternative = set of policy assertions

Policy assertion = a single capability, property or behavior of the server

Certificate credentials

Server configuration (in the binding, specify that clients authenticate with certificates; in a service behavior, specify how client certificates are validated and which certificate the server presents to clients).


<!-- Binding: message-level security, clients must present an X.509 certificate -->
<binding name="WsHttpWithClientCertificate" messageEncoding="Mtom">
  <security mode="Message">
    <message clientCredentialType="Certificate"/>
  </security>
</binding>

<!-- Service behavior: validation of client certificates and the certificate the service presents -->
<behavior name="wcfServiceBehavior">
  <serviceCredentials>
    <clientCertificate>
      <!-- PeerTrust: a client certificate is accepted only if that exact certificate is in the TrustedPeople store -->
      <authentication certificateValidationMode="PeerTrust"/>
    </clientCertificate>
    <serviceCertificate findValue="ServerSide" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
  </serviceCredentials>
</behavior>

Client configuration (specify the client certificate in an endpoint behavior; add an identity element to the endpoint declaration so that the service certificate's "ServerSide" subject name is accepted as the expected identity).

<!-- Inside the client endpoint declaration: the DNS identity expected in the service certificate -->
<identity>
  <dns value="ServerSide"/>
</identity>

<!-- Endpoint behavior: the certificate the client presents to the service -->
<behavior name="clientEndpointCertificate">
  <clientCredentials>
    <!-- x509FindType added: the default (FindBySubjectDistinguishedName) would not match a plain subject name -->
    <clientCertificate storeName="My" storeLocation="LocalMachine"
                       x509FindType="FindBySubjectName"
                       findValue="ClientCertificateForWcfService"/>
  </clientCredentials>
</behavior>
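The same server and client settings expressed in code instead of configuration, added here as an example that is not from the original notes; the IDemoService contract, DemoService class and the addresses passed in are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract and implementation; the notes above do not name one.
[ServiceContract]
public interface IDemoService { [OperationContract] string Echo(string text); }
public class DemoService : IDemoService { public string Echo(string text) { return text; } }

public static class CertificateCredentialsDemo
{
    // Shared binding: message security with certificate client credentials and MTOM encoding.
    static WSHttpBinding CertificateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message) { MessageEncoding = WSMessageEncoding.Mtom };
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return binding;
    }

    // Server side: the binding plus the wcfServiceBehavior settings.
    public static ServiceHost CreateHost(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(DemoService), baseAddress);
        host.AddServiceEndpoint(typeof(IDemoService), CertificateBinding(), "");
        // PeerTrust: a client certificate is accepted only if that exact certificate is in the
        // TrustedPeople store; ChainTrust would accept any certificate chaining to a trusted CA.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        // The certificate the service presents to clients (serviceCertificate element).
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "ServerSide");
        return host;
    }

    // Client side: the endpoint identity plus the clientEndpointCertificate behavior.
    public static ChannelFactory<IDemoService> CreateClientFactory(Uri serviceAddress)
    {
        // DNS identity "ServerSide": the service certificate's subject must match it, otherwise
        // the client rejects the service even if the certificate itself validates.
        var address = new EndpointAddress(serviceAddress, EndpointIdentity.CreateDnsIdentity("ServerSide"));
        var factory = new ChannelFactory<IDemoService>(CertificateBinding(), address);
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "ClientCertificateForWcfService");
        return factory;
    }
}
```

Both certificates are looked up by subject name in the LocalMachine\My store, so the process must have read access to the private key of the certificate it presents.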