WCF authentication options:

  • No authentication (even when the client provides credentials, they are ignored)
  • Windows authentication (NTLM in a workgroup or Kerberos in a domain)
  • User name/password
  • X.509 certificate (the service either knows the client's certificate in advance or trusts the authority that issued it)
  • Issued token
  • Custom

Security policy

Security policy = set of policy alternatives

Policy alternative = set of policy assertions

Policy assertion = a single capability, property or behavior of the server

Certificate credentials

Server configuration: the binding declares that clients authenticate with certificates (security mode "Message", clientCredentialType "Certificate"); a service behavior selects the certificate the service presents to clients and sets how client certificates are validated. certificateValidationMode="PeerTrust" accepts only client certificates that are installed in the service machine's TrustedPeople store; "ChainTrust" accepts any certificate that chains to a trusted root CA; "None" performs no validation at all and must not be used outside development. The service element must reference the behavior by name (behaviorConfiguration="wcfServiceBehavior") and the endpoint must reference the binding (bindingConfiguration="WsHttpWithClientCertificate"), otherwise the WCF defaults apply instead of these settings.


<wsHttpBinding>
  <binding name="WsHttpWithClientCertificate" messageEncoding="Mtom">
    <security mode="Message">
      <message clientCredentialType="Certificate"/>
    </security>
  </binding>
</wsHttpBinding>

...

<behaviors>
  <serviceBehaviors>
    <behavior name="wcfServiceBehavior">
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust"/>
        </clientCertificate>
        <serviceCertificate findValue="ServerSide" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

Client configuration: an endpoint behavior selects the client certificate (the endpoint references it with behaviorConfiguration="clientEndpointCertificate"); an identity element in the endpoint declaration tells the client which subject name to expect in the service certificate, so the certificate the service presents ("ServerSide") is accepted even though that name differs from the host name in the endpoint address.


<endpoint>
  ...
  <identity>
    <dns value="ServerSide"/>
  </identity>
</endpoint>

<endpointBehaviors>
  <behavior name="clientEndpointCertificate">
    <clientCredentials>
      <clientCertificate storeName="My" storeLocation="LocalMachine"
                         x509FindType="FindBySubjectName"
                         findValue="ClientCertificateForWcfService"/>
    </clientCredentials>
  </behavior>
</endpointBehaviors>
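The same server and client setup expressed in code rather than in configuration, as an added example that is not part of the original page. It reproduces the binding, the service certificate, the PeerTrust client-certificate check and the client's DNS identity from the two configuration fragments above, and also shows the "Custom" option from the authentication list: an X509CertificateValidator that pins client certificates by thumbprint. The IEchoService contract, the http://localhost:8000/echo address and the all-zero placeholder thumbprint are assumptions; the certificate subject names are the ones used in the configuration.

```csharp
// Added example (not from the original page): programmatic equivalent of the
// wsHttpBinding/behavior configuration, plus a custom certificate validator.
// Contract, address and the placeholder thumbprint are assumptions.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEchoService
{
    public string Echo(string text)
    {
        // With certificate credentials the caller identity is the validated
        // client certificate (subject name plus thumbprint).
        return ServiceSecurityContext.Current.PrimaryIdentity.Name + " said: " + text;
    }
}

// "Custom" validation mode: accept only certificates whose thumbprint is on an
// explicit allow list, independent of which store or issuer they come from.
public class PinnedThumbprintValidator : X509CertificateValidator
{
    private readonly string[] allowed;

    public PinnedThumbprintValidator(params string[] allowedThumbprints)
    {
        allowed = allowedThumbprints;
    }

    public override void Validate(X509Certificate2 certificate)
    {
        foreach (string thumbprint in allowed)
            if (string.Equals(thumbprint, certificate.Thumbprint, StringComparison.OrdinalIgnoreCase))
                return;
        // Throwing rejects the message; the client receives a SOAP fault.
        throw new SecurityTokenValidationException(
            "Client certificate is not pinned: " + certificate.Thumbprint);
    }
}

public static class CertificateAuthDemo
{
    // Equivalent of <security mode="Message"><message clientCredentialType="Certificate"/>
    static WSHttpBinding MakeBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.MessageEncoding = WSMessageEncoding.Mtom;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return binding;
    }

    public static ServiceHost StartServer(bool usePinning)
    {
        var host = new ServiceHost(typeof(EchoService), new Uri("http://localhost:8000/echo")); // assumed address
        host.AddServiceEndpoint(typeof(IEchoService), MakeBinding(), "");

        // <serviceCertificate findValue="ServerSide" x509FindType="FindBySubjectName" .../>
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "ServerSide");

        var auth = host.Credentials.ClientCertificate.Authentication;
        if (usePinning)
        {
            auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
            // Placeholder thumbprint (assumption): replace with the real client certificate's SHA-1 thumbprint.
            auth.CustomCertificateValidator = new PinnedThumbprintValidator("0000000000000000000000000000000000000000");
        }
        else
        {
            // <authentication certificateValidationMode="PeerTrust"/>: the client certificate
            // itself must be present in the service machine's TrustedPeople store.
            auth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        }
        host.Open();
        return host;
    }

    public static string CallServer()
    {
        // <identity><dns value="ServerSide"/></identity>: the subject name the client
        // expects in the certificate the service presents.
        var address = new EndpointAddress(new Uri("http://localhost:8000/echo"),
                                          EndpointIdentity.CreateDnsIdentity("ServerSide"));
        var factory = new ChannelFactory<IEchoService>(MakeBinding(), address);

        // <clientCertificate ... findValue="ClientCertificateForWcfService"/>
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "ClientCertificateForWcfService");
        // The service certificate is validated on the client side too; the default mode is ChainTrust.

        IEchoService proxy = factory.CreateChannel();
        string reply = proxy.Echo("hello");
        ((IClientChannel)proxy).Close();
        return reply;
    }
}
```

The PeerTrust branch mirrors the configuration exactly; the pinning branch is the stricter alternative when the set of authorized clients is small and known, since a compromised or mis-issued certificate from the same CA is rejected even though ChainTrust would accept it.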
