
How to configure security when calling WCF Service from .Net 2.0 Client

I have a WCF service up and running and am able to communicate between the service and a .Net 2.0 Client using basicHttpBinding.

I now need to lock down the WCF service so that it can only be called by authenticated clients.

I have control over the clients that will be calling my service. The clients are part of a product that will be installed in the wild and "phoning home" to push and pull data. The client app is written for .Net 2.0 framework and cannot be upgraded to 3.0 or 3.5 at this time. I cannot add Windows user accounts to the client machines.

What are my options for securing the WCF Service and being able to authenticate from my .Net 2.0 clients? Also, data needs to be passed over HTTPS.

I've been searching the web, and feel like I'm on a wild goose chase.

JasonS asked Oct 24 '08 04:10



1 Answer

You can configure a WCF endpoint to use 2-way SSL authentication. That means that you can require clients to present an X.509 certificate that confirms their identity whenever they make a request to the service.

On the server side of things, you can use one of the built-in validation schemes in WCF or provide your own validation logic to check the X.509 certificate.
If you were hosting your service in IIS, it would be trivial to configure SSL to require client certificates at the transport-level. However, you can find a good guide on how to implement this behaviour in a self-hosted WCF service here:

http://leastprivilege.com/2007/08/25/certificate-based-authentication-and-wcf-message-security/

I haven't tried this myself but, since this creates a security requirement at the message-level, I think you will have to use wsHttpBinding to enforce it in your WSDL contract, since imposing security requirements to access a web service is part of the WS-* standards.

If you have to use basicHttpBinding, you can try this solution instead that moves things up at the transport-level:

http://leastprivilege.com/2007/08/26/certificate-based-authentication-and-wcf-mode-independent/

Hope this helps

Enrico Campidoglio answered Sep 22 '22 06:09
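One way to set up the transport-level variant mentioned in the answer (basicHttpBinding over HTTPS with a required client certificate), shown for both sides. This is an added example, not code from the answer or from the linked posts. The contract, service class, URL and thumbprint parameter are hypothetical placeholders, and it assumes a server certificate is already bound to the listening port.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;            // server project only (.NET 3.0+)
using System.Web.Services.Protocols;  // client project only (.NET 2.0)

// ---- Server project, self-hosted (hypothetical contract and service) ----
[ServiceContract]
public interface IPhoneHome
{
    [OperationContract] string Push(string payload);
}

public class PhoneHome : IPhoneHome
{
    public string Push(string payload) { return "ok"; }
}

public static class ServerHost
{
    public static ServiceHost Open()
    {
        // HTTPS only; the TLS handshake must present a client certificate.
        BasicHttpBinding binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        ServiceHost host = new ServiceHost(typeof(PhoneHome));
        // Placeholder address; use the host name that matches the server certificate.
        host.AddServiceEndpoint(typeof(IPhoneHome), binding,
            "https://service.example.test:8443/phonehome");
        host.Open();
        return host;
    }
}

// ---- Client project (.NET 2.0) ----
public static class ClientCertSetup
{
    // proxy is the class generated by wsdl.exe or "Add Web Reference".
    public static void Attach(HttpWebClientProtocol proxy, string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true skips expired, revoked or untrusted certificates.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, true);
            if (found.Count == 0)
                throw new InvalidOperationException("Client certificate not found or not valid.");
            proxy.ClientCertificates.Add(found[0]);
        }
        finally { store.Close(); }
    }
}
```

The client certificate needs its private key installed on the client machine, and the account running the client app needs read access to that key.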