OK I am probably getting too far in the weeds with my WCF configuration and can't see the forest through the trees, so I want to checkpoint on security.
I have (2) bindings exposed in a WCF service for options on the client side consuming: netTcpBinding and wsHttpBinding (both fine and working). I have both configured with the default: clientCredentialType="Windows". I have the wsHttpBinding configured to use an SSL certificate and expose the endpoint via https (I want this), and also have an SSL cert configured for the netTcpBinding to use SSL over TCP (I want this too).
Here is where I keep getting mixed information. Apparently "Transport" security is inherently secure. Does this mean I do not need an SSL cert then if I want to secure the Transport layer?
I had to do a lot of reading between multiple articles to get the details I was looking for from my original post. The information that helped things to clear up a bit for me was the following:
Each protocol (TCP, HTTP, MSMQ, NamedPipes) has its own mechanism for passing credentials and handling message protection.
Above is from the WCFSecurityGuide
Coming from a primarily web background I have a pretty good understanding of HTTP and securing it with an SSL cert. However this exact procedure is not required in a Windows environment for net.tcp which uses its own method in Windows to secure the transport layer.
So when it gets down to it, here are the (2) explanations in regards to securing an HTTP binding and net.tcp in a Windows environment that I wanted to understand:
For net.tcp: The service and clients are authenticated using Windows authentication, and the messages are secured at the transport level by Windows security
For an HTTP binding (i.e. wsHttpBinding): When using HTTP bindings, the transport security is provided by SSL. The SSL certificate is used to provide the message protection.
So I will not need an SSL cert for the net.tcp binding as that is handled by Windows Security and is inherently secure when using Transport security. When using a wsHttpBinding I will still need to secure the Transport with an SSL certificate which I had done as mentioned previously, and exposed the binding via HTTPS.
If any future readers have similar questions the WCF guide link I posted and the link below are a good place to start:
Common WCF Security Scenarios:
http://msdn.microsoft.com/en-us/library/ms730301.aspx
In this setup, "Transport" security is how you tell WCF that you really want it to use SSL. In order for SSL to work you need a server certificate that the client can verify (either from a signing authority or a self-signed one that you install on the client).
So you've got it right. :)
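The two bindings discussed in this thread, side by side, as an added example that is not part of either post: a service-side configuration fragment in which the service name, contract, binding configuration names, host and port are all assumed for illustration.

```xml
<!-- Added example. Service, contract, host and port are assumed names. -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <binding name="tcpWindows">
        <!-- Transport security with Windows credentials: the TCP stream is
             signed and encrypted by Windows authentication, so no
             certificate is configured for this binding. -->
        <security mode="Transport">
          <transport clientCredentialType="Windows"
                     protectionLevel="EncryptAndSign" />
        </security>
      </binding>
    </netTcpBinding>
    <wsHttpBinding>
      <binding name="httpsWindows">
        <!-- Transport security over HTTP is SSL/TLS: the endpoint address
             must be https:// and the server certificate is bound on the
             host (IIS or HTTP.SYS), not in this file. -->
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="Example.OrderService">
      <endpoint address="net.tcp://server.example.local:8523/OrderService"
                binding="netTcpBinding" bindingConfiguration="tcpWindows"
                contract="Example.IOrderService" />
      <endpoint address="https://server.example.local/OrderService"
                binding="wsHttpBinding" bindingConfiguration="httpsWindows"
                contract="Example.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

A quick check on a deployed service: confirm neither binding has `mode="None"` and that the wsHttpBinding endpoint address really starts with `https://`, since Transport mode on an `http://` address fails at service start rather than silently downgrading.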