Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

WCF, Security and Certificates

Tags:

authentication

certificate

wcf

wcf-security

I have a client/server WCF application that needs some sort of user authentication against a database. The application (both client and server together) is being developed to be sold to dozens of customers, for use on their intranets. We're not too worried about encrypting most of the data moving across the wire, except of course during authentication.

Thinking about WCF security, I keep coming back to the idea that we should be making use of x509 certificates. However, our customers will definitely not want to know about any of the details of having to apply for, purchase and install these certificates.

I'd like to know first of all what the preferred method is of implementing username/password authentication in this scenario. If it will require using certificates, must the customer apply for their own certs from a trusted CA, or can we as the software provider generate certificates for the customer to use?

Really I'm looking for a best practice, with the least friction to our customers.

Thanks!

Edit: I'm using NetTcpBinding, and my server is running as a Windows Service.

like image 621
chris Avatar asked Apr 23 '09 22:04

chris

1 Answers

So username/passwords does not require client certificates as I'm sure you're aware, it simply requires an HTTPS certificate on the server hosting the WCF service - once you have that you can happily use the standard username/password auth bits (WCF will not allow message based authentication without HTTPS).

If you wanted to head down the client certificate root you get the advantage of non-repudiation - you can be sure that the machine sending is who it says it is (unless someone has stolen the certificate, which is less likely than a username and password combination going walk about). You as the software provider could act as your own certificate authority and generate your own client certs (there are a few ways to do this depending on your infrastructure) but then you need to configure the clients to trust your root CA.

If the server and client are running in a domain environment you could use transport security with Windows authentication (you're using tcp binding, so interoperability is out the window anyway!) The added bonus to this is the authentication is transparent and you don't need any certificates anywhere. If you want verfication of the server identity then message security with Windows authentication will do the trick.

like image 129
blowdart Avatar answered Sep 19 '22 23:09

blowdart
Sign in to Comment

Related questions

How does a WCF proxy implement ICommunicationObject if it's methods aren't visible?
Why is my self-hosted WCF service returning 403 Forbidden, rather than 401 Unauthorized?
Why does Type.GetInterfaces() sometimes not return a valid list?
WCF with visual studio 2012
How to create or attach WCF service in existing asp.net web site
How to Remove Back Slashes from JSON Response in C#?
Creating a retry mechanism in MSMQ without WCF
Cancel a long running task over WCF from client
Unity.wcf and InstanceContextMode.Single
How to tell if code is running locally from Visual Studio/Cassini
WCF trouble with Types?
What happens to an asynchronous WCF call when its client disposes or goes out of scope?
MemoryCache and multiple per call WCF services
Different timeouts for different requests to the same WCF service
RazorEngine 3.7.7 - Error when compiling a cached template
.NETCore WCF basicHttpBinding
Lazy Loading with a WCF Service Domain Model?
WCF and System.Configuration namespace
Performance of WCF with net.tcp
Passing an image through WCF and display them in a WPF datagrid

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!