Dzmitry Huba

Greetings

I'm working on creating a WCF service with UserName authentication, but due to some restrictions I cannot use a certificate to protect the transport layer. Unfortunately, searching for a solution didn't give any results. For now I understand that the WCF infrastructure somehow prevents sending credentials over an unprotected transport. I found a workaround here. It uses TransportWithMessageCredentials as the security mode and fakes the transport's abilities. I'm not sure for now that messages are still encrypted.

So I'm wondering if there is a way to construct, for example, a custom binding which will support secure transport with symmetric encryption (both client and service will be given the encryption key during deployment).

Thanks in advance for your reply!



Re: Windows Communication Foundation (Indigo) UserName authentication with secure transport but without certificate

BenK

You can't encrypt messages without a certificate ...

WCF will allow you to send credentials without a secure transport, as the message can be encrypted, so the transport is irrelevant. You do need certificates, however, though there is a model where only the server needs a certificate.

Use Message instead of TransportWithMessageCredentials (example with no client certificate; still need server):

Service

<serviceCredentials>
  <serviceCertificate findValue="Contoso.com"
                      storeLocation="LocalMachine"
                      storeName="My"
                      x509FindType="FindBySubjectName" />
</serviceCredentials>

Client and service binding

<wsHttpBinding>
  <binding name="MessageAndUserName">
    <security mode="Message">
      <message clientCredentialType="UserName" />
    </security>
  </binding>
</wsHttpBinding>

In terms of secure transports (i.e. not message encryption) there are only 2:

1) HTTPS (needs a certificate)

2) Windows security: TCP using Windows security, which does not require a certificate.

Regards,

Ben
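
The configuration in the reply above, done in code as a self-hosted service and client in one process. This is an added example, not part of the original thread. The contract `IEcho`, `EchoService`, `DemoValidator`, the address, the user name `demo-user` and the `DEMO_PASSWORD` environment variable are assumptions made for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IEcho { [OperationContract] string Echo(string text); }
public class EchoService : IEcho { public string Echo(string text) { return text; } }

// Hypothetical validator; a real one checks a credential store, not constants.
public class DemoValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "demo-user" || password != Environment.GetEnvironmentVariable("DEMO_PASSWORD"))
            throw new SecurityTokenException("Unknown user name or password.");
    }
}

public static class Program
{
    public static void Main()
    {
        var address = new Uri("http://localhost:8000/echo");   // plain HTTP: no transport security
        var binding = new WSHttpBinding(SecurityMode.Message); // messages are signed and encrypted
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        using (var host = new ServiceHost(typeof(EchoService)))
        {
            host.AddServiceEndpoint(typeof(IEcho), binding, address);
            // Same certificate lookup as the <serviceCertificate> element in the reply.
            host.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "Contoso.com");
            host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
                UserNamePasswordValidationMode.Custom;
            host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new DemoValidator();
            host.Open();

            // Client side: no client certificate, only a user name and password.
            var endpoint = new EndpointAddress(address, EndpointIdentity.CreateDnsIdentity("Contoso.com"));
            var factory = new ChannelFactory<IEcho>(binding, endpoint);
            factory.Credentials.UserName.UserName = "demo-user";
            factory.Credentials.UserName.Password = Environment.GetEnvironmentVariable("DEMO_PASSWORD");
            Console.WriteLine(factory.CreateChannel().Echo("hello"));
            factory.Close();
        }
    }
}
```

Running it requires `DEMO_PASSWORD` to be set, a certificate with subject name Contoso.com and an accessible private key in the LocalMachine\My store, and that certificate to be trusted by the client, since the client validates the service certificate by chain trust by default.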