Tags: wcf, ssl, forms-authentication, net.tcp, .net-4.5

WCF net.tcp SSL, certificate and username + password authentication


I want to build a client-server, WPF-WCF application that should fulfill the following requirements:

So I started working on it two days ago and, after going through almost every example/tutorial I could find that got close to my scenario, I managed to build a WCF service with net.tcp binding that is hosted in IIS (8 I think) and exposes its metadata through a mex endpoint and a tiny little client console application that can connect to the service and call its one and only HelloWorld method.

All was well until I started trying to add certificate based security. I tried countless configuration combinations and techniques but still couldn't get anything working.

At first, I got some specific error messages telling me various things about the server or client certificates not being valid, trusted, or good for anything in any way. Then I followed these articles, since I need self-signed certificates while developing.

Then, I started getting more and more vague error messages until I gave up. It might very well be that I misunderstood how WCF works since I don't have that much experience with it.

The configuration that worked is this:

That's, as you can see, the certificate-less configuration. Any step that I take towards using my self-signed certificates within this configuration breaks the applications.

I use .NET Framework 4.5.1 for everything.

I would very much appreciate help with this problem. I can provide additional configurations I tried, if needed.

Is this even possible or am I trying in vain?

Thank you!


Solution

  • In short, yes, you can support multiple client credentials using what are known as Supporting Tokens.

    From the linked article:

    The example adds an X.509 binary security token in addition to a username security token. The token is passed in a WS-Security message header from the client to the service and part of the message is signed with the private key associated with the X.509 security token to prove the possession of the X.509 certificate to the receiver. This is useful in the case when there is a requirement to have multiple claims associated with a message to authenticate or authorize the sender.

    On the topic of using NetTcpBinding over the internet:

    NetTcpBinding is generally recommended for intranet scenarios. It is advised by much of what I have read to use either WsHttpBinding or BasicHttpBinding for internet scenarios, depending on your requirements. If security is a top concern of yours, the recommended choice is WsHttpBinding with Message level security.

    Guidelines on choosing a binding for an internet scenario: Internet Binding Scenarios.
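The supporting-token setup described above, as an added example that is not the answerer's or the linked sample's code: a custom binding that carries a username token as the primary client credential and the client's X.509 certificate as an endorsing supporting token over net.tcp, plus the service-side credential configuration. The store, subject name "MyServer" and the "devuser" credentials are assumed placeholders; swapping TcpTransportBindingElement for HttpTransportBindingElement gives the WS-HTTP style the answer recommends for internet use.

```csharp
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

// Message-level security over net.tcp: username/password is the primary client token,
// the client's X.509 certificate is an endorsing supporting token (it signs part of
// the message), and the service certificate protects the exchange.
public static class SupportingTokenBinding
{
    public static Binding Create()
    {
        SymmetricSecurityBindingElement security =
            SecurityBindingElement.CreateUserNameForCertificateBindingElement();
        // Endorsing: the client must prove possession of its certificate's private key.
        security.EndpointSupportingTokenParameters.Endorsing.Add(
            new X509SecurityTokenParameters());
        return new CustomBinding(security,
            new BinaryMessageEncodingBindingElement(),
            new TcpTransportBindingElement());
    }
}

// Checks the username token on the service. Placeholder credentials for a dev box.
public sealed class DevPasswordValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "devuser" || password != "devpassword")
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}

public static class HostSetup
{
    public static void Configure(ServiceHost host)
    {
        // "MyServer" is an assumed subject name of a self-signed development certificate.
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindBySubjectName, "MyServer");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new DevPasswordValidator();
        // PeerTrust: accept only client certificates placed in the TrustedPeople store
        // (suits self-signed dev certificates); ChainTrust is the production default.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
    }
}
```

The client must then set both ClientCredentials.UserName and ClientCredentials.ClientCertificate on its proxy, and trust the service certificate the same way (PeerTrust with the certificate in its TrustedPeople store) while developing.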