Thursday, February 16, 2012

WCF And Certificate Security

Our application is a messaging system, relying on WCF to send messages around to other computers. We have our WCF services hosted as a Windows Service. The predominate scenario for the use of this system would be on computers within a domain or series of trusted domains and so Windows security seemed to be the easiest way to implement this.

For both netTcpBinding and wsHttpBinding, no security tags were needed, because the defaults were what we wanted. The default for netTcpBinding is Security=”Transport” and clientCredentialType=”Windows”. The default for wsHttpBinding is Security=”Message” and clientCredentialType=”Windows”. This works great between computers on the same domain or on trusted domains.

Well, as luck would have it, our first customer doesn’t trust anybody. The various agencies that needed to “talk” together, don’t have trust between their domains and refuse to grant any trust. So, we were back to square one with trying to figure out how best to handle the security with a deadline looming in 4 short weeks!

We decided that Certificates were the way to go, but  trying to find out how to implement them was a nightmare! Google all you want, but all you’ll find are incomplete examples. We struggled with this for a week. Every time we found something promising, and tried to implement it, there was always some important piece left out of the puzzle and nothing worked. Finally, Gary found this blog:

http://notgartner.wordpress.com/2007/09/06/using-certificate-based-authentication-and-protection-with-windows-communication-foundation-wcf/

Wow! Everything worked! Finally! No missing puzzle pieces! Our thanks go out  to Mitch Denny for his very complete and informative blog post!