
WCF - Encryption (and possibly authentication) using SSL

Here's my scenario and problem:

  • We have a Windows 2008 R2 Server (IIS7)
  • SSL Certification
  • .NET 4

I tried looking for a good resource online, but most of them are incomplete and different enough from each other that they don't really mix and match. I'm looking to use WCF Services to pass messages from my client/server encrypted. I'm going to implement some custom authentication scheme as well. The authentication scheme will verify the user/pass on the first time authentication. Then from then on the client will use a randomly generated code as their authentication instead.

From what I gather I need to do the following:

  • [ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
  • Use WSHttpBinding

Here's where I'm a bit overwhelmed. There are so many sources stating how the config files for the server and client should be that I'm just really confused. What are my server/client config files supposed to look like so that my service sends/receives messages encrypted and can point to a custom authentication?


Alternatively, if I can't use this custom authentication as a parameter of the WCF client object, I'll just pass the authentication credentials as part of the message itself as long as the message is encrypted.

If there is an actual, fully complete (i.e. not partial info) resource out there, that would be great. Or, if anyone knows the necessary client/server App.config/Web.config settings to use that would also be great.


I believe you want to use HTTPS, which will ensure transport-level encryption and signing. You need to configure IIS7.5 with an SSL certificate first and allow https in the application hosting the service. Check this tutorial, but you will use your existing certificate instead of creating a self-signed one. Your certificate should be created for the host header of your site (for example mydomain.com) or for the name of your server if exposed directly.

In your service you need basicHttpBinding with Transport security and Message credentials for authentication.

<bindings>
  <basicHttpBinding>
    <binding name="secured">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior name="securedService">
      <serviceMetadata httpsGetEnabled="true" />
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom" userNamePasswordValidator="..." />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<services>
  <service name="..." behaviorConfiguration="securedService">
    <endpoint address="" contract="..." binding="basicHttpBinding" bindingConfiguration="secured" />
    <endpoint address="mex" contract="IMetadataExchange" binding="mexHttpsBinding" />
  </service>
</services>

Client will use similar settings:

<bindings>
  <basicHttpBinding>
    <binding name="secured">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
<client>
  <endpoint name="..." address="https://..." contract="..." binding="basicHttpBinding" bindingConfiguration="secured" />
</client>

This configuration defines a SOAP 1.1 service secured over the HTTPS transport and protected by user name and password. The service also exposes its metadata (WSDL) over HTTPS. The user name and password are validated by a custom password validator (you have to implement one).

You will set credentials on the client proxy (generated by Add Service Reference):

// Proxy class generated by Add Service Reference; the binding named "secured"
// in the client config is applied to it automatically.
var client = new MyServiceClient();
// These values are sent in the WS-Security UserName token inside the TLS-protected channel.
client.ClientCredentials.UserName.UserName = "Name";
client.ClientCredentials.UserName.Password = "Password";

Encryption of the message is done on the transport layer. Credentials must be configured each time you create a new proxy, but they are reused for all calls from the proxy.

WsHttpBinding is probably not needed for your scenario. Setting ProtectionLevel is only for message level security - I think it is not what you are looking for.

Don't use custom authentication you described:

The authentication scheme will verify the user/pass on the first time authentication. Then from then on the client will use a randomly generated code as their authentication instead.

It is much more complicated. You will either roll your own solution, which will be non-standard, or you will use WCF's built-in implementation (secure conversation), but not every client SOAP stack is able to consume such a service (it is fully dependent on advanced message security).

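The answer above leaves the custom password validator as an exercise ("you have to implement one"). The following is an added example, not code from the original question or answer, of the class that the `userNamePasswordValidator="..."` attribute in the service behavior would point to. It derives from `System.IdentityModel.Selectors.UserNamePasswordValidator`, which is what `userNamePasswordValidationMode="Custom"` requires; the namespace `MyService.Security`, the type name `MyPasswordValidator`, the assembly name `MyService`, and the in-memory user store with the user `alice` are all assumptions for illustration. Passwords are stored as salted PBKDF2 hashes (`Rfc2898DeriveBytes`, available on .NET 4) and compared without an early exit, and an unknown user is hashed against a dummy salt so the response time does not reveal which user names exist. Failure is reported by throwing `FaultException`, which WCF turns into a generic security fault for the caller.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.Security.Cryptography;
using System.ServiceModel;

namespace MyService.Security
{
    // Referenced from the service behavior as (type and assembly names are assumptions):
    //   <userNameAuthentication userNamePasswordValidationMode="Custom"
    //        userNamePasswordValidator="MyService.Security.MyPasswordValidator, MyService" />
    public class MyPasswordValidator : UserNamePasswordValidator
    {
        private const int SaltBytes = 16;
        private const int HashBytes = 32;
        private const int Iterations = 10000; // PBKDF2-HMAC-SHA1 rounds used by Rfc2898DeriveBytes

        private sealed class StoredCredential
        {
            public byte[] Salt;
            public byte[] Hash;
        }

        // Salt used to hash the password of an unknown user so that the work done
        // (and therefore the response time) is the same as for a known user.
        private static readonly byte[] DummySalt = new byte[SaltBytes];

        // Constructed sample store standing in for a real user table: user name -> salted hash.
        // A production validator would load these from a database instead.
        private static readonly Dictionary<string, StoredCredential> Users =
            new Dictionary<string, StoredCredential>(StringComparer.Ordinal)
            {
                { "alice", Register("correct horse battery staple") }
            };

        // WCF calls this for every incoming message that carries a UserName token.
        // TLS has already been terminated, so the password arrives here in clear text.
        public override void Validate(string userName, string password)
        {
            if (string.IsNullOrEmpty(userName) || password == null)
                throw new FaultException("Unknown user name or incorrect password");

            StoredCredential stored;
            bool known = Users.TryGetValue(userName, out stored);

            // Always run the KDF, even for an unknown user, to keep timing uniform.
            byte[] candidate = Pbkdf2(password, known ? stored.Salt : DummySalt);
            bool ok = known && FixedTimeEquals(candidate, stored.Hash);
            if (!ok)
                throw new FaultException("Unknown user name or incorrect password");
        }

        // Creates a new salted credential; this is what account creation would call.
        private static StoredCredential Register(string password)
        {
            var salt = new byte[SaltBytes];
            using (var rng = new RNGCryptoServiceProvider())
                rng.GetBytes(salt);
            return new StoredCredential { Salt = salt, Hash = Pbkdf2(password, salt) };
        }

        private static byte[] Pbkdf2(string password, byte[] salt)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
                return kdf.GetBytes(HashBytes);
        }

        // .NET 4 has no CryptographicOperations.FixedTimeEquals; compare every byte
        // and OR the differences so the loop never exits early on a mismatch.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

Two points worth checking when you wire this in: the `userNamePasswordValidator` attribute must be the assembly-qualified type name (`Namespace.Type, Assembly`), and the validator only ever runs when the binding is in `TransportWithMessageCredential` mode with `clientCredentialType="UserName"`, so a client that connects over plain `basicHttpBinding` without that binding configuration is rejected before this code is reached rather than silently let through.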