WCF transport layer security trouble

I don't understand why WCF transport layer security restricts username/password authentication.

Okay, message encryption in the WCF message security model occurs at the TCP/IP application layer. I mean it directly encrypts the username/password using algorithms and decrypts using the certificate key, and if someone sniffs packets using a man-in-the-middle attack and doesn't have the key to decrypt the user credentials, it fails.

But what is the weakness of transport layer security that makes it restrict username/password authentication?

Can someone make a man in the middle attack and see user credentials in the message at transport level security?


It is not a WCF restriction. It is more like a TCP restriction. TCP transport security is done either:

  • By an SSL stream, where certificates are used to establish a trusted secured connection
  • By a Windows stream, where Windows security is used to establish a trusted secured connection

A user name and password by themselves don't contribute anything to creating these streams. If you need to pass a user name and password over a connection with transport security, you indeed can, but you must use the TransportWithMessageCredential security mode! You will have the transport layer secured with a certificate and the user name and password in the SOAP header.

0
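The setup described in the answer, as an added example that is not part of the original post: a self-hosted net.tcp service and client using TransportWithMessageCredential with a UserName message credential. The IEcho contract, DemoValidator, the "alice" account, the DEMO_PASSWORD environment variable, port 8523 and the "localhost" certificate are assumptions made for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract] public interface IEcho { [OperationContract] string Echo(string text); }
public class EchoService : IEcho
{
    // The caller name comes from the validated UserName token in the SOAP header.
    public string Echo(string text) => ServiceSecurityContext.Current.PrimaryIdentity.Name + ": " + text;
}
// Hypothetical validator: a single demo account, password taken from DEMO_PASSWORD.
public class DemoValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        string expected = Environment.GetEnvironmentVariable("DEMO_PASSWORD");
        if (string.IsNullOrEmpty(expected) || userName != "alice" || password != expected)
            throw new FaultException("Unknown user name or wrong password");
    }
}

public static class Program
{
    public static void Main()
    {
        // TLS on the TCP stream (certificate), UserName token inside the SOAP message.
        var binding = new NetTcpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var address = new Uri("net.tcp://localhost:8523/echo"); // constructed address
        using (var host = new ServiceHost(typeof(EchoService), address))
        {
            host.AddServiceEndpoint(typeof(IEcho), binding, "");
            // Assumes a trusted certificate with subject "localhost" in LocalMachine\My.
            host.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");
            var auth = host.Credentials.UserNameAuthentication;
            auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
            auth.CustomUserNamePasswordValidator = new DemoValidator();
            host.Open();
            var factory = new ChannelFactory<IEcho>(binding, new EndpointAddress(address));
            factory.Credentials.UserName.UserName = "alice";
            factory.Credentials.UserName.Password = Environment.GetEnvironmentVariable("DEMO_PASSWORD");
            Console.WriteLine(factory.CreateChannel().Echo("hello"));
            factory.Close();
        }
    }
}
```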
