5

Is there any way to use WCF SSL with NetTcpBinding that would not require a client certificate to be installed on the client machine? (SSL V2 if i'm not mistaken).

we want the server certificate will be in the client's trusted store for authentication and Encrypting its message by the server's public key, which means, only the server machine will hold a private key certificate.

we're using a NetTcpBinding and not customBinding on both sides. If its can bo done, what's the correct configuration for it? (on client & server configs)

Thanks in advance.

here are my wcf Configs.

SERVER CONFIG:



    <configuration>
      <system.serviceModel>
        <bindings>
         <netTcpBinding>
            <binding name="TcpSecureBinding">
            <security mode="Transport">
              <transport clientCredentialType="Certificate"/>            
            </security>
       </binding>
         </netTcpBinding>
       </bindings>
       <behaviors>
         <serviceBehaviors>
           <behavior name="ServiceCredentialsBehavior">          
             <serviceDebug includeExceptionDetailInFaults="True" />
             <serviceMetadata httpGetEnabled="true" />
             <serviceAuthorization 
                 principalPermissionMode="UseWindowsGroups">
             </serviceAuthorization>
          <serviceCredentials>
               <windowsAuthentication includeWindowsGruops="true"            
                                      allowAnonymousLogons="false"/>
               <clientCertificate>
                     <authentication certificateValidationMode="none"/>
               </clientCertificate>
               <serverCertificate
                   findValue="thumbprint"
                   storelocation="LocalMachine"
                   x509FindType="FindMyThumbprint"
                   storeName="My"/>
           </serviceCredentials>
        </behavior>
       </serviceBehaviors>
      </behaviors>
    <services>
        <service behaviorConfiguration="ServiceCredentialsBehavior"
               name="ServiceModel.Calculator">
          <endpoint address="net.tcp://localhost:8040/Calculator"
                  binding="netTcpBinding"
                  bindingConfiguration="TcpSecureBinding"
                  contract="ServiceModel.ICalculator" >
           <identity>
               <dns value="localhost"/>
           </identity>
         </endpoint>
        </service>
     </services>
    </system.serviceModel>
    </configuration>

CLIENT CONFIG:



    <configuration>
      <system.serviceModel>
        <client>
         <endpoint address="net.tcp://localhost:8040/Calculator"
                behaviorConfiguration="endpointCredentialBehavior"
                binding="netTcpBinding" 
                bindingConfiguration="Binding1" 
                contract="ServiceModel.ICalculator">
          <identity>
               <dns value="localhost"/>
          </identity>
          </endpoint>
        </client>
      <behaviors>
        <endpointBehaviors>
          <behavior name="endpointCredentialBehavior">
          </behavior>
         </endpointBehaviors>
       </behaviors>
       <bindings>
         <netTcpBinding>
          <binding name="Binding1">
            <security mode="Transport">
              <transport clientCredentialType="Windows" />
             </security>
          </binding>
          </netTcpBinding>
        </bindings>
     </system.serviceModel>
    </configuration>

im adding my current server & client configs. another questions:

  1. at the authentication level we want the client to authenticate ther server's cert (i think server's public key should be in trustedPeople store) , is this possible?

  2. do you recommend us use Transport Security Or Message?

  3. if we want to authenticate client & server by NTLM (clientCredentialType=Windows) is it can be done in addition to the server's cert authentication or just one of them can be applied? till now, we've used NTLM authentication.

  4. right now im getting exception: "The requested upgrade is not supported by 'net.tcp://servername:8040/**'. This could be due to mismatched bindings (for example security enabled on the client and not on the server)." i understand this error occured because the client is using Windows Security and server in om Certificate, but when im changing client security to Certificate also,im getting an error: "The client certificate is not provided". but i don't want to set client's certificate and thats part of my main problem.

  5. we read that we can use for server's cert authentication this tags:

    
    <identity>
      <certificate encodedValue="encoded certificate"/>
    </identity>

but, i think this authentication by identity is done by an encoded certificate when we preffer that the cert's identification will be performed by searching the server's public key in the client's store (trustedPeople). does this information really true? that this tags of identity are alternative to searching public key in client"s trusted store?

hope you will be able to assist in this manners, thanks again.

Bill the Lizard
  • 398,270
  • 210
  • 566
  • 880
AmirT
  • 161
  • 1
  • 2
  • 6

1 Answers1

13

it you are using netTcpBiding and need to use Transport security then you have 3 options, the first option requires service cert, the second requires no cert at all, the third requires both service cert and client cert. for your scenario, you should use option1 that will authenticate the service via it's cert and will proice Confidentiality and Integrity for the messages.

C >> Confidentiality
I >> Integrity
A >> Authentication (That will happen for the client)

1- Option one provide (C + I) no authentication will happen for the client, In this case the TCP SSL (not the HTPS SSL) will be used to provide the C and I, and the service will be 

<!--//Below are the configuration for both the service and the client-->
<netTcpBinding>
    <binding name="TcpSecureBinding">
      <security mode="Transport">
        <transport clientCredentialType="None"></transport>
      </security>
    </binding>
  </netTcpBinding>

also because the TCP SSL will be used then the service must provide a certificate for the client, so you need to install a certificate in the server and conigure the service to use this certificate to prove it's identity, also you need to install the root certificate authority certificate for the service certificate on the client machine (typically in the LocalMachine/Trusted Root Certification Authorities), and the service need to have the below behavior to specify the certificate for the service

<serviceBehaviors>
    <behavior>
      <serviceCredentials>
        <serviceCertificate findValue="localhost"
                            x509FindType="FindByIssuerName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>

2- option two provide (A+ [C + I]), the C and I are optional as you configure via the protectionLevel element. the client auth will be windows auth (Typically will use Windows Stream Security to achieve the A, C and I)

<!--//Below are the configuration for both the service and the client-->
<netTcpBinding>
    <binding name="TcpSecureBinding">
      <security mode="Transport">
        <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"></transport>
      </security>
    </binding>
  </netTcpBinding>

3- option 3 provide (A + C + I), the C and I are not optional and the client authentication will be via client certificate (each client must have his own certificate ), In this case the TCP SSL (not the HTPS SSL) will be used to provide the A, C and I.

<!--//Below are the configuration for both the service and the client-->
<binding name="TcpSecureBinding">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"></transport>
      </security>
    </binding>

also because the TCP SSL will be used then the service must provide a certificate for the client, so you need to install a certificate in the server and conigure the service to use this certificate to prove it's identity, also you need to install the root certificate authority certificate for the service certificate on the client machine (typically in the LocalMachine/Trusted Root Certification Authorities), and the service need to have the below behavior to specify the certificate for the service

<serviceBehaviors>
    <behavior>
      <serviceCredentials>
        <serviceCertificate findValue="localhost"
                            x509FindType="FindByIssuerName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
Mohamed Reda
  • 131
  • 1
  • 3
  • What does the client endpoint configuration need to look like to use the public root CA key only? I've been trying to configure my service with a machine cert signed by the root CA, but when I configure the client to use the root CA the client and server are unable to talk. But when I put the public key of the service machine's cert on the client (and change the "findValue" to that certs name) then it works. What am I doing wrong? – Simon Gillbee Nov 22 '13 at 21:43