
I apologize for my weak understanding of this topic, and I hope that this question is not too broad.

I would like to develop a .NET 4 intranet application with a WCF service. The client will be a Windows Service (running as SYSTEM). I do not need to authenticate traffic (but would like to), but I do need to encrypt traffic.

My question is: What are my options for encrypting traffic with a WCF service? If the solution relies on Active Directory, can I make that work if my client is running as SYSTEM, and not as an AD user?

If the solution relies on certificates, how can I distribute/generate them?

Eric

1 Answer


The simplest way that I can think of would be to just use the netTcpBinding for the endpoints of your service. Since this is an intranet application, and I'm assuming you expect all of the clients to be Windows, this binding would provide you the best combination of performance and security with little configuration overhead.

The default security mode of this binding is Transport which means that it's applied to the actual connection the messages travel on, and not the individual messages (though you could configure it that way if you wanted to). From the MSDN on Transport Security:

The NetTcpBinding class uses TCP for message transport. Security for the transport mode is provided by implementing Transport Layer Security (TLS) over TCP. The TLS implementation is provided by the operating system.

See the MSDN for netTcpBinding for more information on how to configure the binding and its available options.

mclark1129
  • Thanks @Mike, so if I use NetTcpBinding, the encryption "just works"? In order to use `clientCredentialType="Windows" protectionLevel="EncryptAndSign"`, does my application have to be running as an AD user or anything? – Eric Aug 21 '12 at 16:26
  • I believe that `protectionLevel` deals with encrypting and doesn't actually have any effect when using transport security. `Windows` authentication should work fine while running the account as an AD user, and probably when running as the local system account (providing both client and server machines exist on the same domain). I'm no security expert, but I believe that it is a better practice to create users to run your services under so that you have more flexibility in assigning permissions to that user. – mclark1129 Aug 21 '12 at 17:30
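Added example (not code from the question or the answer above) showing the netTcpBinding setup the answer recommends, done in code rather than app.config so host and client are guaranteed to use the same binding. It assumes a hypothetical contract `IIntranetService`, a server named `APPSRV01` on port 8000, and the `host/<name>` SPN that every domain-joined machine account already has. Two points the thread raises are made concrete: the transport `ProtectionLevel` is the setting that makes the Windows-credential channel encrypt and not merely sign (the default is already `EncryptAndSign`, but pinning it prevents a later config edit from downgrading it), and a client running as SYSTEM authenticates over the wire as the machine account `DOMAIN\HOSTNAME$`, which the service can check in `ServiceSecurityContext` to authorize callers instead of accepting every authenticated principal.

```csharp
using System;
using System.Net.Security;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical service contract for the intranet service.
[ServiceContract]
public interface IIntranetService
{
    [OperationContract]
    string WhoAmI();
}

public class IntranetService : IIntranetService
{
    public string WhoAmI()
    {
        // Identity established by Windows (Negotiate) authentication on the TCP transport.
        // A client service running as LocalSystem shows up here as DOMAIN\HOSTNAME$.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // Assumed policy: only domain machine accounts (names ending in '$') may call.
        // Authentication alone is not authorization; without this check any domain user could call in.
        if (caller == null || caller.IsAnonymous || !caller.Name.EndsWith("$"))
            throw new FaultException("Caller is not an authorized machine account.");

        return caller.Name;
    }
}

public static class SecureNetTcp
{
    // Single binding definition used by both sides so they cannot drift apart.
    public static NetTcpBinding CreateBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        // Authenticate with the Windows account the process runs as (Kerberos, NTLM fallback).
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        // EncryptAndSign is the default; set it explicitly so a config edit cannot silently
        // drop the channel to Sign (integrity only) or None.
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // Server side: net.tcp://0.0.0.0:8000/intranet/secure (assumed base address).
    public static ServiceHost StartHost(string baseAddress)
    {
        var host = new ServiceHost(typeof(IntranetService), new Uri(baseAddress));
        host.AddServiceEndpoint(typeof(IIntranetService), CreateBinding(), "secure");
        host.Open();
        return host;
    }

    // Client side: called from the Windows Service running as SYSTEM. No explicit credentials
    // are set, so the machine account is used. The SPN identity lets Kerberos authenticate the
    // server to the client as well, so the client is not talking to an impostor endpoint.
    public static string CallAsProcessAccount(string endpointUri, string serverHostName)
    {
        EndpointIdentity serverIdentity = EndpointIdentity.CreateSpnIdentity("host/" + serverHostName);
        var address = new EndpointAddress(new Uri(endpointUri), serverIdentity);
        var factory = new ChannelFactory<IIntranetService>(CreateBinding(), address);
        IIntranetService proxy = factory.CreateChannel();
        try
        {
            return proxy.WhoAmI();
        }
        finally
        {
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }

    public static void Main()
    {
        // Assumed names; on a real deployment the host runs on APPSRV01 and the client elsewhere.
        using (ServiceHost host = StartHost("net.tcp://localhost:8000/intranet"))
        {
            string caller = CallAsProcessAccount("net.tcp://APPSRV01:8000/intranet/secure", "APPSRV01");
            Console.WriteLine("Service saw caller: " + caller);
        }
    }
}
```

Run the host under a dedicated domain service account (as the last comment suggests) rather than SYSTEM where possible, and keep the machine-account check on the service side: with `ClientCredentialType="Windows"` any domain principal can complete authentication, so the service must still decide who is allowed through.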