
WCF Transport security over NetTcpBinding is based on TLS-over-TCP. In my understanding TLS-over-TCP needs a certificate for TLS handshaking to exchange a shared secret.

In a Windows workgroup, NTLM provides a mechanism to exchange a shared secret based on user credentials.

My question is: when the following is used:

  1. security mode: Transport
  2. clientCredentialType="Windows"
  3. NetTcpBinding
  4. in Windows workgroup environment (NTLMv2 is used?)

is a server certificate needed for encryption?

Please also point out if my understanding is incorrect. Additional reading links are appreciated too.

sz9

1 Answer


Yes, you must have a server certificate.

NTLMv2 will protect the credentials, but the HTTP "session" is easily hijacked and also used to attack other systems, via NTLM relay.

markgamache
  • Thank you for the response. There is no HTTP involved in this setting when NetTcpBinding is used. – sz9 Jun 11 '14 at 15:38
  • Some experiments: when clientCredentialType is "Windows", the service can start without a service certificate. When clientCredentialType is "None", the service complained about a missing certificate at startup. My guess is that when Windows authentication is used, NTLM (SSPI) provides the session key for data encryption. But I am not sure... – sz9 Jun 11 '14 at 15:55
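The two configurations compared in the last comment, side by side, as an added example that is not part of the original question or answer. The contract, service class, address and certificate subject name are assumptions; the point is which host setup needs a service certificate and which relies on the SSPI session key instead.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text) => text;
}

public static class Program
{
    // The setup from the question: Transport mode, Windows client credentials.
    // Authentication and the per-session key come from SSPI (NTLMv2 in a
    // workgroup, Kerberos in a domain); no TLS certificate is involved.
    public static NetTcpBinding WindowsTransportBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        // Insist on encryption as well as signing; Sign alone leaves payloads readable.
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // Same mode with anonymous clients: transport protection now comes from
    // TLS, so the host must be given a certificate or Open() fails.
    public static NetTcpBinding AnonymousTransportBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    public static void Main(string[] args)
    {
        bool anonymous = args.Length > 0 && args[0] == "none";
        var host = new ServiceHost(typeof(EchoService), new Uri("net.tcp://localhost:9000/echo"));
        host.AddServiceEndpoint(typeof(IEcho), anonymous ? AnonymousTransportBinding() : WindowsTransportBinding(), "");
        if (anonymous)
        {
            // Assumed subject name; only this branch requires a certificate in the store.
            host.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "echo.example");
        }
        host.Open();
        Console.WriteLine($"Listening ({(anonymous ? "TLS, certificate" : "SSPI, no certificate")}). Press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Running with no argument reproduces the commenter's first observation (the host opens with no certificate configured); running with `none` and the SetCertificate call removed reproduces the second (startup fails for want of a certificate).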