0

I'm configuring a WCF service in the intranet between a client and a server.

I've set it up for wsHttpBinding with TransportWithMessageCredentia without certificate authentication.

Am I correct that service now use ssl/tls and encrypts the messages?

Is this secure or do I need to use certificates too?

wandapong
  • 59
  • 5
  • Possible duplicate of [Is TransportWithMessageCredential without certificate secure enough for a WCF service?](https://stackoverflow.com/questions/10696303/is-transportwithmessagecredential-without-certificate-secure-enough-for-a-wcf-se) – William Xifaras Nov 13 '19 at 18:56
  • So is it secure if the two end points are on an internal network? The client always has to authenticate for each message. – wandapong Nov 13 '19 at 22:00

1 Answers1

0

Yes, we should bind a certificate to the particular port, so as to secure the communication.
https://learn.microsoft.com/en-us/windows/win32/http/add-sslcert
If hosting the service in IIS, we are supposed to add an https binding to the site binding module.
The certificate is used to provide integrity, confidentially, and authentication while SOAP message security provides client authentication.
Therefore, please consider the below configuration. 

WSHttpBinding binding = new WSHttpBinding();
            binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

the service base address is https style and authenticates the client with a pair of username/password.
https://learn.microsoft.com/en-us/dotnet/api/system.servicemodel.securitymode?view=netframework-4.8#System_ServiceModel_SecurityMode_TransportWithMessageCredential
Feel free to let me know if there is anything I can help with.

Abraham Qian
  • 7,117
  • 1
  • 8
  • 22