
We have a WCF service with netTcpBinding hosted in a Windows service. This service connects to a Content Manager server to upload documents and add some metadata, retrieves the documentID and passes it to a .NET application; the clients are authenticated using Windows authentication. We wrote a WCF client library to be used as a proxy by other line-of-business applications that want to upload documents by just referencing this DLL. All this works fine as long as the client apps are within the intranet domain.

Now there is a requirement to use this service from a web app accessed via mobile phones. The mobile application accesses a legacy ASMX web service which references the proxy to connect to the WCF service, which in turn talks to another backend WCF service and uploads to Content Manager. The ASMX web service is hosted on servers outside of the current domain in a DMZ and there is no trust between the corporate domain and the DMZ. We opened the necessary ports on both servers, but since the client credential type is Windows, it throws "The remote server did not satisfy the mutual authentication requirement." which is expected. Now we want to use netTcpBinding for the obvious performance reasons, since documents are scanned and sent via mobile phones from remote locations, and with very little time, rewriting is not an option. In the articles I read and the discussions here, most suggest against using netTcpBinding for this scenario, and a few tried and implemented this using certificates.

My questions are:

  1. For the scenario I mentioned above, is using certificates to authenticate clients the right approach?
  2. How should I handle security? Right now declarative impersonation is used on almost all operations; if I have to change security, how can I do it without impacting other applications using the service?

I have not worked with certificates before, so guidance with respect to this scenario will also be of great help.

Middler
  • So you want to "impersonate" clients from mobile devices or is it enough to have a single identity for all of them (= identity for the web application)? The first option probably means really big changes either in your application or network architecture. – Ladislav Mrnka Oct 26 '11 at 19:50
  • Mobile clients talk to a web service which talks to another application maintained by a vendor for their logins; we don't have any issues there. The web service which is in the DMZ needs to talk to the WCF service within the corporate domain, which is where the issue is; clearly Windows authentication is not an option here and the WCF service is written to do that only. – Middler Oct 27 '11 at 13:20
  • Why would you need to rewrite anything? You can add another binding to the same service, simply through configuration. – John Saunders Oct 27 '11 at 19:26
  • Yeah, that is my thought process too: I would add another endpoint to the same service but instead of Windows authentication use certificates to authenticate clients. But will this work with netTcpBinding and transport security? I assume I have to create a certificate at the service end; what about the client? – Middler Oct 27 '11 at 20:00
  • I'm kind of confused about where to set up the certificates, whether I should configure a port or configure IIS. Since the service is self-hosted in a Windows service I believe it has to be ports. How do I configure certificates at the service end and how do I download certificates at the client end? What are the configurations at the service end and client end? These are some of the questions for which I don't have clear answers or guidance. – Middler Oct 28 '11 at 14:03
  • Have you thought about using ASP.NET Identity from your DMZ web service to your WCF? Check this link out; I think it is quite close to what you are trying to achieve: http://wcfsecurityguide.codeplex.com/wikipage?title=Ch%2014%20-%20Internet%20%e2%80%93%20Web%20to%20Remote%20WCF%20Using%20Transport%20Security%20%28Trusted%20Subsystem%2c%20TCP%29&referringTitle=Home – Surjit Samra Oct 28 '11 at 16:13
  • The web service itself does not call the WCF service directly; I have a WCF client library which is referenced by the web service, and I don't have a SQL Server for authentication and authorization, as previously we used Windows authentication for all our security. – Middler Oct 28 '11 at 16:23
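The following is an added example, not code from the asker or from any of the comments, showing the approach the comments converge on: keep the existing Windows-authenticated netTcpBinding endpoint untouched and add a second endpoint on the same self-hosted service that uses transport security with client certificates. Host names (docservice.corp.example, dmzweb.example), the port, the store locations and the thumbprint placeholder are all assumptions; the service contract and the authorization check are hypothetical stand-ins for the real upload operation.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.IdentityModel.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract standing in for the real document upload service.
[ServiceContract]
public interface IDocumentService
{
    [OperationContract]
    string Upload(byte[] content, string fileName);
}

public class DocumentService : IDocumentService
{
    // Assumed allow-list: thumbprint of the certificate issued to the DMZ web service.
    // Placeholder value; replace with the real thumbprint from the certificate store.
    private static readonly HashSet<string> AllowedClientThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "<THUMBPRINT-OF-DMZ-CLIENT-CERT>" };

    public string Upload(byte[] content, string fileName)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        X509CertificateClaimSet certClaims = ctx.AuthorizationContext.ClaimSets
            .OfType<X509CertificateClaimSet>().FirstOrDefault();

        if (certClaims != null)
        {
            // Certificate endpoint: there is no Windows token to impersonate, so the
            // caller is authorized on the presented certificate instead.
            if (!AllowedClientThumbprints.Contains(certClaims.X509Certificate.Thumbprint))
                throw new FaultException("Client certificate is not authorized to upload.");
        }
        else if (!ctx.WindowsIdentity.IsAuthenticated)
        {
            // Windows endpoint: an anonymous WindowsIdentity means authentication failed.
            throw new FaultException("Caller is not authenticated.");
        }

        // The real Content Manager upload would happen here; a constructed id is returned instead.
        return "DOC-" + Guid.NewGuid().ToString("N");
    }
}

public static class DocumentServiceHost
{
    public static ServiceHost Start()
    {
        var host = new ServiceHost(typeof(DocumentService),
            new Uri("net.tcp://docservice.corp.example:8731/DocumentService")); // assumed address

        // Existing intranet endpoint, unchanged: NetTcpBinding defaults to Windows credentials,
        // so applications already using declarative impersonation keep working.
        host.AddServiceEndpoint(typeof(IDocumentService), new NetTcpBinding(SecurityMode.Transport), "windows");

        // New endpoint for the DMZ caller: transport security, client authenticated by certificate.
        var certBinding = new NetTcpBinding(SecurityMode.Transport);
        certBinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        certBinding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        host.AddServiceEndpoint(typeof(IDocumentService), certBinding, "cert");

        // The service's own certificate; the Windows service account needs read access to its private key.
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "docservice.corp.example");

        // Client certificates are validated against a trusted chain and checked for revocation.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        host.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.Online;

        host.Open();
        return host;
    }
}

// Client side, as used by the proxy library when it runs on the DMZ web server.
public static class DmzDocumentClient
{
    public static IDocumentService Create()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;

        // The expected DNS identity must match the service certificate's subject name;
        // a mismatch is what surfaces as a failed mutual-authentication check.
        var address = new EndpointAddress(
            new Uri("net.tcp://docservice.corp.example:8731/DocumentService/cert"),
            EndpointIdentity.CreateDnsIdentity("docservice.corp.example"));

        var factory = new ChannelFactory<IDocumentService>(binding, address);
        factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "dmzweb.example");
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        factory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.Online;
        return factory.CreateChannel();
    }
}
```

Because the certificate endpoint produces an X.509 identity rather than a Windows token, operations marked with ImpersonationOption.Required cannot be served from it; the shared operations either need impersonation relaxed to Allowed or an explicit authorization check like the thumbprint test above, while the Windows endpoint keeps its existing behaviour. ChainTrust requires both sides to trust the issuing CA (a private CA works, since the DMZ and the corporate domain have no trust between them); PeerTrust with the peer certificate placed in the TrustedPeople store is the alternative when no shared CA exists.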
