WCF Security is very import when exposed to outside world. To enable Business to Business service it is always better to go with certificate authentication.
Introduction
Security is one of the key in WCF service configuration. WCF supports two modes of security modes
1. Transport
2. Message
Transport security secures the entire communication channel. Mainly used for point to point communication scenarios. There will be not intermediate handler in this scenario. So the entire communication channel is secured by using SSL.
Transport security offers many modes for authenticating client through Windows, HTTP NTLM and x509 Certificate. But for B2B scenarios Certificate Authentication is the industry standard.
Configuring this scenario requires knowledge on
1. WCF Security Settings
2. IIS / SSL
3. X509 Certificate Validation Process
We will go through wsHttpBindning because that is the default binding used in Internet Scenario
WCF Security Settings
· All bindings are supported in this mode except wsDualHttpBinding
· SSL Request mode will be enabled and Server Certificate details are used to validate the request
IIS / SSL
. Server Certificate is binded in IIS. Subject name should be the same as server name to avoid issues
. Set Require SSL setting in IIS to allow users having proper certificate
X509 Certificate Validation Process
. Client is validate with a x509 Certificate
. Root Certificate Authority(CA) of the client certificate should be part of trusted Authority in server trusted store
. Chain Validation is the default validation process. Certificate is validated based on CA
. In WCF Code all Auhentication details are stored in Claims collection which can be used to validate certificates agains custom data or for authrization purpose
.... More update coming soon.....
Conclusion
x509 certificate enhances the service security model in B2B scenarios.