I build a WCF Windows Service and I want connect to it via Internet.
So I was looking for a suitable binding. I decided to use wsDualHttpBinding.
It is working so far if I use securityMode=None in my xml and ProtectionLevel=None in my ServiceContract.
Now I have the problem that I cannot secure the connection between my Service and my Client, because I donĀ“t want anybody to see any details during my Login process.
When I use Message security and ProtectionLevel=EncryptAndSign I cannot access my Service.
Does anybody know where the problem is?
Thanks a lot in advance.
Finally done,
after days of researches I found a suitable solution for my problem.
I decided to use a certificate mechanism. Now I am creating a certificate and I can use message security.
Yes, it was quite an overhead, but it works fine.
Related
this is a similar question but doesn't fit my needs: WCF - Preventing Unauthorized Clients
I have full control over both a WCF Service and a number of clients that connect to this service.
Every client is just a program that doesn't require any username or password.
I want to be totally sure that only my clients will connect and use my WCF Service, is this possible?
My WCF Service uses 2 type of endpoints: netTcpBinding and basicHttpBinding.
Since i'm totally new to this kind of problem i'm googling and finding answer about using certificates, but i don't know if this is the right answer to my problem (and don't know of to use them). If certificates are the only way i'll use all the needed time to understand how to use them :)
Thank you!
Some sort of authentication is required, which sort is very much context dependent.
If you're in a windows domain, I would suggest using those mechanisms. Either way you should probably start here: http://msdn.microsoft.com/en-us/library/ff405740.aspx
I am using WCF services with C#.
I am using the transport security mode by setting the client and service certificates.
In the middle of operation I would like to change the certificates that I am using and use certificates signed by other CA.
Is it possible to change these certificates in the middle of operation without restarting the service host? If so how?
Is it enough if I just call set certificate with other certificate passed:
serviceHost.Credentials.ServiceCertificate.SetCertificate(...)
serviceHost.Credentials.ClientCertificate.SetCertificate(...)
Someone have encountered this problem and resolved it?
I have tested this as a high-availability issue. You can't do it. The service acquires its certificate when the ServiceHost opens and never again.
If your goal is to support HA, you need to put multiple services behind a load-balancer and restart them one-by-one.
You can't change certificates without restarting the web service, unfortunately. I've looked into this extensively. There's no way to do it. Sorry
I'm working on a client-server project implemented using WCF. The clients are deployed on different machines and communicate with services through the internet. I'm relatively new to WCF, and am a bit confused on choosing the appropriate binding for my Web services. The clients need to be authorized to perform operations, however, I'm implementing my own authentication algorithm and trying to avoid Windows authentication for various reasons, but I still need to make sure the message transferred in the channel is encrypted.
Right now I'm using wsHttpBinding with security mode set to Message. Full configuration looks like this:
I've set the authentication type in IIS to Anonymous Authentication to make sure the requests are passed through, and was expecting a service call to fail since MessageClientCredentialType in my binding is explicitly set to Windows. However, when I run the code, the service successfully gets called and returns the expected values. I have a feeling that I'm missing something - why is the call authorized? Can I make sure the message is still encrypted even though authentication type is set to Anonymous? Any help is appreciated.
Edit
To clarify on this, I tested the service with a client deployed to a machine outside the network on a different domain.
This MSDN article kind of sums up a lot of security issues relevant to WCF
http://msdn.microsoft.com/en-us/library/ms733836.aspx
regarding your specific situation,
the negotiateServiceCredential="true" means that you streamline certificate distribution to your clients for message encryption.
This option will only work with windows clients and has some performance problems.
read more here http://msdn.microsoft.com/en-us/library/ff647344.aspx
search the topic "streamline certificate distribution" in this page.
Which account do you use to make the call to the service? Allowing anonymous in IIS lets your request pass through to the service and service should authenticate if your caller has credentials that windows understands (Active directory/NTLM).
In your case, I think you are testing it in your own environment so service responds. Once you deploy it over internet, I doubt your service will allow anybody outside of your domain if you keep clientcredentialtype to windows.
Check these link for securing services on the Internet -
http://msdn.microsoft.com/en-us/library/ms734769.aspx
http://msdn.microsoft.com/en-us/library/ms732391.aspx
I want to add some security to a client(iPhone) - server(c#) application I'm working on, mainly to encrypt messages sent between client and server.
I know i should use SSL but not really sure what the steps i need to do in both client and server to implement it.
Can someone please give me some guidance?
I don't use HTTP protocol, i use my own textual protocol, but any way with HTTP or my own protocol how do i add ssl support? i know that in c# there is SSLStream instead of regular Stream. And on ios there is some stream settings i need to configure, i just don't know how to do it.
Host the application using SSL in IIS, then use HTTPS as the service point. [edit] Don't forget you'll need a cert.
Take the easy approach, which is allowed to go on the App Store without having to go through all the encryption law stuff. Simply use a HTTP server and a client.
C# runs the HTTP server (maybe use IIS to handle that? Maybe C# has its own software for that) and the iPhone simply uses NSURLRequest.
Easy to implement and safe, since you'll benefit from patches from Apple and Microsoft.
Update for the updated question: I did some quick research and this kept popping up: kCFStreamPropertySSLSettings - maybe it helps you. It's apparently something for NSStream that allows it to create SSL connections, or something. I'm afraid I can't help you more than that.
I have recently created an API on my server in PHP, but I have discovered that I shouldn't use my API directly with an API key because sensitive information like that can't be held securly inside an EXE. I did some research and people recommend creating a proxy between the API and your application, but even still that can be broken into.
I was wondering, how can I make my server know if it is being accessed from my C# application, or from another source? The reason why I want to know is to stop potential hackers accessing my gateway and using it themselves.
Thanks
SSL with a login?
There is no way for you to be certain someone is using your application to access a web service. I'm in a similar boat, and the most you can do is ensure the communication channel is secure (SSL) and use a username/password or something similar. You also have to be aware that anything done on the client's computer can be compromised. So much so, that you should pretty much assume that your application will be open source to anyone that wants it.