Advertisement

11.18.2008 at 01:17PM PST, ID: 23915867
[x]
Attachment Details

WCF Security - does message security with username credentials require a client certificate?

[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
7.6
Zones:

Web Services and WCF, Miscellaneous Security, Encryption for Network Security

Tags:

Microsoft, Microsoft Visual Studio 2008, WCF, VS 2008 .NET 3.5, Windows Forms Client to Remote WCF Using Message Security HTTP, VB.NET
Hi Experts,

I'm working on a test application to implement and examine the requirements of WCF Security before implementation into a development system. The scenario is as follows:

- Client Server Windows Forms Application
- aspnet Membership Provider - username and password authentication
- WCF Services deployed in IIS 6.0 exposed over the Internet
- VS2008, VB.NET, Windows 2003 Server, SQL Server 2005, Dev on XP

The following link is pretty much the scenario and the guiding force behind what I've been doing so far:

http://www.codeplex.com/WCFSecurityGuide/Wiki/View.aspx?title=Ch%2015%20-%20Internet%20%u2013%20Windows%20Forms%20Client%20to%20Remote%20WCF%20Using%20Message%20Security%20%28Original%20Caller%2c%20HTTP%29&referringTitle=Home

So i'm trying to decide on the security needs and I'm currently trying to get this working in a test app with Message Level security, Username Credentials (aspnet membership) and wsHttpBinding. One design goal is to avoid having to install certificates on the client machines, but i'm not sure if this is possible. I've installed a test service certificate on my development machine and it is working, but i'm not sure if the certificate is acting as both client & server certificate.

I'm a little unsure as to this statement:

"For validating the service certificate, the Root CA certificate is installed on the client machine in the Trusted Root Certification Authorities location."  

If we were to purchase a service certificate from Verisign (other reputable companies are available), would the client require anything installed on their machine, as such companies already appear in trusted CA's? Our fallback position if to go for standard SSL Transport Security, and I'm wondering if I should give up and start looking at it now?

Any help would be greatly appreciated.

tanneroni
Start your 7 day free trial to see this answer
Answered By: tanneroni
Expert Since: 10/15/2003
Accepted Solutions: 2
tanneroni has been an Expert for 5 years 2 months, during which he has posted 4 comments and answered 2 questions. tanneroni is just one of 286 experts in the Web Services and WCF Zone. 1 expert collaborated on this answer, which was graded an "A" by the asker.
 
 
20081119-EE-VQP-47 - Hierarchy / EE_QW_2_20070628