WCF Security - does message security with username credentials require a client certificate?

Posted on 2008-11-18
Last Modified: 2012-05-05
Hi Experts,

I'm working on a test application to implement and examine the requirements of WCF Security before implementation into a development system. The scenario is as follows:

- Client Server Windows Forms Application
- ASP.NET Membership Provider - username and password authentication
- WCF Services deployed in IIS 6.0 exposed over the Internet
- VS2008, VB.NET, Windows 2003 Server, SQL Server 2005, Dev on XP

The following link is pretty much the scenario and the guiding force behind what I've been doing so far:


So I'm trying to decide on the security needs and I'm currently trying to get this working in a test app with Message Level security, Username Credentials (ASP.NET membership) and wsHttpBinding. One design goal is to avoid having to install certificates on the client machines, but I'm not sure if this is possible. I've installed a test service certificate on my development machine and it is working, but I'm not sure if the certificate is acting as both client & server certificate.

I'm a little unsure as to this statement:

"For validating the service certificate, the Root CA certificate is installed on the client machine in the Trusted Root Certification Authorities location."  

If we were to purchase a service certificate from Verisign (other reputable companies are available), would the client require anything installed on their machine, as such companies already appear in trusted CAs? Our fallback position is to go for standard SSL Transport Security, and I'm wondering if I should give up and start looking at it now?

Any help would be greatly appreciated.

Question by:tanneroni

Expert Comment

ID: 22990662
>>For validating the service certificate, the Root CA certificate is installed on the client machine in the
>> Trusted Root Certification Authorities location."

The Trusted Root Certificate Authority is located under Control Panel -> Internet Options -> Content -> Certificates.

>> if we were to purchase a service certificate from Verisign (other reputable companies are
>> available), would the client require anything installed on their machine

Yes, the cert will need to be installed on the client. But that's how certification works. It's based on a network of trust. If you don't have the trusted root certificate installed, the client won't be able to verify the authenticity of the 3rd party cert.

Even if you do use SSL, you'll need a trusted root cert to be installed.

Hope that helps

Expert Comment

ID: 22990678
This might help in your understanding:


Author Comment

ID: 22993056
Hi Kelvin, thanks for your reply.

I have this all working and configured on my development machine, but with self-generated certificates. The issue is more to do with live deployment of certificates. If we purchase a service certificate from an already Trusted CA to deploy on the server, the client machines would already trust any certs issued by them, in the same way as SSL, right? With SSL the client machine doesn't install a cert but it trusts certs from legitimate CAs. Is this the case with message level security or does it require that a separate cert must be installed on the client machine?


Assisted Solution

Kelvin_King earned 300 total points
ID: 22993593
>> Is this the case with message level security or does it require that a separate cert must be installed
>> on the client machine?

Based on the various WCF message security models, yes, you can use the cert which was used to establish the SSL connection. You do not require an additional cert.

Here's the security model (with a sample application):

However, there are also security models which do require a cert to be installed on the client.

You might want to have a look at the other models:

Hope that helps
- Kelvin


Accepted Solution

tanneroni earned 0 total points
ID: 23028130
Thanks for the feedback. I've resolved my question and concluded that after we purchase a certificate for our service (from an already "Trusted CA"), then no client certificates would be required, as the Windows OS will already have the "Trusted CA" included to vouch for the server certificate's authenticity. So in our scenario with Message Security & Username Credentials, we don't require any client-side certificate management (installation or revocation).
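The configuration this thread converges on, as an added example (not config posted by anyone in the thread): wsHttpBinding with message security and UserName credentials, passwords validated by the ASP.NET Membership provider, and the client relying on chain trust to the Windows root store rather than an installed certificate. The service and contract names, the certificate subject name and the provider name are placeholders, and the membership provider itself is assumed to be configured under system.web.

```xml
<!-- Service side (web.config excerpt). Added example, not from the thread:
     Demo.QuoteService, Demo.IQuoteService, svc.example.com and the provider name are placeholders. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="MessageUserName">
        <!-- Message-level security: caller proves identity with username/password, service with its X.509 cert. -->
        <security mode="Message">
          <message clientCredentialType="UserName" negotiateServiceCredential="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="Demo.QuoteService" behaviorConfiguration="MembershipCreds">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MessageUserName"
                contract="Demo.IQuoteService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MembershipCreds">
        <serviceCredentials>
          <!-- Service certificate from LocalMachine\My; the IIS worker identity needs read access to its private key. -->
          <serviceCertificate findValue="svc.example.com" storeLocation="LocalMachine"
                              storeName="My" x509FindType="FindBySubjectName" />
          <!-- Passwords are checked against the ASP.NET Membership provider named here. -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                  membershipProviderName="SqlMembershipProvider" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
<!-- Client side (app.config excerpt): how the client validates the service certificate. -->
<behaviors>
  <endpointBehaviors>
    <behavior name="ValidateServiceCert">
      <clientCredentials>
        <serviceCertificate>
          <!-- ChainTrust (the default) chains to a root in the Windows Trusted Root store, so a cert from a
               public CA needs nothing installed on the client. Test setups that use "None" to accept
               self-signed certs must not ship that way: it disables the check entirely. -->
          <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
```

The client endpoint references the behavior via behaviorConfiguration="ValidateServiceCert"; with negotiateServiceCredential="true" the service certificate is obtained during negotiation, so the client config carries no copy of it.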


Expert Comment

ID: 23035286
Glad that you got it solved.

Didn't any of the information I provided help you? I did mention that you wouldn't need a cert installed on the client.

- Kelvin

Author Comment

ID: 23040540
Hi Kelvin, I was looking for more concrete evidence on the certificate front and I had already scoured most of MSDN (amongst other sites) in the search, hence only awarding a portion of the points. I'm finding with WCF that it's hard to get hold of good examples of how to get specific tasks done, and only after proving it to myself in test apps am I satisfied. Thanks for your time.

Expert Comment

ID: 23041382
No problem.

Main thing is that you have found what you were looking for.

- Kelvin
