WCF Security - does message security with username credentials require a client certificate?

Hi Experts,

I'm working on a test application to implement and examine the requirements of WCF Security before implementation into a development system. The scenario is as follows:

- Client Server Windows Forms Application
- aspnet Membership Provider - username and password authentication
- WCF Services deployed in IIS 6.0 exposed over the Internet
- VS2008, VB.NET, Windows 2003 Server, SQL Server 2005, Dev on XP

The following link is pretty much the scenario and the guiding force behind what I've been doing so far:

http://www.codeplex.com/WCFSecurityGuide/Wiki/View.aspx?title=Ch%2015%20-%20Internet%20%u2013%20Windows%20Forms%20Client%20to%20Remote%20WCF%20Using%20Message%20Security%20%28Original%20Caller%2c%20HTTP%29&referringTitle=Home

So I'm trying to decide on the security needs and I'm currently trying to get this working in a test app with Message Level security, Username Credentials (aspnet membership) and wsHttpBinding. One design goal is to avoid having to install certificates on the client machines, but I'm not sure if this is possible. I've installed a test service certificate on my development machine and it is working, but I'm not sure if the certificate is acting as both client & server certificate.

I'm a little unsure as to this statement:

"For validating the service certificate, the Root CA certificate is installed on the client machine in the Trusted Root Certification Authorities location."  

If we were to purchase a service certificate from Verisign (other reputable companies are available), would the client require anything installed on their machine, as such companies already appear in trusted CAs? Our fallback position is to go for standard SSL Transport Security, and I'm wondering if I should give up and start looking at it now?

Any help would be greatly appreciated.

tanneroni

tanneroni (Author) Commented:
Thanks for feedback, I've resolved my question and concluded that after we purchase a certificate for our service (from an already "Trusted CA"), then no client certificates would be required as the Windows OS will already have the "Trusted CA" included to vouch for the server certificate's authenticity. So in our scenario with Message Security & Username Credentials, we don't require any client side certificate management (installation or revocation).

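The configuration that the scenario above (wsHttpBinding, message security, username credentials from the aspnet Membership provider, service certificate on the server only) boils down to, as an added example that is not part of the original thread or the referenced guide. The service name, contract, host name, endpoint address, certificate subject and membership provider name are assumptions for illustration; the element and attribute names are the standard WCF 3.5 configuration schema. The point of the client half is the `certificateValidationMode="ChainTrust"` setting: the service certificate is obtained through negotiation at runtime and is accepted only if it chains to a root already in the client's Trusted Root Certification Authorities store, so a certificate from a public CA needs nothing installed on the client.

```xml
<!-- Service side: web.config of the WCF service hosted in IIS (names assumed) -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="MessageUserName">
        <security mode="Message">
          <!-- Caller authenticates with username/password; no client certificate is involved.
               negotiateServiceCredential="true" sends the service certificate to the client
               at runtime, so the client does not need it in a local store. -->
          <message clientCredentialType="UserName"
                   negotiateServiceCredential="true"
                   establishSecurityContext="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="TestApp.CustomerService" behaviorConfiguration="MessageUserNameBehavior">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MessageUserName"
                contract="TestApp.ICustomerService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MessageUserNameBehavior">
        <serviceCredentials>
          <!-- The purchased service certificate, with its private key, lives only on the server.
               findValue must be the exact subject DN of that certificate (assumed here). -->
          <serviceCertificate findValue="CN=services.example.com"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <!-- Validate the username/password against the aspnet Membership provider
               configured in <system.web>; the provider name is assumed. -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                  membershipProviderName="AspNetSqlMembershipProvider" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

<!-- Client side: app.config of the Windows Forms client (address and names assumed) -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="MessageUserName">
        <security mode="Message">
          <message clientCredentialType="UserName" negotiateServiceCredential="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://services.example.com/TestApp/CustomerService.svc"
              binding="wsHttpBinding" bindingConfiguration="MessageUserName"
              contract="TestApp.ICustomerService"
              behaviorConfiguration="ChainTrustClient">
      <identity>
        <!-- Must match the subject name of the service certificate, otherwise the
             client rejects the negotiated credential with an identity check failure. -->
        <dns value="services.example.com" />
      </identity>
    </endpoint>
  </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="ChainTrustClient">
        <clientCredentials>
          <serviceCertificate>
            <!-- ChainTrust: accept the negotiated service certificate only if it chains to a
                 CA in the client's Trusted Root store, with online revocation checking.
                 Nothing is installed on the client for a public-CA certificate. -->
            <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```

The client supplies the membership credentials on the proxy before the first call (`proxy.ClientCredentials.UserName.UserName` and `.Password` in VB.NET); the password travels inside the encrypted SOAP body, so plain HTTP is acceptable at the transport level. Two checks a practitioner will want: the IIS worker process identity (NETWORK SERVICE by default on IIS 6.0) needs read access to the service certificate's private key, or the service fails to start; and a self-signed development certificate only passes ChainTrust if its issuer has been put in the client's Trusted Root store, which is why test setups often end up with `certificateValidationMode="None"`. That setting disables service authentication entirely and must not ship. Note also that setting `negotiateServiceCredential="false"` changes the answer: the client then has to hold the service certificate locally (via `<defaultCertificate>`), which is the case where certificate management on the client machines comes back.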
 
Kelvin_King Commented:
>>For validating the service certificate, the Root CA certificate is installed on the client machine in the
>> Trusted Root Certification Authorities location."

The Trusted Root Certification Authorities store is located under Control Panel -> Internet Options -> Content -> Certificates.

>> if we were to purchase a service certificate from Verisign (other reputable companies are
>> available), would the client require anything installed on their machine

Yes, the cert will need to be installed on the client. But that's how certification works. It's based on a network of trust. If you don't have the trusted root certificate installed, the client won't be able to verify the authenticity of the 3rd party cert.

Even if you do use SSL, you'll need a trusted root cert to be installed.

Hope that helps
-Kelvin
 
Kelvin_King Commented:
This might help in your understanding:

http://msdn.microsoft.com/en-us/library/aa906279.aspx
tanneroni (Author) Commented:
Hi Kelvin, thanks for your reply.

I have this all working and configured on my development machine, but with self-generated certificates. The issue is more to do with live deployment of certificates. If we purchase a service certificate from an already Trusted CA to deploy on the server, the client machines would already trust any certs issued by them, in the same way as SSL, right? With SSL the client machine doesn't install a cert but it trusts certs from legitimate CAs. Is this the case with message level security, or does it require that a separate cert must be installed on the client machine?

TIA
 
Kelvin_King Commented:
>> Is this the case with message level security or does it require that a seperate cert must be installed
>> on the client machine?

Based on the various WCF message security models, yes you can use the cert which was used to establish the SSL connection. You do not require an additional cert.

Here's the security model (with a sample application):
http://msdn.microsoft.com/en-us/library/ms733938.aspx

However, there are also security models which do require a cert to be installed on the client.

You might want to have a look at the other models:
http://msdn.microsoft.com/en-us/library/ms730301.aspx

Hope that helps
- Kelvin

 
Kelvin_King Commented:
Glad that you got it solved.

Didn't any of the information I provided help you? I did mention that you wouldn't need a cert installed on the client.

- Kelvin
 
tanneroni (Author) Commented:
Hi Kelvin, I was looking for more concrete evidence on the certificate front and I had already scoured most of MSDN (amongst other sites) in the search, hence only awarding a portion of the points. I'm finding with WCF that it's hard to get hold of good examples of how to get specific tasks done, and only after proving it to myself in test apps am I satisfied. Thanks for your time.
 
Kelvin_King Commented:
No problem.

Main thing is that you have found what you were looking for.

- Kelvin