WCF Security - does message security with username credentials require a client certificate?

Hi Experts,

I'm working on a test application to implement and examine the requirements of WCF Security before implementation into a development system. The scenario is as follows:

- Client Server Windows Forms Application
- aspnet Membership Provider - username and password authentication
- WCF Services deployed in IIS 6.0 exposed over the Internet
- VS2008, VB.NET, Windows 2003 Server, SQL Server 2005, Dev on XP

The following link is pretty much the scenario and the guiding force behind what I've been doing so far:


So I'm trying to decide on the security needs and I'm currently trying to get this working in a test app with Message Level security, Username Credentials (aspnet membership) and wsHttpBinding. One design goal is to avoid having to install certificates on the client machines, but I'm not sure if this is possible. I've installed a test service certificate on my development machine and it is working, but I'm not sure if the certificate is acting as both client & server certificate.

I'm a little unsure as to this statement:

"For validating the service certificate, the Root CA certificate is installed on the client machine in the Trusted Root Certification Authorities location."  

If we were to purchase a service certificate from Verisign (other reputable companies are available), would the client require anything installed on their machine, as such companies already appear in trusted CAs? Our fallback position is to go for standard SSL Transport Security, and I'm wondering if I should give up and start looking at it now?

Any help would be greatly appreciated.


>>For validating the service certificate, the Root CA certificate is installed on the client machine in the
>> Trusted Root Certification Authorities location."

The Trusted Root Certification Authorities store is located under Control Panel -> Internet Options -> Content -> Certificates.

>> if we were to purchase a service certificate from Verisign (other reputable companies are
>> available), would the client require anything installed on their machine

Yes, the cert will need to be installed on the client. But that's how certification works. It's based on a network of trust. If you don't have the trusted root certificate installed, the client won't be able to verify the authenticity of the 3rd party cert.

Even if you do use SSL, you'll need a trusted root cert to be installed.

Hope that helps
This might help in your understanding:

tanneroniAuthor Commented:
Hi Kelvin, thanks for your reply.

I have this all working and configured on my development machine, but with self-generated certificates. The issue is more to do with live deployment of certificates. If we purchase a service certificate from an already Trusted CA to deploy on the server, the client machines would already trust any certs issued by them, in the same way as SSL, right? With SSL the client machine doesn't install a cert but it trusts certs from legitimate CAs. Is this the case with message level security or does it require that a separate cert must be installed on the client machine?


>> Is this the case with message level security or does it require that a separate cert must be installed
>> on the client machine?

Based on the various WCF message security models, yes you can use the cert which was used to establish the SSL connection. You do not require an additional cert.

Here's the security model (with a sample application):

However, there are also security models which do require a cert to be installed on the client.

You might want to have a look at the other models:

Hope that helps
- Kelvin

tanneroniAuthor Commented:
Thanks for the feedback. I've resolved my question and concluded that after we purchase a certificate for our service (from an already "Trusted CA"), no client certificates would be required, as the Windows OS will already have the "Trusted CA" included to vouch for the server certificate's authenticity. So in our scenario with Message Security & Username Credentials, we don't require any client-side certificate management (installation or revocation).
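A worked configuration for the setup this thread settles on: wsHttpBinding, message security, username/password checked by the ASP.NET membership provider, and a CA-issued service certificate that clients validate through the Windows trust chain. This is an added illustration, not from the original thread or the linked article; the service and contract names (Contoso.OrdersService, Contoso.IOrdersService), the hostname and certificate subject (orders.contoso.com) and the provider name (AspNetSqlMembershipProvider, the machine.config default) are assumptions. Note that a client certificate is only ever needed with clientCredentialType="Certificate"; with "UserName" the only certificate in play is the service's.

```xml
<!-- web.config on the IIS service (names above are assumed for the example) -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="MessageUserName">
        <!-- Message-level security; caller authenticates with username/password.
             No client certificate is involved with this credential type. -->
        <security mode="Message">
          <message clientCredentialType="UserName"
                   negotiateServiceCredential="true"
                   establishSecurityContext="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="Contoso.OrdersService" behaviorConfiguration="MessageUserNameBehavior">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MessageUserName"
                contract="Contoso.IOrdersService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MessageUserNameBehavior">
        <serviceCredentials>
          <!-- The CA-issued certificate (with its private key) is installed only on the
               server, in LocalMachine\My. The app pool identity needs read access to the key. -->
          <serviceCertificate findValue="CN=orders.contoso.com"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <!-- Passwords are validated against the ASP.NET membership provider. -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                  membershipProviderName="AspNetSqlMembershipProvider" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

<!-- app.config on the Windows Forms client: no certificate is installed here -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="MessageUserName">
        <security mode="Message">
          <message clientCredentialType="UserName" negotiateServiceCredential="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://orders.contoso.com/OrdersService.svc"
              binding="wsHttpBinding" bindingConfiguration="MessageUserName"
              contract="Contoso.IOrdersService"
              behaviorConfiguration="ValidateServiceCert">
      <!-- Expected service identity; must match the subject of the service certificate. -->
      <identity>
        <dns value="orders.contoso.com" />
      </identity>
    </endpoint>
  </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="ValidateServiceCert">
        <clientCredentials>
          <serviceCertificate>
            <!-- ChainTrust (the default) validates the service certificate against a root
                 already in the Windows Trusted Root store, so a commercial CA certificate
                 needs nothing installed on the client. PeerTrust would require the certificate
                 in the client's TrustedPeople store; None disables validation and belongs
                 only on a dev box with a self-signed cert. -->
            <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```

Two checks worth making before going live. First, keep negotiateServiceCredential="true" (the wsHttpBinding default): the client then obtains the service's public certificate during the initial handshake and only has to chain-validate it. With it set to false the client must already hold the service certificate (via a defaultCertificate element), which brings back exactly the client-side certificate management the question wants to avoid. Second, the dns identity on the client endpoint must match the certificate's subject name, and the self-signed certificate that works in the test environment only passes ChainTrust there because the dev machine was taught to trust it; the production certificate should chain to a public root without any such step.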

Glad that you got it solved.

Didn't any of the information I provided help you? I did mention that you wouldn't need a cert installed on the client.

- Kelvin
tanneroniAuthor Commented:
Hi Kelvin, I was looking for more concrete evidence on the certificate front and I had already scoured most of MSDN (amongst other sites) in the search, hence only awarding a portion of the points. I'm finding with WCF that it's hard to get hold of good examples of how to get specific tasks done, and only after proving it to myself in test apps am I satisfied. Thanks for your time.
No problem.

Main thing is that you have found what you were looking for.

- Kelvin