WCF Double Hop questions about Security and Binding.

Background information:

.Net Website which calls a service (aka external service) facade on an app server in the DMZ. This external service then calls the internal service which is on our internal app server. From there that internal service calls a stored procedure (Linq to SQL Classes), and passes the serialized data back through to the external service, and from there back to the website.

We've done this so any communication goes through an external layer (our external app server) and allows interoperability; we access our data just like our clients consuming our services.

We've gotten to the point in our development where we have completed the system and it all works, the double hop acts as it should. However now we are working on securing the entire process.

We are looking at using TransportWithMessageCredentials.
We want to have WS2007HttpBinding for the external for interoperability, but then netTCPBinding for the bridge through the firewall for security and speed.


1. If we choose WS2007HttpBinding as the external services binding, and netTCPBinding for the internal service is this possible?

2. I know WS-* supports this as does netTCP, however do they play nice when passing credential information like user/pass?

3. If we go to Kerberos, will this impact anything? We may want to do impersonation in the future.

If you can when you answer post any reference links about why you're answering the way you are, that would be very helpful to us. Thanks!
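The two-hop setup described in the question, written out as an added example (not code from the original thread or its participants) so the security settings of each hop can be compared side by side. It builds the external WS2007HttpBinding and the internal NetTcpBinding with the same mode (TransportWithMessageCredential) and credential type (UserName), wires a custom validator onto both hosts, and shows the facade calling the internal service as a client. Hostnames, the port, the certificate subject, the in-memory user table and the facade's own account are all placeholders or assumptions:

```csharp
// Added example, not code from the original thread. Builds the two bindings the
// question describes and the pieces each hop needs. Hostnames, ports, the
// certificate subject and the credential store are placeholders/assumptions.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract] public interface IExternalFacade { [OperationContract] string Ping(string s); }
[ServiceContract] public interface IInternalService { [OperationContract] string Ping(string s); }

// WCF calls this for every UserName token a host receives. The dictionary is a
// constructed stand-in for a real user store (directory, database, ...).
public class FacadeUserNameValidator : UserNamePasswordValidator
{
    private static readonly Dictionary<string, string> Users =
        new Dictionary<string, string> { { "webapp", "example-password" } };

    public override void Validate(string userName, string password)
    {
        string expected;
        if (string.IsNullOrEmpty(userName) || !Users.TryGetValue(userName, out expected)
            || expected != password)
            throw new SecurityTokenException("Unknown user or bad password");
    }
}

public static class DoubleHop
{
    // Hop 1: website -> facade in the DMZ. HTTPS protects the channel; the
    // user/pass travels as a WS-Security UserName token inside the message,
    // which is why it is acceptable for it not to be encrypted separately.
    public static WS2007HttpBinding ExternalBinding()
    {
        var b = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }

    // Hop 2: facade -> internal service through the firewall. Same security
    // mode and credential type, so the same kind of token is accepted on both hops.
    public static NetTcpBinding InternalBinding()
    {
        var b = new NetTcpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }

    public static ServiceHost OpenFacade(Type implementation)
    {
        var host = new ServiceHost(implementation, new Uri("https://dmz-app.example/facade"));
        host.AddServiceEndpoint(typeof(IExternalFacade), ExternalBinding(), "");
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new FacadeUserNameValidator();
        // The HTTPS certificate is bound to the port in IIS/http.sys, not here.
        host.Open();
        return host;
    }

    public static ServiceHost OpenInternal(Type implementation)
    {
        var host = new ServiceHost(implementation,
            new Uri("net.tcp://internal-app.example:9000/internal"));
        host.AddServiceEndpoint(typeof(IInternalService), InternalBinding(), "");
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new FacadeUserNameValidator(); // assumption: same store
        // Unlike HTTPS in IIS, TLS over net.tcp needs the service certificate
        // set on the host itself (subject name is an assumption).
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindBySubjectName, "internal-app.example");
        host.Open();
        return host;
    }

    // The facade as a client of the internal service. It authenticates with an
    // account of its own (read from config in practice), not by replaying the
    // web user's password, which the validator never hands back anyway.
    public static IInternalService InternalClient(string facadeUser, string facadePassword)
    {
        var factory = new ChannelFactory<IInternalService>(InternalBinding(),
            new EndpointAddress("net.tcp://internal-app.example:9000/internal"));
        factory.Credentials.UserName.UserName = facadeUser;
        factory.Credentials.UserName.Password = facadePassword;
        return factory.CreateChannel();
    }
}
```

The check worth doing once the hosts are up: the client-side certificate validation on the net.tcp hop defaults to chain trust, so the internal host's certificate must chain to a root the DMZ box trusts and its subject must match the host name in the endpoint address; a mismatch surfaces as a security negotiation fault, not a binding error.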
Ted Bouskill, Senior Software Developer, commented:
You cannot relay (double hop) NTLM credentials.  It is not supported.  Your only choice is Kerberos if you choose to not use impersonation.

This guy has a good explanation; however, search the web for articles on "NTLM double hop" or "NTLM double-hop" if you'd like more.

PS: I'm an experienced Enterprise Architect. As a tip, you should always include security right from the beginning with your first prototype. I've seen a lot of work thrown away because once security was applied the application's foundation had to be reworked. Choosing your security is as important as choosing the core technology. In order to fail cheaply you need to implement security right away.
concentrium (Author) commented:
We aren't worried about using NTLM, Kerberos would be fine.

For now let's say we just want to do a user/pass.
Since we'll be using transport security (Https / SSL), sending user/pass in clear text shouldn't be an issue.

Is there a problem with using different bindings between the external service, and internal ?  (as long as they both support the same security and credentials).
Ted Bouskill, Senior Software Developer, commented:
Supporting different bindings isn't a problem if the code is well thought out.

I agree that if you are using SSL it is safe passing unencrypted credentials.

Kerberos is an excellent solution if you are comfortable using it.
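The Kerberos variant raised in question 3 and in the answers above, as an added example (not code from the thread or its participants): the internal hop switched from user/pass to Windows credentials, with the two settings that decide whether the internal service only learns who called or may run an operation as the caller. Note that the Windows identity presented on this hop is that of the process the facade runs as (its service account) unless the facade is itself impersonating a Kerberos-authenticated caller; a user/pass first hop does not produce a Windows token to forward. Hostnames, the SPN and the contract are placeholders:

```csharp
// Added example, not code from the original thread: the internal hop using
// Windows (Kerberos) credentials and the impersonation settings that go with it.
// Hostnames, the SPN and the service contract are placeholders.
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IInternalService
{
    [OperationContract]
    string WhoAmI();
}

public class InternalService : IInternalService
{
    // Without Impersonation = Required the operation runs as the service
    // account and ServiceSecurityContext.Current only tells you who the caller is.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        return WindowsIdentity.GetCurrent().Name;
    }
}

public static class KerberosHop
{
    const string Address = "net.tcp://internal-app.example:9000/internal";
    // The SPN must be registered on the account the internal service runs as;
    // otherwise negotiation falls back to NTLM, which cannot be relayed further.
    const string Spn = "host/internal-app.example";

    // Transport security with Windows credentials: Kerberos provides the key
    // exchange and encryption, so no service certificate is needed on this hop.
    public static NetTcpBinding Binding()
    {
        var b = new NetTcpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return b;
    }

    public static ServiceHost OpenInternal()
    {
        var host = new ServiceHost(typeof(InternalService), new Uri(Address));
        var ep = host.AddServiceEndpoint(typeof(IInternalService), Binding(), "");
        // Publish the SPN so clients ask the KDC for a ticket to this service.
        ep.Address = new EndpointAddress(new Uri(Address), EndpointIdentity.CreateSpnIdentity(Spn));
        host.Open();
        return host;
    }

    // Called from the facade. What the internal service may do with the
    // caller's identity is capped by AllowedImpersonationLevel:
    //   Identification (default): read the identity, no impersonation
    //   Impersonation: run the operation as the caller on the internal box
    //   Delegation: use the caller's identity for yet another hop, which also
    //               needs the facade's account to be trusted for delegation in AD
    public static IInternalService ClientFromFacade()
    {
        var addr = new EndpointAddress(new Uri(Address), EndpointIdentity.CreateSpnIdentity(Spn));
        var factory = new ChannelFactory<IInternalService>(Binding(), addr);
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        return factory.CreateChannel();
    }
}
```

With the default Identification level the call to WhoAmI() faults, because Impersonation = Required cannot be satisfied; raising the level on the client is a deliberate grant by the facade, so keep it at the lowest level the internal service actually needs.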
