WCF transport security with no authentication

Solution 1

You can have HTTPS communication without authentication, but you cannot have HTTPS communication without certificates, since HTTPS encryption uses certificates.

There are a few things to check:

  1. Can you access the WSDL or another resource on the site over HTTPS in a browser?
  2. Do you get any warnings about the certificate when doing so?

If you can't access the WSDL or another resource on the site over HTTPS, then HTTPS isn't configured on the server.

If you get warnings about the certificate, then you don't have a certificate that the client will trust. There are three options here; one is to get a valid certificate from somewhere like Verisign that will be trusted, the other is to install the certificate in a trusted part of the user's store (which you can't do as you mentioned), and the final is to turn off the certificate revocation in the client's WCF configuration.

Solution 2

What you have set up looks correct for what you want.

I think that the problem relates to the difference between the certificate needed to ensure transport level security (HTTPS) and any certificate needed for authentication.

To perform transport level security you need to configure a certificate for the IIS server to use for its encryption. This is in no way used to identify parties in the WCF communication, just to secure the communication. (The certificate used for this HTTPS transport is also used to identify the server, but that isn't related to WCF identity.)

Here is a link to a blog post explaining how to set up a certificate in IIS for this purpose. Not necessarily the best Google has to offer, just the first I found that covered all the important points. MSDN should cover this in detail too.
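The client side of the setup discussed above, as an added example that is not code from either answer: it builds the Transport/None binding from the question and logs why server-certificate validation fails without weakening the default reject decision. It assumes .NET Framework with a reference to System.ServiceModel; `Explain`, `EnableDiagnostics` and the class name are hypothetical helpers.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.ServiceModel;

static class TransportOnlyClient
{
    // HTTPS protects the channel; the client sends no credential of its own.
    public static WSHttpBinding BuildBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        return binding;
    }

    // Translate the TLS validation flags into the causes the answers list.
    public static string Explain(SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return "server certificate accepted";
        var reasons = new List<string>();
        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            reasons.Add("server presented no certificate");
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            reasons.Add("certificate name does not match the URL host");
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            reasons.Add("chain is untrusted, expired or failed a revocation check");
        return string.Join("; ", reasons);
    }

    // Process-wide hook: logs the reason, then keeps the default outcome
    // (accept only when there are no errors).
    public static void EnableDiagnostics()
    {
        ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
        {
            Console.Error.WriteLine("TLS check for {0}: {1}",
                cert != null ? cert.Subject : "(no certificate)", Explain(errors));
            if (chain != null)
                foreach (var status in chain.ChainStatus)
                    Console.Error.WriteLine("  chain status: {0}", status.Status);
            return errors == SslPolicyErrors.None;
        };
    }

    static void Main()
    {
        EnableDiagnostics();
        var binding = BuildBinding();
        Console.WriteLine("{0} / {1}", binding.Security.Mode,
            binding.Security.Transport.ClientCredentialType);
        // Constructed sample flags, so the mapping can be seen without a live service.
        Console.WriteLine(Explain(SslPolicyErrors.RemoteCertificateNameMismatch
            | SslPolicyErrors.RemoteCertificateChainErrors));
    }
}
```

Pass the binding to the svcutil-generated proxy's constructor together with an `EndpointAddress` for the HTTPS URL. If the TLS handshake never starts, the callback does not run and only the original exception is seen.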

Author by

Meidan Alon

Updated on June 13, 2022

Comments

  • Meidan Alon almost 2 years

    Is it possible to have transport security without authentication? I'm well aware of its flaws but atm I can't install a certificate at the client side. It seems I can set WSHttpBinding.SecurityMode to Transport and the ClientCredentialType to HttpClientCredentialType.None, but when I try to call the service I get this exception:

    An error occurred while making the HTTP request to https://[MyService]. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.

    I don't think it's a mismatch of the security binding between the client and the server because I'm using a proxy generated by svcutil.

    Why's it looking for a server certificate if I've set the ClientCredentialType to None?

  • Meidan Alon over 15 years
    How do I turn off the certificate revocation in the client's WCF configuration?
  • jezell over 15 years
    Set the revocation mode to None.
  • Jeremy Wiebe almost 12 years
    The server certificate is used to identify the server to the client. If the common name on the certificate does not match the URL that the client is connecting to, the default action is to abort the connection.
  • David Hall almost 12 years
    @JeremyWiebe Cheers - I meant parties in the context of the WCF communication. I'll clear that up.