WCF isn’t the easiest beast to wrangle, and when looking to secure a WCF web service I usually do it in stages.
In this post and further posts in the next week, I’ll be securing a WCF web service with various endpoints with various different security requirements. To start with I’m just going to secure it with Windows authentication and SSL.
It always seems to take a little fiddling to get to the first stage, published in IIS using SSL and Windows Authentication whilst still functioning.
Once IIS has been configured
- Website created
- Single HTTPS binding
- SSL Settings (Require) (Ignore client certificates)
The next step is to get the webconfig to work over SSL and to use windows authentication.
<behavior name="basicSSLServiceBehaviour"> <serviceMetadata httpsGetEnabled="true" /> <serviceDebug includeExceptionDetailInFaults="true" /> <dataContractSerializer maxItemsInObjectGraph="2147483646" /> </behavior>
<binding name="SimpleWinAuth" maxBufferPoolSize="1000000" maxReceivedMessageSize="1000000"> <readerQuotas maxStringContentLength="6553600" maxArrayLength="6553600"/> <security mode="Transport"> <transport clientCredentialType="Windows"></transport> </security> </binding>
And the endpoint config will look something like this;
<service behaviorConfiguration="basicSSLServiceBehaviour" name="MyCompany.MyApp.Services.SomeNameOrAnother"> <endpoint binding="wsHttpBinding" contract="MyCompany.MyApp.Services.ISomeNameOrAnother" bindingConfiguration="SimpleWinAuth" /> </service>
So there you go, simple configuration to use enforce SSL and Windows Authentication in WCF.