WCF - Secured service
- This is a short description of how to make a secured WCF service with the SQL membership and role providers.
Server side
web.config:
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="Service.ServicesBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <!-- exception details in faults are for development only; set to false in production -->
        <serviceDebug includeExceptionDetailInFaults="true" />
        <!-- PrincipalPermission demands are evaluated against the ASP.NET SqlRoleProvider -->
        <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="SqlRoleProvider" />
        <serviceCredentials>
          <!-- UserName credentials are validated against the ASP.NET SqlMembershipProvider -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="SqlMembershipProvider" />
          <!-- findValue must be the subject name (CN) of the certificate installed in LocalMachine\My -->
          <serviceCertificate findValue="LocalCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
          <clientCertificate>
            <authentication certificateValidationMode="None" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service behaviorConfiguration="Service.ServicesBehavior" name="Services.Service">
      <!-- contract must name the service contract interface, not the implementing class -->
      <endpoint address="http://localhost/service.svc" binding="wsHttpBinding" bindingConfiguration="MembershipBinding" contract="Services.IService" />
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="MembershipBinding">
        <!-- message-level security: the username/password is encrypted with the service certificate -->
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>
service class:
using System.Security.Permissions;
using System.ServiceModel;

namespace Services
{
    [ServiceContract]
    public interface IService
    {
        [OperationContract]
        string Operation(string text);
    }

    public class Service : IService
    {
        // Demand is checked against the SqlRoleProvider configured in web.config (UseAspNetRoles)
        [PrincipalPermission(SecurityAction.Demand, Role = "User")]
        public string Operation(string text)
        {
            return text;
        }
        ...
    }
}
Security
- On the server side, the "Client Certificate Mapping Authentication" role service must be installed under the Web Server (IIS) server role.
Certificates
- generate a certificate (self-signed, subject name CN=MyServerCert; the subject name is what the service and client configurations refer to):
makecert.exe -sr LocalMachine -pe -ss My -a sha1 -n CN=MyServerCert -sky exchange MyServerCert.cer
Generating with makecert caused some issues for me; the following application worked better:
selfcert.zip
Install certificates
- On the server side: add the certificate to the "Local machine" store. The certificate must be trusted, so if it is self-signed, also add it to "Trusted Root Certification Authorities".
- On the client side: if you use a self-signed certificate, you have to add it manually to "Trusted People". Run > MMC > File > Add/Remove Snap-in > Computer Account > Certificates.
Client side
- client program
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace WCFconsumer
{
    class Program
    {
        static void Main(string[] args)
        {
            // ServiceClient is the proxy generated from the service metadata (Add Service Reference)
            ServiceClient client = new ServiceClient();
            client.ClientCredentials.UserName.UserName = "User";
            client.ClientCredentials.UserName.Password = "Passwd";
            client.Operation("test");
            client.Close();
        }
    }
}
- app.config
<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_Service">
          <security mode="Message">
            <transport clientCredentialType="Windows" />
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://server/Services/service.svc" binding="wsHttpBinding"
                bindingConfiguration="WSHttpBinding_Service" contract="IService" name="WSHttpBinding_IService">
        <identity>
          <!-- override service identity: the value must match the subject name (CN) of the service certificate -->
          <dns value="Cert" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
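The client program above calls Close() unconditionally, which itself throws once the channel is faulted, and it does not distinguish the failure modes this configuration produces. The following is an added example (not part of the original page) that wraps the same generated ServiceClient proxy and maps rejected credentials, a failed role demand and transport faults to separate outcomes; the CallOutcome enum and the SecureCall class are assumed names.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

namespace WCFconsumer
{
    // Hypothetical outcome type for this example.
    enum CallOutcome { Success, WrongCredentials, MissingRole, TransportFailure }

    static class SecureCall
    {
        // Invokes Operation with the given UserName credentials against the
        // wsHttpBinding/Message endpoint declared in app.config.
        public static CallOutcome CallOperation(string user, string password, string text, out string result)
        {
            result = null;
            ServiceClient client = new ServiceClient();
            client.ClientCredentials.UserName.UserName = user;
            client.ClientCredentials.UserName.Password = password;
            try
            {
                result = client.Operation(text);
                client.Close();   // graceful close only on the success path
                return CallOutcome.Success;
            }
            catch (SecurityAccessDeniedException)
            {
                // SqlMembershipProvider accepted the user, but the PrincipalPermission
                // demand for role "User" failed against the SqlRoleProvider.
                client.Abort();
                return CallOutcome.MissingRole;
            }
            catch (MessageSecurityException)
            {
                // Username/password rejected by the membership provider, or the service
                // certificate does not match the <dns value="..."/> identity in app.config.
                client.Abort();
                return CallOutcome.WrongCredentials;
            }
            catch (CommunicationException)
            {
                client.Abort();   // channel is faulted; Close() would throw here
                return CallOutcome.TransportFailure;
            }
            catch (TimeoutException)
            {
                client.Abort();
                return CallOutcome.TransportFailure;
            }
        }
    }
}
```

A MissingRole result with valid credentials is worth logging on the client side, since it means the account exists but is not in the role the service demands.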