====== WCF - Secured service ======
  * [[http://msdn.microsoft.com/en-us/library/bb386582.aspx|WCF Authentification overview on MSDN]]
  * This is short description how make secured wcf service with sql membership and role provider.

===== Server side =====

** web.config:**
<code xml>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="Service.ServicesBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="SqlRoleProvider"  />
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="SqlMembershipProvider" />
            <serviceCertificate findValue="LocalCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
            <clientCertificate>
              <authentication certificateValidationMode="None"/>
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service behaviorConfiguration="Service.ServicesBehavior" name="Services.Service">
        <endpoint address="http://localhost/service.svc" binding="wsHttpBinding" bindingConfiguration="MembershipBinding" contract="Services.Service" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="MembershipBinding">
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>
</code>


**service class:**
<code csharp>

  public class Service: IService
    {
        [PrincipalPermission(SecurityAction.Demand, Role = "User")]
        public string Operation(string text)
        {
            return text;
        }
...
    }

</code>

==== Security ====
  * On server side must be installed "Client Certificate Mapping Authentication" in services in IIS server role.

{{:programming:csharp:wcf:selectserverrole_security_certificate.png|}}

===== Certificates =====

  * generate certificate
<code dos>
makecert.exe -sr LocalMachine –pe -ss My -a sha1 -n CN=MyServerCert -sky exchange MyServerCert.cer
</code>

[[http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.80%29.aspx|Makecert.exe]]

<note important>Generating with makecert invoke some issues, for me is beter following application 
{{:programming:csharp:wcf:selfcert.zip|}}
</note>

{{:programming:csharp:wcf:selfcert.png|}}

==== Install certifikates ====

  * **On server side.** Add certificate for "Local machine", certicate must be trusted, so if is self signed, add to "Trusted root certification authorities".
  * **On client side.** If you use self signed certificate, you have to manualy add certificate  to Trusted people. RUN > MMC > File > Add/Remove snap-in > Computer Account > Cerficate.

===== Client side =====
  * client program
<code csharp>
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace WCFconsumer
{
    class Program
    {
        static void Main(string[] args)
        {
            ServiceClient client = new ServiceClient();

            client.ClientCredentials.UserName.UserName = "User";
            client.ClientCredentials.UserName.Password = "Passwd";

            client.Operation("test");

            client.Close();

        }
    }
}
</code>


  * app.config
<code xml>
<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_Service">
          <security mode="Message">
            <transport clientCredentialType="Windows" />
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://server/Services/service.svc"
          binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_Service"
          contract="IService" name="WSHttpBinding_IService">
        <identity>  <!-- ovveride service identity -->
          <dns value="Cert" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
</code>

===== Membership and role provider =====
  * [[http://msdn.microsoft.com/en-us/library/ms731049.aspx|Membership provider on MSDN]]
  * [[http://msdn.microsoft.com/en-us/library/aa702542.aspx|Role provider on MSDN]]


===== Resources =====
  * [[http://codebetter.com/petervanooijen/2010/03/22/a-simple-wcf-service-with-username-password-authentication-the-things-they-don-t-tell-you/]]
  * [[http://www.devatwork.nl/2007/05/wcf-username-authentication/]]
  * [[http://social.msdn.microsoft.com/Forums/en/windowscardspace/thread/057b472b-bb49-4a7a-873c-cb41adbb8298]]
  * [[http://www.netframeworkdev.com/windows-communication-foundation/certificate-for-username-authentication-in-wcf-58465.shtml]]