
WCF Security – Different Scenarios

Intranet Scenarios

1. Web to remote WCF with transport security (Original Caller, TCP)

  • Use domain credentials to authenticate clients against an Active Directory user store.
  • Impersonate the original caller when calling methods on the WCF service from the ASP.NET application.
  • Use a service account to call the SQL Server from WCF (without impersonation).
  • Use SSL to protect sensitive data between the Web client and IIS.
  • Use Transport Security to protect sensitive data between the ASP.NET application and the WCF service.
  • Use netTcpBinding to support the TCP transport for improved performance.
  • Host WCF in a Windows Service if using IIS 6 (IIS 6 does not support the TCP transport; IIS 7 does).
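The first intranet scenario, worked through in code. This is an added example, not code from the original post or from the patterns & practices guide; the contract, the group name CONTOSO\OrderReaders, the host names and ports, and the connection string are all assumptions. The ASP.NET tier impersonates the original caller only for the duration of the WCF call, and asks for an identification-level token so the service can authorize and audit the user but cannot act as the user anywhere else. The service itself never impersonates: the SQL connection is opened by the Windows Service's own account. Calling a remote machine as the original caller additionally requires Kerberos delegation to be configured for the web server's account; that directory setup is outside this example.

```csharp
using System;
using System.Data.SqlClient;
using System.Net.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceProcess;

// Contract shared by the ASP.NET tier and the service (assumed for the example).
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrderOwner(int orderId);
}

// The service does not impersonate the caller for anything it does itself;
// the caller's identity is used only for the role check and for auditing.
[ServiceBehavior(ImpersonateCallerForAllOperations = false)]
public class OrderService : IOrderService
{
    // Windows group checked against the caller's token (assumed group name).
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\OrderReaders")]
    public string GetOrderOwner(int orderId)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        Console.WriteLine("GetOrderOwner({0}) requested by {1}", orderId, caller.Name);

        // Integrated Security here means the process identity of the Windows Service,
        // i.e. the dedicated service account, never the original caller.
        using (var conn = new SqlConnection("Data Source=sqlhost;Initial Catalog=Orders;Integrated Security=SSPI"))
        using (var cmd = new SqlCommand("SELECT Owner FROM Orders WHERE Id = @id", conn))
        {
            cmd.Parameters.AddWithValue("@id", orderId);
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }
}

// netTcpBinding with transport security: Windows credentials, signed and encrypted.
public static class OrderServiceHosting
{
    public static ServiceHost Open()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;

        var host = new ServiceHost(typeof(OrderService), new Uri("net.tcp://localhost:8731/OrderService"));
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");
        host.Open();
        return host;
    }
}

// Windows Service wrapper, needed because IIS 6 cannot host the TCP transport.
public class OrderWindowsService : ServiceBase
{
    private ServiceHost host;
    protected override void OnStart(string[] args) { host = OrderServiceHosting.Open(); }
    protected override void OnStop() { if (host != null) { host.Close(); host = null; } }
}

// ASP.NET tier: call the service as the original caller.
// originalCaller is (WindowsIdentity)HttpContext.Current.User.Identity under Windows authentication.
public static class OrderWebTier
{
    public static string GetOwnerAsCaller(WindowsIdentity originalCaller, int orderId)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        var factory = new ChannelFactory<IOrderService>(binding,
            new EndpointAddress("net.tcp://appserver:8731/OrderService"));
        // Identification level: the service can check who the user is and which groups
        // they belong to, but cannot use the token to access other resources as the user.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Identification;

        using (WindowsImpersonationContext ctx = originalCaller.Impersonate())
        {
            IOrderService proxy = factory.CreateChannel();
            try { return proxy.GetOrderOwner(orderId); }
            finally { ((IClientChannel)proxy).Close(); }
        }
    }
}
```

The impersonation block is scoped with `using` so the worker thread reverts to the application pool identity even if the call throws; leaving a thread impersonating after the request is a common way for a later request to run with the wrong identity.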

2. Web to remote WCF with transport security (Trusted sub system, HTTP)

  • Use domain credentials to authenticate clients against an Active Directory user store.
  • Use a service account to call WCF from the ASP.NET application. The WCF Service uses Windows Authentication.
  • Use a service account to call the SQL Server from WCF. The SQL Server uses Windows Authentication.
  • Use SSL to protect sensitive data between the Web client and IIS.
  • Use Transport security to protect sensitive data between the ASP.NET application and the WCF Service.
  • Optionally, use IPSec to protect sensitive data between the WCF Service and SQL Server.
  • Use wsHttpBinding to provide support for interoperability and allow the service to be hosted in IIS.
  • Host WCF in IIS.
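The trusted subsystem variant over HTTP, as an added example (not code from the post or the guide). In this model the service never sees the browser user; every call arrives under the web tier's service account, so the one check that matters on the service side is that the caller really is that account. The account name CONTOSO\svc-webapp, the contract and the addresses are assumptions; the `ServiceHostFactory` is wired in through the `Factory` attribute of the .svc file when hosting in IIS, and IIS must have an HTTPS binding because the endpoint uses transport security.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Activation;

[ServiceContract]
public interface IInventoryService
{
    [OperationContract]
    int GetStock(string sku);
}

public class InventoryService : IInventoryService
{
    public int GetStock(string sku)
    {
        // This is always the web tier's service account, never the end user.
        // If the end user matters (auditing), the web tier must pass it as message data.
        string caller = ServiceSecurityContext.Current.WindowsIdentity.Name;
        Console.WriteLine("GetStock({0}) called by trusted subsystem {1}", sku, caller);
        return 0; // data access under the service's own account goes here
    }
}

// Only the web tier's service account is allowed through (trusted subsystem).
public class TrustedSubsystemAuthorizationManager : ServiceAuthorizationManager
{
    // Assumed account name. Comparing SIDs is more robust against renames but needs a
    // directory lookup; a name comparison keeps the example self-contained.
    private static readonly string[] AllowedCallers = { @"CONTOSO\svc-webapp" };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        WindowsIdentity caller = operationContext.ServiceSecurityContext.WindowsIdentity;
        if (caller == null || caller.IsAnonymous || !caller.IsAuthenticated)
            return false;
        return AllowedCallers.Any(a => string.Equals(a, caller.Name, StringComparison.OrdinalIgnoreCase));
    }
}

// IIS hosting: wsHttpBinding, transport security (HTTPS), Windows client credentials.
public class InventoryHostFactory : ServiceHostFactory
{
    protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
    {
        var host = new ServiceHost(serviceType, baseAddresses);
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IInventoryService), binding, "");
        host.Authorization.ServiceAuthorizationManager = new TrustedSubsystemAuthorizationManager();
        return host;
    }
}

// ASP.NET tier: no impersonation, so the call carries the application pool identity,
// which is the service account the authorization manager expects.
public static class InventoryWebTier
{
    public static int GetStock(string sku)
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        var factory = new ChannelFactory<IInventoryService>(binding,
            new EndpointAddress("https://appserver.contoso.com/Inventory/Service.svc"));
        IInventoryService proxy = factory.CreateChannel();
        try { return proxy.GetStock(sku); }
        finally { ((IClientChannel)proxy).Close(); }
    }
}
```

A `ServiceAuthorizationManager` runs before the operation is dispatched, so a call from any other Windows account fails with an access-denied fault without executing service code; the role check is the service's own, independent of whatever the web tier decided.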


3. Web to remote WCF with transport security (Trusted sub system, TCP)

  • Use domain credentials to authenticate clients against an Active Directory user store.
  • Use a service account to call WCF from the ASP.NET application. The WCF Service uses Windows Authentication.
  • Use a service account to call the SQL Server from WCF. The SQL Server uses Windows Authentication.
  • Use SSL to protect sensitive data between the Web client and IIS.
  • Use Transport security to protect sensitive data between the ASP.NET application and the WCF Service.
  • Optionally, use IPSec to protect sensitive data between the WCF Service and SQL Server.
  • Use netTcpBinding to support the TCP transport for improved performance.
  • Host WCF in a Windows Service if using IIS 6 (does not support the TCP transport).

4. Windows Forms to remote WCF with transport security (Original Caller, TCP)

  • Use domain credentials to authenticate clients against an Active Directory user store.
  • Use a service account to call the SQL Server from WCF.
  • Use transport security to protect sensitive data between the Windows Forms client and the WCF Service.
  • Use netTcpBinding to support the TCP transport for improved performance.
  • Host WCF in a Windows Service if using IIS 6 (does not support the TCP transport).


Internet Scenarios

1. WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)

  • Authenticate clients by using the SQL Server membership provider.
  • Authenticate clients by using the SQL Server membership provider with IIS via a custom HTTP module.
  • Use WCF to authorize users with roles in SQL Server by using the ASP.NET role provider.
  • Use a service account to call the SQL Server from WCF.
  • Use transport security to protect user credentials and sensitive data passed between the clients and the WCF service.
  • Use basicHttpBinding with transport security to ensure that the service is compatible with legacy ASMX clients.
  • Authenticate clients using a custom HTTP module in order to transmit user credentials over the transport, to ensure that the service is compatible with legacy ASMX clients.
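The custom HTTP module described in this scenario, as an added example that is not part of the post or of the guide. The module reads HTTP Basic credentials from the `Authorization` header, validates them with the configured SQL Server membership provider, and attaches a `RolePrincipal` so the role provider answers `IsInRole`. Because the credentials are only Base64-encoded, the module refuses anything that did not arrive over TLS. The service runs in ASP.NET compatibility mode (`aspNetCompatibilityEnabled="true"` in the web.config, assumed) so it can read the principal the module set; the contract, role name and SKU lookup are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Text;
using System.Web;
using System.Web.Security;

// Authenticates Basic credentials against the ASP.NET membership provider.
public class MembershipBasicAuthModule : IHttpModule
{
    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticateRequest; }
    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // Basic credentials are reversible; never accept them on a plain HTTP connection.
        if (!request.IsSecureConnection) { Reject(app, 403); return; }

        string header = request.Headers["Authorization"];
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) { Reject(app, 401); return; }

        string user, password;
        if (!TryParseBasic(header.Substring(6), out user, out password)) { Reject(app, 401); return; }

        // Membership.ValidateUser goes to the SQL Server membership provider from web.config.
        if (!Membership.ValidateUser(user, password)) { Reject(app, 401); return; }

        // RolePrincipal resolves IsInRole through the configured role provider.
        app.Context.User = new RolePrincipal(new GenericIdentity(user, "Basic"));
    }

    // Decodes "base64(user:password)"; returns false on malformed input instead of throwing.
    internal static bool TryParseBasic(string encoded, out string user, out string password)
    {
        user = password = null;
        byte[] raw;
        try { raw = Convert.FromBase64String(encoded.Trim()); }
        catch (FormatException) { return false; }

        string pair = Encoding.UTF8.GetString(raw);
        int colon = pair.IndexOf(':');
        if (colon <= 0) return false;            // user name must be present
        user = pair.Substring(0, colon);
        password = pair.Substring(colon + 1);    // password may itself contain ':'
        return true;
    }

    private static void Reject(HttpApplication app, int status)
    {
        app.Context.Response.StatusCode = status;
        if (status == 401)
            app.Context.Response.AddHeader("WWW-Authenticate", "Basic realm=\"catalog\"");
        app.CompleteRequest();                   // short-circuit: the service never runs
    }
}

[ServiceContract]
public interface ICatalogService
{
    [OperationContract]
    string GetItem(string sku);
}

// ASP.NET compatibility mode makes HttpContext.Current (and the module's principal) visible here.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class CatalogService : ICatalogService
{
    public string GetItem(string sku)
    {
        IPrincipal user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole("CatalogReaders"))
            throw new FaultException("Access denied."); // generic fault, no detail for the caller
        // Data access runs under the application pool's service account.
        return "item-for-" + sku;
    }
}

// basicHttpBinding over HTTPS; credential type None because the module does the authentication.
public class CatalogHostFactory : ServiceHostFactory
{
    protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
    {
        var host = new ServiceHost(serviceType, baseAddresses);
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        host.AddServiceEndpoint(typeof(ICatalogService), binding, "");
        return host;
    }
}
```

Because the binding's credential type is `None`, WCF's own `ServiceSecurityContext` is anonymous for every call; the only identity the service can trust is the one the module placed on `HttpContext.Current.User`, which is why the module must run on every request and short-circuit failures with `CompleteRequest`.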

2. Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)

  • Use username and password to authenticate users against the SQL Server Membership Provider.
  • Use a service account to call WCF from the ASP.NET application.
  • Use a service account to call the SQL Server from WCF.
  • Use SSL to protect sensitive data between the Web client and IIS.
  • Use Transport Security to protect sensitive data between the ASP.NET application and the WCF service.
  • Use netTcpBinding to support the TCP transport for improved performance.
  • Host WCF in a Windows Service if using IIS 6 (does not support the TCP transport).

3. Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

  • Use username and password to authenticate users against the SQL Server Membership Provider.
  • Use a service account to call the SQL Server from WCF.
  • Use message security to protect sensitive data between the ASP.NET application and the WCF service.
  • Use wsHttpBinding to allow IIS to host the service.
  • Host WCF in IIS.
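The message-security scenario, as an added example (not code from the post or the guide). With `wsHttpBinding` in message mode the client's user name and password are encrypted inside the SOAP message against the service's certificate, so they are protected even when the HTTP hop itself is not TLS; the service validates them with the SQL Server membership provider and maps roles through the ASP.NET role provider, while the SQL call itself runs as the service account. The contract, the certificate subject name, the role name and the addresses are assumptions, as is the .svc `Factory` attribute that wires the host factory into IIS.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Web.Security;

[ServiceContract]
public interface IAccountService
{
    [OperationContract]
    decimal GetBalance(string accountId);
}

public class AccountService : IAccountService
{
    // Role name resolved through the ASP.NET role provider (assumed role).
    [PrincipalPermission(SecurityAction.Demand, Role = "AccountHolders")]
    public decimal GetBalance(string accountId)
    {
        // The membership user name authenticated from the message; use it for authorization
        // and auditing. The database connection is opened by the service account, not this user.
        string user = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        Console.WriteLine("GetBalance({0}) by {1}", accountId, user);
        return 0m;
    }
}

public static class AccountBindings
{
    // Shared by host and client so both sides agree on the security mode.
    public static WSHttpBinding Create()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return binding;
    }
}

// IIS-hosted service: certificate for message protection, membership provider for
// password validation, role provider for PrincipalPermission checks.
public class AccountHostFactory : ServiceHostFactory
{
    protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
    {
        var host = new ServiceHost(serviceType, baseAddresses);
        host.AddServiceEndpoint(typeof(IAccountService), AccountBindings.Create(), "");

        // Service certificate (assumed subject name) from the machine store.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "appserver.contoso.com");

        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.MembershipProvider;
        auth.MembershipProvider = Membership.Provider;           // SQL Server membership provider from config

        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
        host.Authorization.RoleProvider = Roles.Provider;        // SQL Server role provider from config
        return host;
    }
}

// Windows Forms client: sends the user's credentials inside the protected message and
// insists that the service certificate chains to a trusted root and matches the DNS identity.
public static class AccountClient
{
    public static decimal GetBalance(string userName, string password, string accountId)
    {
        var address = new EndpointAddress(new Uri("http://appserver.contoso.com/Accounts/Service.svc"),
                                          EndpointIdentity.CreateDnsIdentity("appserver.contoso.com"));
        var factory = new ChannelFactory<IAccountService>(AccountBindings.Create(), address);
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;

        IAccountService proxy = factory.CreateChannel();
        try { return proxy.GetBalance(accountId); }
        finally { ((IClientChannel)proxy).Close(); }
    }
}
```

`ChainTrust` with an explicit DNS identity is what keeps a mis-issued or self-signed certificate from being accepted silently; the `None` and `PeerTrust` validation modes are sometimes used in development and should not survive into a deployment that carries real passwords.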

Reference: WCF Security Guide from patterns & practices