This is a mirror of official site: http://jasper-net.blogspot.com/

An easy way to use certificates for WCF security

Sunday, September 5, 2010
Introduction

Security plays an important role in any distributed application, and Windows Communication Foundation (WCF, code-named Indigo), the Microsoft communication framework, implements many security standards and offers a wide range of security features.

One of the most important aspects of security is authentication. WCF can be configured to use several authentication methods:

Anonymous caller
User name and password
Certificate
Windows
CardSpace
In this article I will show how to configure WCF to authenticate both the clients and the service with certificates, using an alternative approach.

If you want to understand the implementation in detail, continue with the next section. If you only want to know how to configure WCF with certificates, jump directly to the Quick start tutorial section.

Background concepts

The following sections assume that you are familiar with WCF and with basic security concepts. See the External resources section if you want to review these concepts or need more information.

The problem

Using certificates for authentication is not new, but it is still one of the most common ways to authenticate a subject. WCF has built-in support for certificate authentication that follows the Web Services Security (WS-Security) standards.

The problem with the default configurations and with the available examples is that every certificate must be installed in the Certificate Store, the central location where Windows keeps certificates, shared with other applications such as Internet Explorer.

Why does this cause problems? The short answer is that configuring all the certificates correctly is not easy. In more detail:

When you deploy the service to a server you must install all the certificates it uses in the Certificate Store (in different store locations, depending on how each certificate is used).
This has to be done by an installation program, a script or a batch file, so it is hard to deploy the application with a plain xcopy or ClickOnce installation.
Each client must likewise install the certificate it uses to authenticate itself in its own Certificate Store. This is easy with a small number of clients, but very hard when you must configure each computer manually (and, again, it rules out an xcopy/ClickOnce installation for the client).
You must grant the running process (for example, the ASP.NET worker process) permission to read the certificate's private key. This usually means changing the access control list on the private key file, which again requires a script or an installer and is not always easy.
If you are on shared hosting, you probably cannot install certificates or change their permissions at all.
As a developer I like to keep each project isolated from the others: I want to test different configurations or applications easily, and to simply check out the latest version from the code repository and run it without any special setup. With the Certificate Store I must always remember to install or uninstall the certificates every time.
The following MSDN page shows an example configuration using certificates and describes how to install them in the classic way: MSDN: Message Security Certificate.
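To make the contrast concrete, here is an added example (not the article's own code, whose implementation is in the full CodeProject article) of the two configurations in WCF code: first the store-based setup the list above describes, then a file-based variant that loads PFX files shipped with the application and authenticates the peer by thumbprint with a custom validator. The contract, the subject name "MyServer", the file names, the PFX passwords and the thumbprints are placeholders assumed for this example.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract, only so the host has something to expose.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEchoService
{
    public string Echo(string text) { return text; }
}

// Accepts a certificate only if its thumbprint is on an explicit allow list.
// Chain building is skipped on purpose: the test certificates live in files,
// not in any store, so there is no trusted root to chain to.
public class ThumbprintValidator : X509CertificateValidator
{
    private readonly string[] allowed;

    public ThumbprintValidator(params string[] allowedThumbprints)
    {
        allowed = allowedThumbprints;
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");
        foreach (string t in allowed)
            if (string.Equals(certificate.Thumbprint, t, StringComparison.OrdinalIgnoreCase))
                return; // known certificate: accept
        // Anything else is rejected; a validator must never fall through to "accept".
        throw new SecurityTokenValidationException(
            "Certificate " + certificate.Thumbprint + " is not on the allow list.");
    }
}

public static class CertificateConfiguration
{
    // Classic, store-based configuration (the setup the article calls the problem):
    // the service certificate must already be in LocalMachine\My, the process needs
    // read access to its private key, and client certificates must chain to a trusted root.
    public static ServiceHost CreateStoreBasedHost(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(EchoService), baseAddress);
        host.AddServiceEndpoint(typeof(IEchoService), CreateBinding(), "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "MyServer");            // assumed subject name
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        return host;
    }

    // File-based alternative: nothing is installed in the store and no key ACL is changed.
    public static ServiceHost CreateFileBasedHost(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(EchoService), baseAddress);
        host.AddServiceEndpoint(typeof(IEchoService), CreateBinding(), "");
        host.Credentials.ServiceCertificate.Certificate =
            new X509Certificate2("server.pfx", "server-pfx-password");   // assumed file/password
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.Custom;
        host.Credentials.ClientCertificate.Authentication.CustomCertificateValidator =
            new ThumbprintValidator("0123456789ABCDEF0123456789ABCDEF01234567"); // assumed client thumbprint
        return host;
    }

    // Matching file-based client: its own PFX for authentication, the public part of the
    // service certificate for encryption, and the same thumbprint check in the other direction.
    public static ChannelFactory<IEchoService> CreateFileBasedClient(Uri address)
    {
        var endpoint = new EndpointAddress(address, EndpointIdentity.CreateDnsIdentity("MyServer"));
        var factory = new ChannelFactory<IEchoService>(CreateBinding(), endpoint);
        factory.Credentials.ClientCertificate.Certificate =
            new X509Certificate2("client.pfx", "client-pfx-password");   // assumed file/password
        factory.Credentials.ServiceCertificate.DefaultCertificate =
            new X509Certificate2("server.cer");                          // assumed, public key only
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.Custom;
        factory.Credentials.ServiceCertificate.Authentication.CustomCertificateValidator =
            new ThumbprintValidator("89ABCDEF0123456789ABCDEF0123456789ABCDEF"); // assumed server thumbprint
        return factory;
    }

    // Message security with certificate credentials. Negotiation is turned off so the
    // client must be given the service certificate explicitly instead of receiving it
    // over the wire, which is what DefaultCertificate above is for.
    private static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.NegotiateServiceCredential = false;
        return binding;
    }
}
```

Two practical caveats. Moving the private key out of the store does not remove the need to protect it: the PFX and its password now sit on disk, so the file must be readable only by the service account and must not be shipped to clients (clients get the .cer, never the server's .pfx). And the tempting shortcut of setting CertificateValidationMode to None, which also avoids the store, disables authentication entirely; a custom validator that pins known thumbprints, as above, keeps the file-based deployment while still rejecting unknown certificates.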

Read more: Codeproject
