Permalink
Fetching contributors…
Cannot retrieve contributors at this time
239 lines (154 sloc) 16.6 KB
title ms.custom ms.date ms.prod ms.reviewer ms.suite ms.technology ms.tgt_pltfrm ms.topic helpviewer_keywords ms.assetid caps.latest.revision author ms.author manager
Bindings and Security
03/30/2017
.net-framework
dotnet-clr
article
bindings [WCF], security
WCF security
Windows Communication Foundation, security
bindings [WCF]
4de03dd3-968a-4e65-af43-516e903d7f95
42
BrucePerlerMS
bruceper
mbaldwin

Bindings and Security

The system-provided bindings included with [!INCLUDEindigo1] offer a quick way to program [!INCLUDEindigo2] applications. With one exception, all the bindings have a default security scheme enabled. This topic helps you select the right binding for your security needs.

For an overview of [!INCLUDEindigo2] security, see Security Overview. [!INCLUDEcrabout] programming [!INCLUDEindigo2] using bindings, see Programming WCF Security.

If you have already selected a binding, you can find out more about the run-time behaviors that are associated with security in Security Behaviors.

Some security functions are not programmable using the system-provided bindings. For more control using a custom binding, see Security Capabilities with Custom Bindings.

Security Functions of Bindings

[!INCLUDEindigo2] includes a number of system-provided bindings that meet most needs. If a particular binding does not suffice, you can also create a custom binding. For a list of system-provided bindings, see System-Provided Bindings. [!INCLUDEcrabout] custom bindings, see Custom Bindings.

Every binding in [!INCLUDEindigo2] has two forms: as an API and as an XML element used in a configuration file. For example, the WSHttpBinding (API) has a counterpart in the <wsHttpBinding>.

The following section lists both forms for each binding and summarizes the security features.

BasicHttp

In code, use the xref:System.ServiceModel.BasicHttpBinding class; in configuration, use the <basicHttpBinding>.

This binding is designed for use with a range of existing technologies, including the following:

  • ASP.NET Web services (ASMX), version 1.

  • Web Service Enhancements (WSE) applications.

  • Basic Profile as defined in the Web Services Interoperability (WS-I) specification (http://go.microsoft.com/fwlink/?LinkId=38955).

  • Basic security profile as defined in WS-I.

By default, this binding is not secure. It is designed to interoperate with ASMX services. When security is enabled, the binding is designed for seamless interoperation with Internet Information Services (IIS) security mechanisms, such as basic authentication, digest, and integrated Windows security. [!INCLUDEcrdefault] Transport Security Overview. This binding supports the following:

  • HTTPS transport security.

  • HTTP basic authentication.

  • WS-Security.

[!INCLUDEcrdefault] xref:System.ServiceModel.BasicHttpSecurity, xref:System.ServiceModel.BasicHttpMessageSecurity, xref:System.ServiceModel.BasicHttpMessageCredentialType, and xref:System.ServiceModel.BasicHttpSecurityMode.

WSHttpBinding

In code, use the xref:System.ServiceModel.WSHttpBinding class; in configuration, use the <wsHttpBinding>.

By default, this binding implements the WS-Security specification and provides interoperability with services that implement the WS-* specifications. It supports the following:

  • HTTPS transport security.

  • WS-Security.

  • HTTPS transport protection with SOAP message credential security for authenticating the caller.

[!INCLUDEcrdefault] xref:System.ServiceModel.WSHttpSecurity, xref:System.ServiceModel.MessageSecurityOverHttp, xref:System.ServiceModel.MessageCredentialType, xref:System.ServiceModel.SecurityMode, xref:System.ServiceModel.HttpTransportSecurity, xref:System.ServiceModel.HttpClientCredentialType, and xref:System.ServiceModel.HttpProxyCredentialType.

WSDualHttpBinding

In code, use the xref:System.ServiceModel.WSDualHttpBinding class; in configuration, use the <wsDualHttpBinding>.

This binding is designed to enable duplex service applications. This binding implements the WS-Security specification for message-based transfer security. Transport security is not available. By default, it provides the following features:

  • Implements WS-Reliable Messaging for reliability.

  • Implements WS-Security for transfer security and authentication.

  • Uses HTTP for message delivery.

  • Uses text/XML message encoding.

Using WS-Security (message-layer security), the binding allows you to configure the following parameters:

  • The security algorithm suite to determine the cryptographic algorithm.

  • Binding options for the following:

    • Providing service credentials available out-of-band at the client.

    • Providing service credentials negotiated from the service as part of channel setup.

[!INCLUDEcrdefault] xref:System.ServiceModel.WSDualHttpSecurity and xref:System.ServiceModel.WSDualHttpSecurityMode.

NetTcpBinding

In code, use the xref:System.ServiceModel.NetTcpBinding class; in configuration, use the <netTcpBinding>.

This binding is optimized for cross-machine communication. By default, it has the following characteristics:

  • Implements transport-layer security.

  • Leverages Windows security for transfer security and authentication.

  • Uses TCP for transport.

  • Implements binary message encoding.

  • Implements WS-Reliable Messaging.

Options include the following:

  • Message-layer security (using WS-Security).

  • Transport security with message credential—confidentiality and integrity provided by Transport Layer Security (TLS) over TCP, and credentials for authorization provided by WS-Security.

[!INCLUDEcrdefault] xref:System.ServiceModel.NetTcpSecurity, xref:System.ServiceModel.TcpTransportSecurity, xref:System.ServiceModel.TcpClientCredentialType, xref:System.ServiceModel.MessageSecurityOverTcp, and xref:System.ServiceModel.MessageCredentialType.

NetNamedPipeBinding

In code, use the xref:System.ServiceModel.NetNamedPipeBinding class; in configuration, use the <netNamedPipeBinding>.

This binding is optimized for cross-process communication (usually on the same machine). By default, this binding has the following characteristics:

  • Uses transport security for message transfer and authentication.

  • Uses named pipes for message delivery.

  • Implements binary message encoding.

  • Encryption and message signing.

Options include the following:

  • Authentication using Windows security.

[!INCLUDEcrdefault] xref:System.ServiceModel.NetNamedPipeSecurity, xref:System.ServiceModel.NetNamedPipeSecurityMode, and xref:System.ServiceModel.NamedPipeTransportSecurity.

MsmqIntegrationBinding

In code, use the xref:System.ServiceModel.MsmqIntegration.MsmqIntegrationBinding class; in configuration, use the <msmqIntegrationBinding>.

This binding is optimized for creating [!INCLUDEindigo2] clients and services that interoperate with non-[!INCLUDEindigo2] Microsoft Message Queuing (MSMQ) endpoints.

By default, this binding uses transport security and provides the following security characteristics:

  • Security can be disabled (None).

  • MSMQ transport security (Transport).

[!INCLUDEcrdefault] xref:System.ServiceModel.NetMsmqSecurity and xref:System.ServiceModel.NetMsmqSecurityMode.

NetMsmqBinding

In code, use the xref:System.ServiceModel.NetMsmqBinding class; in configuration, use the <netMsmqBinding>.

This binding is intended for use when creating [!INCLUDEindigo2] services that require MSMQ queued message support.

By default, this binding uses transport security and provides the following security characteristics:

  • Security can be disabled (None).

  • MSMQ transport security (Transport).

  • SOAP-based message security (Message).

  • Simultaneous Transport and Message security (Both).

  • Client Credential Types supported: None, Windows, UserName, Certificate, IssuedToken.

The xref:System.ServiceModel.MessageCredentialType.Certificate credential is supported only when the security mode is set to either xref:System.ServiceModel.NetMsmqSecurityMode.Both or xref:System.ServiceModel.NetMsmqSecurityMode.Message.

[!INCLUDEcrdefault] xref:System.ServiceModel.MessageSecurityOverMsmq and xref:System.ServiceModel.MsmqTransportSecurity.

WSFederationHttpBinding

In code, use the xref:System.ServiceModel.WSFederationHttpBinding class; in configuration, use the <wsFederationHttpBinding>.

By default, this binding uses WS-Security (message-layer security).

[!INCLUDEcrdefault] Federation, xref:System.ServiceModel.WSFederationHttpSecurity, and xref:System.ServiceModel.WSFederationHttpSecurityMode.

Custom Bindings

If none of the system-provided bindings meets you requirements, you can create a custom binding with a custom security binding element. [!INCLUDEcrdefault] Security Capabilities with Custom Bindings.

Binding Choices

The following table summarizes the features offered in the security mode setting, that is, it lists the features available when the security mode is set to Transport, Message, or TransportWithMessageCredential. Use this table to help you find the security features your application requires.

Setting Features
Transport Server authentication

Client authentication

Point-to-point security

Interoperability

Hardware acceleration

High throughput

Secure firewall

High-latency applications

Re-encryption across multiple hops
Message Server authentication

Client authentication

End-to-end security

Interoperability

Rich claims

Federation

Multifactor authentication

Custom tokens

Notary/timestamp service

High-latency applications

Persistence of message signatures
TransportWithMessageCredential Server authentication

Client authentication

Point-to-point security

Interoperability

Hardware acceleration

High throughput

Rich client claims

Federation

Multifactor authentication

Custom tokens

Secure firewall

High-latency applications

Re-encryption across multiple hops

The following table lists the bindings that support the various mode settings. Select a binding from the table to use to create your service endpoint.

Binding Transport mode support Message mode support TransportWithMessageCredential support
BasicHttpBinding Yes Yes Yes
WSHttpBinding Yes Yes Yes
WSDualHttpBinding No Yes No
NetTcpBinding Yes Yes Yes
NetNamedPipeBinding Yes No No
NetMsmqBinding Yes Yes No
MsmqIntegrationBinding Yes No No
wsFederationHttpBinding No Yes Yes

Transport Credentials in Bindings

The following table lists the client credential types available when using either BasicHttpBinding or WSHttpBinding in transport security mode.

Type Description
None Specifies that the client does not need to present any credential. This translates to an anonymous client.
Basic Basic authentication. [!INCLUDEcrdefault] RFC 2617 – HTTP Authentication: Basic and Digest Authentication, available at http://go.microsoft.com/fwlink/?LinkId=84023.
Digest Digest authentication. [!INCLUDEcrdefault] RFC 2617 – HTTP Authentication: Basic and Digest Authentication, available at http://go.microsoft.com/fwlink/?LinkId=84023.
NTLM NT LAN Manager (NTLM) authentication.
Windows Windows authentication.
Certificate Authentication performed using a certificate.
IssuedToken Allows the service to require that the client be authenticated using a token issued by a security token service or by [!INCLUDEinfocard]. [!INCLUDEcrdefault] Federation and Issued Tokens.

Message Client Credentials in Bindings

The following table lists the client credential types available when using a binding in Message security mode.

Type Description
None Allows the service to interact with anonymous clients.
Windows Allows SOAP message exchanges to be made under the authenticated context of a Windows credential.
UserName Allows the service to require that the client be authenticated using a user name credential. Note that when the security mode is set to TransportWithMessageCredential, [!INCLUDEindigo2] does not support sending a password digest or deriving keys using password and using such keys for Message mode security. As such, [!INCLUDEindigo2] enforces that the transport is secured when using user name credentials.
Certificate Allows the service to require that the client be authenticated using a certificate.
IssuedToken Allows the service to use a security token service to supply a custom token.

See Also

Security Overview
Securing Services and Clients
Selecting a Credential Type
Security Capabilities with Custom Bindings
Security Behaviors
Security Model for Windows Server App Fabric