BasicHttpBinding with Transport Security

This is just something to remind myself next time I need to implement a WCF service using the BasicHttpBinding with transport-only security (SSL + client certificates)':

  • WCF expects that the "Require SSL" option in IIS is enabled.
  • If Metadata Exchange is needed, configure the MEX endpoint with a custom binding with the right settings; otherwise the service won't start.
  • Remember to set httpsGetEnabled="true" option in the <serviceMetadata> service behavior instead of the usual httpGetEnabled attribute.
  • WCF does not understand the "Accept Client Certificates" option in IIS. It treats it the same as "Ignore Client Certificates" option.

To use client certificates:

    • Enable the "Require Client Certificates" option in IIS
    • On the service side, use a custom binding to set the requireClientCertificate option of the httpsTransport binding element:

      <bindings>

         <customBinding>

            <binding name="sslBasicHttp">

               <textMessageEncoding messageVersion="Soap11" />

               <httpsTransport requireClientCertificate="true"/>

            </binding>

         </customBinding>

      </bindings>

    • On the client side, use basicHttpBinding with the security mode set to "Transport" and the option clientCredentialType set to "Certificate" on the <transport/> element.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>