
I want to retrieve the username and password of the user that requires the service operation.
For this I need to specify the following configuration:

    <binding name="NewBinding0">
        <security mode="Message">
            <message clientCredentialType="UserName"
                     negotiateServiceCredential="false"
                     establishSecurityContext="false" />
        </security>
    </binding>

Now it requires the x509 certificate. Can I disable it, or modify the security mode or message credentialType, but still provide the same functionality?

croisharp

1 Answer


When you specify message security it always expects a service certificate. The reason is that the user name and password should be sent over a secured channel; otherwise the password is sent as plain text and everybody on the network can see it.

All default bindings will allow you to send the user name and password only when you are using HTTPS (security mode set to TransportWithMessageCredential - it also requires a certificate) or if you are using WS-Security where a service certificate is needed (security mode set to Message).

In WCF 4 (and with a special KB patch in earlier versions) you can create a custom binding where the user name and password can be sent over an unsecured channel, but it is almost the same as no security. It should be used only if your channel is secured with some other infrastructure like a VPN.

Ladislav Mrnka
  • Can I encrypt the username/password, but without using the certificate, for example in md5? – croisharp Jun 29 '11 at 11:16
  • Not with default security (unless you add a lot of custom classes to support a custom security token). You can send a custom SOAP header with the user name and hashed password, but you must handle passing this header from the client and validating credentials on the service yourself. – Ladislav Mrnka Jun 29 '11 at 11:46
  • Okay, I generate the client/server certificates, all works, but with – croisharp Jun 29 '11 at 12:50
  • http://www.codeproject.com/KB/WCF/9StepsWCF.aspx I did certificates using this tutorial. – croisharp Jun 29 '11 at 12:57
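The two default-binding options described in the answer, shown as service-side configuration. This is an added example, not part of the original posts; the service, contract, behavior and binding names and the certificate subject `ExampleServiceCert` are hypothetical placeholders.

```xml
<!-- Added example. All names (Example.*, ExampleServiceCert, binding and
     behavior names) are hypothetical. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Option A: WS-Security message protection. The user name token is
             encrypted with the service certificate from the behavior below. -->
        <binding name="UserNameOverMessage">
          <security mode="Message">
            <message clientCredentialType="UserName"
                     negotiateServiceCredential="false"
                     establishSecurityContext="false" />
          </security>
        </binding>
        <!-- Option B: HTTPS protects the channel and the user name token rides
             in the SOAP header. The certificate is the one bound to the HTTPS
             endpoint, so the service must be hosted on an https:// address. -->
        <binding name="UserNameOverHttps">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="UserNameBehavior">
          <serviceCredentials>
            <!-- Required for Option A: the certificate the service presents. -->
            <serviceCertificate findValue="ExampleServiceCert"
                                storeLocation="LocalMachine"
                                storeName="My"
                                x509FindType="FindBySubjectName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Example.MyService" behaviorConfiguration="UserNameBehavior">
        <!-- Switch bindingConfiguration to UserNameOverHttps for Option B. -->
        <endpoint address="" binding="wsHttpBinding"
                  bindingConfiguration="UserNameOverMessage"
                  contract="Example.IMyService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

With `negotiateServiceCredential="false"` the client does not obtain the service certificate during a handshake, so the certificate has to be available to the client out of band.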