
We have WCF services being self-hosted by a Windows Service inside our domain, using NetTCP with the following settings.

// Set Binding Security.
netTcpBinding.Security.Mode = SecurityMode.Transport;
netTcpBinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
netTcpBinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;

We now have a requirement to allow people outside the domain to access these Services (as long as they can provide proper domain credentials). Our goal isn't to host the services via IIS, just allow those outside folks into our services. In my testing I was able to connect to a service from outside by "impersonating" the client proxy credentials during the WCF call as such.

proxy.ClientCredentials.Windows.ClientCredential.Domain = "MyDomainName";
proxy.ClientCredentials.Windows.ClientCredential.UserName = "MyUserName";
proxy.ClientCredentials.Windows.ClientCredential.Password = "MyPassword";

My question is: Is this the correct way? Is there a better way? Any advice would be greatly appreciated.

kevin

1 Answer


This route is perfectly valid if you need to imperatively (in code, e.g. a credential popup, or read from a configuration file) set the credentials. A more secure option is to use the Windows credential cache. Firstly you would set it up to use the cache:

proxy.ChannelFactory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

Next you would set up the credentials in the credential cache. In Windows XP/2003 this is under "Stored Usernames and Passwords" (in the control panel); in Vista/7/2008 this is under "User Account > Credential Manager" (in the control panel).

As said, your way is perfectly valid - the cache is just more secure.

Jonathan Dickinson
  • Thanks for validating what I was doing there. I have asked a new question along the same lines, but using certificates. If you have any thoughts there, I would love to hear your input. http://stackoverflow.com/questions/7471253/client-certificate-for-wcf-nettcp-transport-binding – kevin Sep 19 '11 at 12:55
  • Does CredentialCache.DefaultNetworkCredentials automagically consult the Windows Credential Manager for credentials to the remote endpoint and ask for them/offer to store them if they're missing!!? – Jason Kleban Aug 15 '13 at 03:20
  • @uosɐſ in my experience it does, however it's not explicitly stated on MSDN. YMMV. If you want to access that store give this a go: http://www.microsoft.com/indonesia/msdn/credmgmt.aspx – Jonathan Dickinson Aug 16 '13 at 08:58