Improving Web Services Security

Cover Page......Page 1
Copyrights Page......Page 2
Title......Page 3
Foreword by Nicholas Allen......Page 4
Foreword by Rockford Lhotka......Page 5
WCF / Services Security......Page 6
Why We Wrote This Guide......Page 7
Parts......Page 8
“How To” Articles......Page 9
Resources......Page 10
The Team Who Brought You This Guide......Page 11
Tell Us About Your Success......Page 12
Security Engineering......Page 13
Authentication / Authorization......Page 14
Patterns......Page 16
Auditing and Logging......Page 17
Impersonation / Delegation......Page 18
Message Validation......Page 19
The Approach......Page 21
patterns & practices Security Engineering......Page 22
Intranet......Page 23
Web Services Security Frame......Page 24
Threats and Attacks to Your Web Services......Page 25
Guidelines for Your Web Services......Page 26
Web Services Security Patterns......Page 28
Bindings in WCF......Page 30
Transport Security......Page 32
Message Security......Page 33
Message Security......Page 34
Authorization Options in WCF......Page 35
Part I - Security Fundamentals for Web Services......Page 37
The Foundations of Security......Page 38
What Is a Service?......Page 39
Service-Oriented Architecture (SOA)......Page 40
Service Orientation vs. Object Orientation......Page 41
Enterprise SOA vs. Application SOA......Page 42
How Do You Build Secure Services?......Page 43
patterns & practices Security Engineering......Page 44
Web Services Security Principles......Page 46
Web Services Security Frame......Page 47
Web Services Security Patterns......Page 50
Additional Resources......Page 53
Web Services Security Frame......Page 55
Auditing and Logging......Page 56
Authentication......Page 57
Authorization......Page 58
Exception Management......Page 59
Impersonation/Delegation......Page 60
Message Replay Detection......Page 61
Message Validation......Page 62
Sensitive Data......Page 63
Session Management......Page 64
Threats and Attacks Explained......Page 65
Security Architecture and Design Issues for Web Services......Page 68
Deployment Considerations......Page 69
Auditing and Logging......Page 71
Do Not Log Sensitive Information......Page 72
Protect and Audit Log Files......Page 73
Be Able to Disable Accounts......Page 74
Additional Resources......Page 75
Consider Authorization Granularity......Page 76
Restrict User Access to System-level Resources......Page 77
Consider Your Key Storage Location......Page 78
Catch Exceptions......Page 79
Message Protection......Page 80
Message Validation......Page 81
Additional Resources......Page 82
Encrypt Sensitive Data over the Network......Page 83
Secure the Channel to the Session Store......Page 84
Part II - WCF Security Fundamentals......Page 86
Key Security Features......Page 87
Bindings and Behaviors......Page 88
Transport Security......Page 89
Message Security......Page 90
Protection Levels......Page 91
Service Credentials Negotiation......Page 92
Transport Security Mode Authentication Options......Page 93
Message Security Mode Authentication Options......Page 94
Impersonation / Delegation......Page 95
Auditing......Page 96
Transfer Security Modes......Page 98
Authentication Options with Transport Security......Page 99
Authorization Options in WCF......Page 100
Imperative Authorization......Page 101
Resource-based Authorization Options in WCF......Page 102
The Trusted Subsystem Model......Page 103
The Impersonation / Delegation Model......Page 104
Identities in WCF......Page 105
Step 1 – Identify Resources......Page 106
Step 2 – Choose an Authorization Approach......Page 107
Transport Security......Page 108
Bindings Summary......Page 109
User Store and Credential Management......Page 110
Internet Scenarios......Page 111
Additional Resources......Page 113
Impersonation Scenarios......Page 114
Impersonate the Original Caller Temporarily......Page 115
Use Delegation to Access Network Resources......Page 116
Impersonate Using the WindowsIdentity Constructor (S4U Kerberos Extensions)......Page 117
Impersonate Using the LogonUser API......Page 118
Impersonate the Original Caller Declaratively for the Entire Service......Page 119
Impersonate the Original Caller Programmatically Within an Operation......Page 120
Controlling Impersonation on the Client Side......Page 121
Related Items......Page 122
Additional Resources......Page 123
Transport Security......Page 124
Message Security......Page 125
Transfer Security Modes......Page 126
Transport Security in WCF......Page 127
Internet Scenarios......Page 128
Protection Level......Page 129
Internet Scenarios......Page 130
WCF Built-in Bindings......Page 132
Bindings Behaviors and Endpoints......Page 134
netMsmqBinding......Page 135
Internet Binding Scenarios......Page 136
Message Encoding Binding Elements......Page 137
Transport Binding Elements......Page 138
Custom Binding Configuration Examples......Page 139
Part III - Intranet Application Scenarios......Page 140
Key Characteristics......Page 141
Solution Summary Table......Page 142
Web Server......Page 143
Application Server......Page 144
Database Server......Page 146
Web Server......Page 147
Application Server......Page 148
Domain Controller......Page 149
Web Server......Page 150
Application Server......Page 151
Additional Resources......Page 153
Key Characteristics......Page 155
Solution Summary Table......Page 156
Web Server......Page 157
Application Server......Page 159
Communication Security......Page 161
Web Server......Page 162
Database Server......Page 163
Web Server......Page 164
Application Server......Page 166
Additional Resources......Page 168
Key Characteristics......Page 169
Solution Summary Table......Page 170
Web Server......Page 171
Application Server......Page 173
Database Server......Page 174
Web Server......Page 175
Application Server......Page 176
Communication Security......Page 177
Web Server......Page 178
Application Server......Page 180
Additional Resources......Page 182
Key Characteristics......Page 184
Thick Client......Page 185
Application Server......Page 186
Database Server......Page 188
Application Server......Page 189
Communication Security......Page 190
Application Server......Page 191
Database Server......Page 192
Additional Resources......Page 193
Part IV - Internet Application Scenarios......Page 194
Key Characteristics......Page 195
Solution Summary Table......Page 196
Clients......Page 197
Application Server......Page 198
Communication Security......Page 202
Application Server......Page 203
Communication Security......Page 204
IIS......Page 205
WCF......Page 209
Additional Resources......Page 212
Key Characteristics......Page 213
Solution Summary Table......Page 214
Web Server......Page 215
Application Server......Page 218
Communication Security......Page 220
Application Server......Page 221
Communication Security......Page 222
Web Server......Page 223
Application Server......Page 226
Additional Resources......Page 227
Key Characteristics......Page 228
Thick Client......Page 229
Application Server......Page 230
Database Server......Page 234
Application Server......Page 235
Application Server......Page 236
Client......Page 239
Additional Resources......Page 240
Authentication......Page 241
Bindings......Page 242
Impersonation/Delegation......Page 243
Message Security......Page 244
Sensitive Data......Page 245
Deployment Considerations......Page 246
Index......Page 247
Design Considerations......Page 250
If You Are Migrating from DCOM, Consider Using netTcpBinding......Page 251
If You Require Interoperability with Non-Microsoft Clients, Use Bindings That Are Targeted for Interoperability......Page 252
Know Your Authentication Options......Page 253
Know Your Authorization Options......Page 254
Know Your Binding Options......Page 255
Choose the Right Binding for Your Scenario......Page 256
Auditing and Logging......Page 257
Use WCF Auditing to Audit Your Service......Page 258
Use Message Logging for Debugging Purposes......Page 259
Instrument for User Management Events......Page 260
Do Not Log Sensitive Information......Page 261
Protect Information in Log Files......Page 262
Authentication......Page 263
Know Your Authentication Options......Page 264
Use Windows Authentication When You Can......Page 265
If You Are Using Username Authentication, use a Membership Provider Instead of Custom Authentication......Page 266
If Your Users Are in a SQL Server Membership Store, Use the SQL Server Membership Provider......Page 267
If Your Users Are in a Custom Store, Consider Using Username Authentication with a Custom Validator......Page 268
If Your Partner Applications Need to Be Authenticated When Calling WCF Services, Use Client Certificate Authentication......Page 269
If You Are Using Username Authentication, Validate User Login Information......Page 270
Protect Access to Your Credential Store......Page 271
If You Store Role Information in Windows Groups, Consider Using the WCF PrincipalPermissionAttribute Class for Role Authorization......Page 272
If You Use Windows Groups for Authorization, Use the ASP.NET Role Provider with AspNetWindowsTokenRoleProvider......Page 273
If You Store Role Information in SQL Server, Consider Using  the SQL Server Role Provider for Role Authorization......Page 275
If You Store Role Information in a Custom Store, Create a Custom Authorization Policy......Page 276
If You Need to Perform Fine-Grained Authorization Based on Business Logic, Use Imperative Authorization......Page 277
Bindings......Page 278
If You Need to Expose Your WCF Service to Legacy Clients as an ASMX Web Service, Use basicHttpBinding......Page 279
If You Need to Support WCF Clients Within an Intranet, Consider Using netTcpBinding......Page 280
If You Need to Support WCF Clients on the Same Machine, Consider Using netNamedPipeBinding......Page 281
If You Need to Support Disconnected Queued Calls, Use netMsmqBinding......Page 282
If You Need to Support Bidirectional Communication Between a WCF Client and WCF Service, Use wsDualHttpBinding or netTcpBinding......Page 283
Use Replay Detection to Protect Against Message Replay Attacks......Page 284
If You Host Your Service in a Windows Service, Expose a Metadata Exchange (mex) Binding......Page 285
Encrypt Configuration Sections That Contain Sensitive Data......Page 286
Use Structured Exception Handling......Page 287
Do Not Divulge Exception Details to Clients in Production......Page 288
Use a Fault Contract to Return Error Information to Clients......Page 289
Run Your Service in a Least-Privileged Account......Page 290
Use IIS to Host Your Service Unless You Need to Use a Transport That IIS Does Not Support......Page 291
Know the Tradeoffs Involved in Impersonation......Page 292
Impersonate Using the LogonUser API......Page 293
Impersonate the Original Caller Declaratively on the Entire Service......Page 294
Consider Using Programmatic Instead of Declarative Impersonation......Page 295
When Impersonating Declaratively, Only Impersonate on the Operations That Require It......Page 296
Consider Using the S4U Feature for Impersonation and Delegation When You Cannot Do a Windows Mapping......Page 297
Consider Using the LogonUser API if Your WCF Service Cannot Be Trusted for Delegation......Page 298
Use Constrained Delegation if You Have to Flow the Original Caller to the Back-end Services......Page 299
If You Need to Validate Parameters, Use Parameter Inspectors......Page 300
Use Schemas with Message Inspectors to Validate Messages......Page 301
Use Regular Expressions in Schemas to Validate Format, Range, or Length......Page 302
Implement the AfterReceiveRequest Method to Validate Inbound Messages on the Service......Page 303
Implement the AfterReceiveReply Method to Validate Inbound Messages on the Client......Page 304
Validate Operation Parameters for Length, Range, Format, and Type......Page 305
Avoid User-supplied File Name and Path Input......Page 306
Do Not Echo Untrusted Input......Page 307
If You Need to Support Clients in an Intranet, Use Transport Security......Page 312
Proxy Considerations......Page 313
If You Need to Publish Your WCF Service Metadata, Publish It Using Secure Binding......Page 314
Sensitive Data......Page 315
Do Not Cache Sensitive Data......Page 316
Be Aware That basicHttpBinding Will Not Protect Sensitive Data by Default......Page 317
Do Not Use Temporary Certificates in Production......Page 318
Use IIS to Host Your WCF Service Wherever Possible......Page 319
Protect Sensitive Data in Your Configuration Files......Page 320
Index......Page 322
How to Audit Security Events......Page 325
How to Enable WCF Message Logging......Page 326
How to Enable WCF Tracing......Page 328
How to Use Health Monitoring in WCF......Page 329
How to Filter Sensitive Data from Your Logs......Page 331
How to View Trace Information......Page 332
How to Turn Off Audit Failure Suppression......Page 333
How to Authenticate Users Against the SQL Server Membership Provider......Page 334
How to Authenticate Users against Active Directory......Page 336
How to Authenticate Users with Certificates......Page 337
How to Map Certificates with Windows Accounts......Page 338
How to Authenticate Users Against a Custom User Store......Page 339
How to Authorize Declaratively......Page 340
How to Authorize Imperatively if You Use a Role Provider......Page 341
How to Perform Resource-based Authorization......Page 342
How to Perform Role-based Authorization......Page 343
How to Authorize Users Against Windows Groups Using AspNetWindowsTokenRoleProvider......Page 345
How to Authorize Users Against the SQL Server Role Provider......Page 346
How to Authorize Users Against the ASP.NET Role Provider......Page 348
How to Assign the Current Principal with IAuthorizationPolicy to Allow Authorization Using Custom Authentication......Page 350
How to Authorize Users Against ADAM Using the Authorization Manager Role Provider......Page 352
How to Map Roles to Certificates......Page 354
How to Encrypt Sensitive Data in Your Configuration Files......Page 355
How to Create a Service Account for Your WCF Service......Page 356
How to Protect Against Message Replay Attacks......Page 357
How to Configure Certificates to Enable SSL in IIS......Page 358
How to Map Windows Accounts with Certificates......Page 359
How to Create a Service Principle Name (SPN)......Page 360
How to Create an X.509 Certificate......Page 361
How to Shield Exception Information with Fault Contracts......Page 362
How to Avoid Faulting the Channels with Fault Contracts......Page 363
How to Create an Error Handler to Log Details of Faults for Auditing Purposes......Page 364
How to Handle Unhandled Exceptions In Downstream Services......Page 365
How to Throw an Exception with Complex Types or Data Contracts with a Fault Exception......Page 366
How to Implement a Data Contract to Propagate Exception Details for Debugging Purposes......Page 367
How to Host WCF in IIS......Page 369
How to Host WCF in a Windows Service......Page 370
How to Self-host WCF......Page 371
How to Configure a Least-privileged Account to Host Your Service......Page 372
How to Choose Between a Trusted Subsystem and Impersonation/Delegation......Page 373
How to Impersonate the Original Caller when Using Windows Authentication......Page 374
How to Impersonate Programmatically in WCF......Page 375
How to Impersonate Declaratively In WCF......Page 376
How to Impersonate the Original Caller Without Windows Authentication......Page 377
How to Impersonate the Original Caller Using S4U Kerberos Extensions......Page 378
How to Impersonate and Delegate Using the LogonUser Windows API......Page 379
How to Control Access to a Remote Resource Based on the Original Caller’s Identity......Page 381
How to Protect Your Service from Malicious Messages......Page 382
How to Protect Your Service from Denial Of Service Attacks......Page 383
How to Validate Parameters with Parameter Inspectors......Page 384
How to Validate Messages with Message Inspectors Using Schemas......Page 385
How to Validate Data Contracts with Message Inspectors Using Schemas......Page 386
How to Validate Message Contracts with Message Inspectors Using Schemas......Page 387
How to Use Regular Expressions to Validate Format, Range, and Length in Schemas......Page 388
How to Validate Outbound Messages on a Service......Page 390
How to Validate Input Parameters......Page 391
How to Use Message Security......Page 392
How to Use Out-of-band Credentials with Message Security......Page 393
How to Publish Service Metadata for Your Clients......Page 394
How to Create a Proxy for an IIS-hosted Service with Certificate Authentication and Transport Security......Page 396
How to Encrypt Sensitive Data in Configuration Files......Page 397
How to Protect Sensitive Data in Memory......Page 398
How to Use Transport Security......Page 399
How to Create a Temporary X.509 Certificate for Transport Security......Page 400
How to Create a Temporary X.509 Certificate for Message Security......Page 401
How to Create a Temporary X.509 Certificate for Certificate Authentication......Page 402
Index......Page 403
How do I decide on an authentication strategy?......Page 406
How do I decide on an authorization strategy?......Page 408
How do I use my existing Active Directory infrastructure?......Page 409
When should I impersonate the original caller?......Page 410
How do I migrate to WCF from an ASMX Web service?......Page 411
How do I migrate to WCF from a COM application?......Page 412
How do I migrate to WCF from a WSE application?......Page 413
How do I enable logging and auditing in WCF?......Page 414
How do I stop my service if there has been an auditing failure?......Page 416
How do I log important business events in WCF?......Page 417
How do I implement log throttling in WCF?......Page 418
How do I use health monitoring feature with WCF?......Page 419
How to I pass user identity information in a message for auditing purpose?......Page 420
Authentication......Page 422
How do I decide on an authentication strategy in WCF?......Page 423
How do I authenticate against a SQL store?......Page 424
How do I authenticate against a custom store?......Page 426
How do I use certificate authentication with X.509 certificates?......Page 427
What is federated security?......Page 428
Authorization......Page 429
What’s the difference between resource-based, roles-based, and claims-based authorization?......Page 430
How do I use the SQL Server role provider for ASP.NET role authorization in WCF?......Page 431
How do I use the Authorization Store role provider for ASPNET role authorization in WCF?......Page 433
What is the difference between declarative and imperative roles authorization?......Page 434
How do I restrict access to WCF operations to specific Windows users?......Page 435
How do I create a service principal name (SPN)?......Page 436
What bindings are available?......Page 437
Which bindings are best suited for the Intranet?......Page 439
How do I choose an appropriate binding?......Page 440
How do I encrypt sensitive data in the WCF configuration file?......Page 441
When should I use a configuration file versus the WCF object model?......Page 442
What are the additional considerations for using WCF in a Web farm?......Page 443
How do I create an X.509 certificate?......Page 444
How do I configure a least-privileged account for my service?......Page 445
How do I implement a global exception handler?......Page 446
How do I define a fault contract?......Page 447
How do I avoid sending exception details to the client?......Page 448
When should I host my service in IIS?......Page 449
Impersonation/Delegation......Page 450
What is the difference between impersonation and delegation?......Page 451
How do I temporarily impersonate the original caller in an operation call?......Page 452
What is constrained delegation?......Page 453
How do I flow the original caller from the ASP.NET client to a WCF service?......Page 454
What is the difference between declarative and programmatic impersonation?......Page 455
When should I flow the original caller to back-end code?......Page 456
How do I implement input and data validation in WCF?......Page 457
What is parameter validation?......Page 458
How do I protect my service from malicious input attacks?......Page 459
When should I use message security?......Page 460
How do I protect my message when there are intermediaries routing my message?......Page 461
How do I avoid proxy spoofing?......Page 462
How do I protect sensitive data in configuration files?......Page 463
How do I protect sensitive data in memory?......Page 464
How do I protect sensitive data from being tampered with on the wire?......Page 465
Do I need to create a certificate signed by the root CA certificate?......Page 466
How do I use X.509 certificate revocation?......Page 467
Overview......Page 468
Step 2 – Enable Auditing for Your WCF Service......Page 469
Step 3 – Enable Logging and Tracing for Your WCF Service......Page 470
Step 6 – Test the Client and WCF Service......Page 472
Step 7 – Verify the Service Events in the Event Log......Page 473
Additional Resources......Page 474
Objectives......Page 475
Overview......Page 476
Step 1 – Create a Certificate to Act as Your Root Certificate Authority......Page 477
Step 3 – Install Your Root Certificate Authority Certificate on the Server and Client Machines......Page 478
Step 4 – Install the Certificate Revocation List File on the Server and Client Machines......Page 479
Step 5 – Create and Install Your Temporary Service Certificate......Page 480
Step 6 – Give the WCF Process Identity Access to the Temporary Certificate’s Private Key......Page 482
Additional Resources......Page 483
Overview......Page 485
Step 1 – Create a Certificate to Act as Your Root Certificate Authority......Page 486
Step 2 – Install Your Root Certificate Authority on the Server and Client Machines......Page 487
Step 3 – Create and Install Your Temporary Service Certificate......Page 488
Additional Resources......Page 489
Overview......Page 491
Summary of Steps......Page 492
Step 1 – Create a Certificate to Act as Your Client Root Certificate Authority......Page 493
Step 3 – Install Your Client Root Certificate Authority on the Client and Server Machines......Page 494
Step 4 – Install the Certificate Revocation List File on the Server and Client Machines......Page 495
Step 5 – Create and Install Your Temporary Client Certificate......Page 496
Additional Resources......Page 497
Overview......Page 499
Step 1 – Create a WCF service......Page 500
Step 2 – Configure the WCF Endpoints to Use TCP and Set the Base Address......Page 501
Step 5 – Modify the Windows Service to Host the WCF Service......Page 502
Step 6 – Install the Windows Service......Page 504
Step 9 – Test the Client and WCF Service......Page 505
Additional Resources......Page 506
Overview......Page 507
Before You Begin......Page 508
Step 3 – Configure the SPN Identity for the WCF Service Endpoint......Page 509
Step 4 – Implement Impersonation in the WCF Service......Page 510
Step 6 – Add a WCF Service reference to the client......Page 511
Step 8 – Configure the Web Application for Constrained Delegation......Page 512
Step 9 – Test the Client and WCF Service......Page 513
Additional Information......Page 514
Additional Resources......Page 515
Overview......Page 517
Step 1 – Create a Sample WCF Service......Page 518
Step 4 – Create a Test Client Application......Page 519
Additional Information......Page 520
Additional Resources......Page 522
Overview......Page 523
Step 1 – Create a Sample WCF Service......Page 524
Step 3 – Create a Class That Implements the Validation Logic......Page 525
Step 4 – Create a Class That Implements a Custom Endpoint Behavior......Page 527
Step 5 – Create a Class That Implements a Custom Configuration Element......Page 529
Step 6 – Add the Custom Behavior to the Configuration File......Page 530
Step 8 – Configure the Service Endpoint to Use the Endpoint Behavior......Page 531
Additional Resources......Page 532
Objectives......Page 534
Step 1 – Create a Sample WCF Service......Page 535
Step 3 – Create the Schema to Validate the Message......Page 537
Step 5 – Create a Class That Implements the Schema Validation Logic......Page 540
Step 6 – Create a Class That Implements a Custom Endpoint Behavior......Page 543
Step 7 – Create a Class That Implements a Custom Configuration Element......Page 544
Step 8 – Add the Custom Behavior to the Configuration File......Page 545
Step 9 – Create an Endpoint Behavior and Map It to Use the Custom Behavior......Page 546
Step 11 - Test the Schema Validator......Page 547
Additional Resources......Page 548
Overview......Page 550
Step 2 – Configure the WCF Service to Use basicHttpBinding......Page 551
Step 3 – Configure basicHttpBinding to use Windows Authentication with TransportCredentialOnly......Page 552
Step 5 – Create a Windows Forms Test Client Application......Page 553
Additional Resources......Page 554
Overview......Page 556
Step 1 – Create a Sample WCF Service......Page 557
Step 2 – Configure wsHttpBinding with Certificate Authentication and Message Security......Page 558
Step 4 – Configure the Service Certificate for the WCF Service......Page 559
Step 6 – Add a WCF Service Reference to the Client......Page 560
Step 8 – Configure the Client Certificate in the WCF Client Application......Page 561
Step 9 – Test the Client and WCF Service......Page 562
Additional Resources......Page 563
Objectives......Page 564
Overview......Page 565
Step 3 – Create a Sample WCF Service......Page 566
Step 4 – Configure wsHttpBinding with Certificate Authentication and Transport Security......Page 567
Step 5 – Configure the mex Endpoint to Use wsHttpbinding with Certificate Authentication Configuration......Page 568
Step 7 – Create a Test Client......Page 569
Step 8 – Create a Svcutil Configuration File in the Client Machine......Page 570
Step 9 – Create a Proxy with the svcutil.exe Tool......Page 571
Additional Resources......Page 572
Overview......Page 573
Step 1 – Create a Sample WCF Service......Page 574
Step 3 – Identify and Configure the Remote Service to Be Accessed......Page 575
Step 4 – Configure the WCF Service Identity Trusted for Constrained Delegation......Page 576
Step 6 – Create a Test Client Application......Page 578
Additional Resources......Page 579
Overview......Page 580
Step 1 – Create a Custom Web Event......Page 581
Step 2 – Create a WCF Service for Monitoring......Page 582
Step 4 – Instrument Your WCF Service......Page 583
Step 7 – Test the Client and WCF Service......Page 584
Additional Resources......Page 585
Overview......Page 587
Step 2 – Create a Sample WCF Service......Page 589
Step 3 – Modify the Windows Service to Host the WCF Service......Page 590
Step 4 – Configure the WCF Service to Use netTcpBinding with Message Security......Page 591
Step 5 – Configure the WCF Service to Publish Metadata......Page 592
Step 8 – Test the Client and WCF Service......Page 594
Additional Resources......Page 595
Overview......Page 596
Summary of Steps......Page 597
Step 2 – Create a Sample WCF Service......Page 598
Step 3 – Modify the Windows Service to Host the WCF Service......Page 599
Step 4 – Configure the WCF Service to Use netTcpBinding with Transport Security......Page 600
Step 5 – Configure the WCF Service to Publish Metadata......Page 601
Step 7 – Create a Test Client Application......Page 602
Additional Resources......Page 603
Objectives......Page 605
Summary of Steps......Page 606
Step 2 – Configure wsHttpBinding with Certificate Authentication and Message Security......Page 607
Step 3 – Create and Install a Service Certificate......Page 608
Step 5 – Impersonate the Original Caller in the WCF Service......Page 609
Step 6 – Configure the WCF Service Identity for Protocol Transition and Constrained Delegation......Page 611
Step 7 – Create a Test Client......Page 612
Step 10 – Configure the Client Certificate in the WCF Client Application......Page 613
Step 11 – Test the Client and WCF Service......Page 614
Additional Resources......Page 615
Objectives......Page 616
Step 1 – Create a WCF Service with Username Authentication Using the SQL Server Membership Provider......Page 617
Step 2 – Create a Role Store for the SQL Server Role Provider......Page 618
Step 4 – Enable and Configure the Role Provider......Page 619
Step 5 – Create Roles and Assign Users......Page 620
Step 8 – Add a WCF Service Reference to the Client......Page 621
Step 9 – Configure the Client to Set RevocationMode to NoCheck......Page 622
Step 10 – Test the Client and WCF Service......Page 623
Additional Resources......Page 624
Overview......Page 625
Step 1 – Create a WCF Service with Windows Authentication......Page 626
Step 3 – Grant Access Permission to the WCF Service Process Identity......Page 627
Step 4 – Enable and Configure the Role Provider......Page 628
Step 6 – Implement Declarative Role-based Security......Page 630
Step 9 – Test the Client and WCF Service......Page 631
Additional Resources......Page 632
Objectives......Page 633
Step 1 – Create a User Store for SQL Membership Provider......Page 634
Step 2 – Grant Access Permission to the WCF Service Process Identity......Page 635
Step 4 – Configure wsHttpBinding with Username Authentication and Message Security......Page 636
Step 5 – Configure Membership Provider for Username Authentication......Page 637
Step 7 – Configure the Service Certificate for WCF......Page 639
Step 11 – Test the Client and WCF Service......Page 640
Additional Resources......Page 641
Contents......Page 642
Summary of Steps......Page 643
Step 2 – Grant Access Permission to the WCF Service Process......Page 644
Step 3 – Create a Sample WCF Service......Page 645
Step 4 – Configure basicHttpBinding with Transport Security and an Authentication Type of “None”......Page 646
Step 6 – Configure the SQL Server Membership Provider in the Web Configuration File......Page 647
Step 7 – Configure the SQL Server Role Provider and Enable It in WCF......Page 648
Step 8 – Create the User and Assign Roles......Page 649
Step 9 – Implement a Custom HTTP Module Class That Derives from IHttpModule to Authenticate Users with the SQL Server Membership Provider......Page 650
Step 11 – Implement a Class that Derives from IAuthorizationPolicy......Page 653
Step 13 – Configure Security Settings in IIS......Page 655
Step 14 – Implement Authorization Checks on Your Service......Page 656
Step 16 – Add a WCF Service Reference and Web Service Reference to the Client......Page 657
Step 17 – Test the WCF/ASMX Client and WCF Service......Page 658
Additional Resources......Page 659
Objectives......Page 660
Step 1 – Create a User Store for the SQL Server Membership Provider......Page 661
Step 2 – Grant Access Permission to the WCF Service Process Identity......Page 662
Step 5 – Configure the Virtual Directory to Require SSL......Page 663
Step 6 – Configure wsHttpBinding for Username Authentication and TransportWithMessageCredential Security......Page 664
Step 7 – Configure the Service to Publish Metadata Securely......Page 665
Step 8 – Configure the Membership Provider for Username Authentication......Page 666
Step 12 – Test the Client and WCF Service......Page 668
Additional Resources......Page 669
Overview......Page 670
Step 2 – Configure the WCF Service to Use wsHttpBinding with Windows Authentication and Message Security......Page 671
Step 5 – Test the Client and WCF Service......Page 672
Additional Considerations......Page 673
Deployment Considerations......Page 674
Additional Resources......Page 675
Overview......Page 676
Step 2 – Create a Sample WCF Service Project with SSL......Page 677
Step 4 – Configure wsHttpBinding for Windows Authentication and Transport Security......Page 678
Step 5 – Configure the Service to Publish Metadata Securely......Page 679
Step 7 – Add a WCF Service Reference to the Client......Page 680
Additional Resources......Page 681
Articles......Page 682
Channel9......Page 683
Documentation......Page 684
Posts......Page 687
Samples......Page 688
Web Casts......Page 689