I am currently using a netTcpBinding with Windows authentication (program written in C#). I will be moving away from the domain authentication (adding new clients that won’t be on the domain) and am looking to set up a certificate security with username/pass authentication. From what I’ve been reading so far, I don’t necessarily need a client certificate (which is good; I won’t be able to install the service’s certificate on every client). My thinking is the along the same lines as navigating to a secure website with a certificate from a trusted CA; it recognizes it’s trusted and doesn’t ask any questions or give any hassle, it just accepts the certificate!

So far I have the service certificate set up (we have a wildcard cert from GoDaddy), however I can’t figure out what changes I have to make to the app.config file(s) to not require the client certificate.

Service app.config:

<serviceBehaviors>
   <behavior name="">
     <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
     <serviceDebug includeExceptionDetailInFaults="false" />
     <serviceCredentials>
       <clientCertificate>
         <authentication certificateValidationMode="None" revocationMode="NoCheck" />
       </clientCertificate>
       <serviceCertificate findValue="*.xxxxxx.com"
                           storeLocation="LocalMachine"
                           storeName="TrustedPublisher"
                           x509FindType="FindBySubjectName" />
     </serviceCredentials>
   </behavior>
 </serviceBehaviors>

Client app.config:

      <security mode="Transport">
        <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign" />
        <message clientCredentialType="UserName" />
      </security>

I’m aware I’ll have to set up a custom validator for the username portion, but I figure one step at a time. Thanks, and let me know if you need further details.