I am using WCF to develop a client-server application. The WCF service is secured using a digital certificate. I am using Message security since I require the client to supply a Membership username/password with any call to the server. The server is hosted by a windows service. I have installed Certificate Services on the production server and used it to create the server authentication digital certificate.
The server’s digital certificate uses sha1 as a hash algorithm with a 1024-bits public key.
The client WCF proxy is generated by Visual Studio (via Add Service Reference). In my client I am using a singleton instance of the WCF proxy.
The problem is that the application’s performance is terrible on my production server (a dedicated cloud server and my local machine acting as a client) when security mode of WCF is set to “Message” or “TransportWithMessage”.
The application is running very fast on my local machine and on my production server when the server and client is on the same machine. This rules out any performance issues related to SQL queries.
To compare performance with and without security. I have used the following operations:
Operations:
- Check Login Credentials: a test function that is called, if an security exception is returned then the credentials are incorrect.
- Get List: a function that returns a list of 11 (EF DbContext) entities.
- Get Record by ID: returns a single entity with some of its “single-multiplicity” navigation properties loaded.
I used WireShark to record the duration and size of data for service calls to these operations. I have repeated the tests for wsHttpBinding with security, netTcpBinding with security, and netTcpBinding without security, here are the results:
The duration for any operation when the client and server is on the same machine is always less than a second.
This is the configuration file of the WCF Server: you will notice I have two bindings and two behaviors, one for secure communication and the other for insecure communication.
<?xml version="1.0"?>
<configuration>
<connectionStrings>
<add name="HS" connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=HS;Integrated Security=True" providerName="System.Data.SqlClient"/>
<add name="HSContext" connectionString="metadata=res://HS.Model/Model.csdl|res://HS.Model/Model.ssdl|res://HS.Model/Model.msl;provider=System.Data.SqlClient;provider connection string="data source=.\SQLEXPRESS;initial catalog=HS;integrated security=True;multipleactiveresultsets=True;App=EntityFramework"" providerName="System.Data.EntityClient" />
</connectionStrings>
<system.web>
<compilation debug="true" targetFramework="4.2"/>
<authentication mode="Forms">
<forms name=".HSYAUTH" loginUrl="~/Account/LogOn" cookieless="UseCookies" protection="All" slidingExpiration="true" timeout="2880"/>
</authentication>
<machineKey validationKey="..." decryptionKey="..." validation="HMACSHA256" decryption="AES"/>
<membership defaultProvider="SqlMembershipProvider" userIsOnlineTimeWindow="15" hashAlgorithmType="SHA256">
<providers>
<clear/>
<add applicationName="HS" name="SqlMembershipProvider" connectionStringName="HS" passwordFormat="Hashed" minRequiredNonalphanumericCharacters="0" minRequiredPasswordLength="6" maxInvalidPasswordAttempts="5" enablePasswordReset="true" enablePasswordRetrieval="false" passwordAttemptWindow="10" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" type="System.Web.Security.SqlMembershipProvider"/>
</providers>
</membership>
<profile>
<providers>
<clear/>
<add name="SqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="HS" applicationName="HS"/>
</providers>
<properties>
<add name="WebSettingsTestText" type="string" readOnly="false" defaultValue="DefaultText" serializeAs="String" allowAnonymous="false"/>
</properties>
</profile>
<roleManager enabled="true" defaultProvider="SqlRoleProvider">
<providers>
<clear/>
<add connectionStringName="HS" applicationName="HS" name="SqlRoleProvider" type="System.Web.Security.SqlRoleProvider"/>
<add applicationName="HS" name="WindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider"/>
</providers>
</roleManager>
</system.web>
<system.serviceModel>
<services>
<service name="HS.Services.HS" behaviorConfiguration="SecureServiceBehavior">
<host>
<baseAddresses>
<add baseAddress="net.tcp://0:808/Services/HS.svc"/>
</baseAddresses>
</host>
<endpoint address="" binding="netTcpBinding" contract="HS.Services.IHS" bindingConfiguration="SecureBinding">
<identity>
<dns value="{my server ip address}"/>
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="SecureServiceBehavior">
<serviceMetadata/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<serviceCertificate findValue="CN={my server ip address}" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>
<clientCertificate>
<authentication revocationMode="NoCheck"/>
</clientCertificate>
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="SqlMembershipProvider"/>
</serviceCredentials>
<serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="SqlRoleProvider"/>
<serviceThrottling maxConcurrentCalls="128" maxConcurrentSessions="128" maxConcurrentInstances="128"/>
</behavior>
<behavior name="InsecureServiceBehavior">
<serviceMetadata/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="SqlMembershipProvider"/>
</serviceCredentials>
<serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="SqlRoleProvider"/>
<serviceThrottling maxConcurrentCalls="128" maxConcurrentSessions="128" maxConcurrentInstances="128"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="SecureBinding" receiveTimeout="00:10:00" sendTimeout="00:10:00" closeTimeout="00:10:00" maxReceivedMessageSize="2147483647" maxBufferPoolSize="20000000" portSharingEnabled="false">
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
<readerQuotas maxDepth="32" maxArrayLength="200000000" maxStringContentLength="200000000"/>
</binding>
<binding name="NoSecureBinding" receiveTimeout="00:10:00" sendTimeout="00:10:00" closeTimeout="00:10:00" maxReceivedMessageSize="2147483647" maxBufferPoolSize="20000000" portSharingEnabled="true">
<security mode="None">
</security>
<readerQuotas maxDepth="32" maxArrayLength="200000000" maxStringContentLength="200000000"/>
</binding>
</netTcpBinding>
</bindings>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
</system.serviceModel>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5"/>
</startup>
</configuration>
and this is the configuration file of the WCF client:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_IHS" receiveTimeout="00:10:00" sendTimeout="00:10:00" closeTimeout="00:10:00" maxReceivedMessageSize="2147483647" maxBufferPoolSize="20000000" portSharingEnabled="false">
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
<binding name="NetTcpBinding_IHS_Insecure" receiveTimeout="00:10:00" sendTimeout="00:10:00" closeTimeout="00:10:00" maxReceivedMessageSize="2147483647" maxBufferPoolSize="20000000">
<security mode="None">
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.tcp://{my server ip address}:808/Services/HS.svc" binding="netTcpBinding"
bindingConfiguration="NetTcpBinding_IHS" contract="ServiceReference.IHS"
name="NetTcpBinding_IHS">
</endpoint>
</client>
</system.serviceModel>
</configuration>
I have been struggling with this issue since a week without any notable progress. Is WCF with security slow? or is there anything wrong I am doing?
If you are concerned about speed, consider using transport security only. Message body encryption will be much slower than securing the entire channel.