I have created WCF and I have used wsHttpBinding and MTOM as message transport with authentcation as “Windows”.

Now my service is not current SECURE, its plain HTTP, running on custom port.

Is Windows Authentication of WCF’s wsHttpBinding secure? can anyone see the password or guess through network trace?

Environment Information:

1. Hosted on Internet
2. No Active Directory, its single server
3. Connecting from my office with server’s admin username and password
4. On the client side, Password is not mentioned in config file, it is entered at runtime. It works correctly becausing entering wrong credentials returns some sort of security exception as well.
5. Running .NET 4.0, on custom port 89, currently I have set following configuration in app.config of my custom windows service, I am hosting my WCF inside custom windows service installed as Local Service. I have enabled impersonation on each method.

Here is the app.config

  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="metaAndErrors">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
          <serviceAuthorization impersonateCallerForAllOperations="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="CustomServiceHost.CustomService"
               behaviorConfiguration="metaAndErrors"
               >
            <endpoint address="" binding="wsHttpBinding"
                  bindingConfiguration="wsHttpLargeBinding"
                  contract="CustomServiceHost.ICustomService"/>
        <endpoint address="mex" binding="mexHttpBinding"
                  contract="IMetadataExchange" />
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost:89/CustomService" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding
          name="wsHttpLargeBinding" messageEncoding="Mtom"
          maxReceivedMessageSize="2147483647">
          <readerQuotas maxArrayLength="512000"/>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>

Following is client configuration done at runtime,

        WSHttpBinding binding = new WSHttpBinding();

        binding.Security.Message.ClientCredentialType 
            = MessageCredentialType.Windows;
        binding.Security.Mode = SecurityMode.Message;

        binding.MessageEncoding = WSMessageEncoding.Mtom;

        binding.ReaderQuotas.MaxArrayLength = 512000;

        CustomServiceClient cc = new CustomServiceClient(
            binding,
            new EndpointAddress(string.Format(
                "http://{0}:89/CustomService", 
                host.ServerHost))
            );

        cc.ClientCredentials.Windows.AllowedImpersonationLevel 
            = System.Security.Principal.TokenImpersonationLevel.Impersonation; 
        cc.ClientCredentials.Windows.ClientCredential 
            = new NetworkCredential(host.Username, host.Password);

Thank you,
– Akash