Home/ Questions/Q 7010509
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T21:59:59+00:00

I’m a bit lost concerning WCF Server authentication… I’m writing a WCF service that

  • 0

I’m a bit lost concerning WCF Server authentication…

I’m writing a WCF service that will be accessed by multiple clients.
I want to make sure that the client apps always connect to this service and not some hoax version implementing the same ServiceContracts.

Important note: the service runs on the customer’s server and will act like some kind of authorization service, only allowing X number of clients (on other machines) to be running at same time. Therefore I don’t want this service to be bypassed by a duplicate which always allows all clients to run at the same time.

As far as I can find on the interwebs, all solutions suggest using a server certificate for the WCF service identity. But how will that stop someone from still implementing a fraudulent service on the same machine using that same certificate?

The service will run on the customer’s server, so they are able to run services on it. The service will act like some kind of authorization service, only allowing X number of clients (on other machines) to be running at same time. Therefore I don’t want this service to be bypassed by a duplicate which always allows all clients to run at the same time.

Am I missing something here (and I feel I am)?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    But how will that stop someone from still implementing a fraudulent service on the same machine using that same certificate?

    First of all if you deploy the service working with confidential data on any machine it is expected that you have control over the machine. The client mostly verifies that communication is established with trusted server and client believes that you made your best to secure the server.

    How will it stop someone to abuse your server? You will secure your server and you will put private key for certificate into correct certificate store. Only specified account running your service (and admins) will have access to that private key so malicious user will not be able to use it. Sure this expects that you trust your admins and for example that you collect all audits to be able to verify what have admins done.

    Certificate is also issued for some particular host name so if your service application has assigned it as a host header it should not be available for any other application on the same server.

    Trust with admins is usually established by some agreement with enormous penalties if confidential data are misused.

    • 0