I’m going around in circles with regards to WCF and security, so I’m listing some questions here in order to gain a clear picture.

1. I’m interested in getting a better explanation of Transport vs Message level security.

2. I think I have a service running under SSL that will authenticate the user based upon their windows credentials. I also think I understand how to limit access to a service method via the PrincipalPermission. But how do I actually retrieve the current IPrinciple, so I can return different results dependent upon who’s calling the service?

3. I have figured out how to turn tracing on and I can see my trace logs using "Microsoft Service Trace Log Viewer" but ill be damned if I can figure out what Im being displayed. Is there a decent resource explaining how to use this thing?

4. When using the "Certificate" clientCredentialType, is this something different to SSL?

5. When using the "Windows" clientCredentialType how can I see what windows user is being passed through?

6. My requirements mean I have to use basicHttpBindings – Am I correct in assuming:

• I only have Transport level security available to me?
• I can not implement custom username/password for this binding?

Edit

7. How can I add custom SOAP headers to my service in a similar manor to .asmx services? Is this a valid approach?

Edit

Further to the above questions I would like to know if it is possible to authenticate a windows mobile device based upon its windows user by checking against Active Directory. For all that I have found so far it seems unlikely.

N.B. For those who do not know what’s available for Windows CE’s version of WCF it’s: Transport level security only, and either none/certificate for the Client Credential Type. So it seems that CE’s WCF won’t allow this by default but could I securely send this information in the message (via the method signature) and would this be an acceptable way of sending this kind of information?