Editorial Team
Asked: May 24, 2026

I’ve developed an application which starts several WCF Service which use the SecurityMode.Message to

I’ve developed an application which starts several WCF services which use SecurityMode.Message to encrypt the communication.

It’s working, but it’s very complicated, because we have to generate an SSL cert and put it in a specific store, on the server and on the client.

The problem is that the customer which will use the program:

  • Is not in a domain (in fact, the server will certainly be in a domain, but not the client)
  • Doesn’t want to buy a cert

So what is my best shot? I only need to encrypt data, I don’t need to ensure that I’m connecting to the right host.

I know I’m not in the best case, but the application will be used by some specific users.

Here is a part of my code which makes the connection:

Server side:

// Namespaces used: System, System.Configuration, System.Security.Cryptography.X509Certificates,
// System.ServiceModel, System.ServiceModel.Security
ServiceHost host = new ServiceHost(typeof(MyServiceType));
WSHttpBinding binding = new WSHttpBinding
{
    ReaderQuotas =
    {
        MaxStringContentLength = int.MaxValue,
        MaxArrayLength = int.MaxValue,
        MaxDepth = int.MaxValue,
        MaxBytesPerRead = int.MaxValue,
        MaxNameTableCharCount = int.MaxValue
    },
    MaxReceivedMessageSize = int.MaxValue
};
TimeSpan timeoutSpan = TimeSpan.FromMilliseconds(timeout);
binding.CloseTimeout = timeoutSpan;
binding.OpenTimeout = timeoutSpan;
binding.ReceiveTimeout = timeoutSpan;
binding.SendTimeout = timeoutSpan;
binding.ReliableSession.InactivityTimeout = timeoutSpan;

binding.MaxBufferPoolSize = int.MaxValue;
// Message-level security with user name/password client credentials
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
// Service certificate (with private key) looked up by subject name in LocalMachine\My
host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, ConfigurationManager.AppSettings["Hostname"]);
// Client certificates are not validated; clients authenticate with user name/password
host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
host.AddServiceEndpoint(services[port], binding, String.Format("http://localhost:{0}", port));

Client side:

string remoteAddress = String.Format("{0}://{1}:{2}", Tools.GetDescription(accessInfo.ServiceHost.Protocol), accessInfo.ServiceHost.HostName, accessInfo.PortNumber);

// avoid serialization/deserialization problems with large XMLs
WSHttpBinding binding = new WSHttpBinding();
binding.MaxReceivedMessageSize = int.MaxValue;
binding.ReaderQuotas.MaxStringContentLength = int.MaxValue;
binding.ReaderQuotas.MaxArrayLength = int.MaxValue;
binding.ReaderQuotas.MaxDepth = int.MaxValue;
binding.ReaderQuotas.MaxBytesPerRead = int.MaxValue;
binding.ReaderQuotas.MaxNameTableCharCount = int.MaxValue;
// 30-minute timeouts
TimeSpan timeoutSpan = TimeSpan.FromMinutes(30);
binding.CloseTimeout = timeoutSpan;
binding.OpenTimeout = timeoutSpan;
binding.ReceiveTimeout = timeoutSpan;
binding.SendTimeout = timeoutSpan;
binding.ReliableSession.InactivityTimeout = timeoutSpan;
binding.MaxBufferPoolSize = int.MaxValue;

// we set the security type (must match the server binding)
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;

ChannelFactory<TService> channelFactory = new ChannelFactory<TService>(binding, remoteAddress);

_service = channelFactory.CreateChannel();

Please note that I removed the part concerning my custom auth to have cleaner code.

1 Answer

  1. Editorial Team
    Added an answer on May 24, 2026 at 4:09 pm

    Your customer wants security outside of a Windows domain = your customer wants a certificate. No certificate = no security. That is what you must explain to your customer.

    You just need to have a certificate with a private key on the server, and the client must trust that certificate (it doesn’t have to install it if it trusts the publisher). What does that mean? You have three options:

    • Your customer must buy a certificate from a trusted publisher and your clients will simply work.
    • Your customer must have its own certificate authority installed which will generate the certificate, and clients must have the certificate of the authority in their trusted root authorities store (every bigger company has its own certificate authority).
    • You will use a self-signed certificate in production. This is “less secure” and not recommended. Less secure means that your client must trust the self-signed certificate and it cannot validate the certificate chain = it cannot validate that the certificate was issued by a trusted authority and it cannot validate that the certificate authority revoked a compromised certificate. In this scenario you must install the service certificate on each client – it is the only way to trust a self-signed certificate (the installation itself is actually the trust).

    That is how security works. You can build your own – you will put a big effort into that, but in the end you will still need PKI (private key infrastructure) with asymmetric encryption to make it really secure. Certificates are mostly about wrapping, storing and transferring public and private keys.
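The third option in the answer above (a self-signed service certificate installed on each client), shown from the client side as an added example that is not code from the question or the answer. It assumes .NET Framework WCF and that the public part of the certificate was imported into the client's CurrentUser\TrustedPeople store; `IMyService`, `SelfSignedClient` and the parameter names are hypothetical.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IMyService            // hypothetical contract, stands in for TService
{
    [OperationContract]
    string Ping();
}

public static class SelfSignedClient
{
    // certSubject: subject name (CN) of the self-signed service certificate, supplied by the caller.
    public static IMyService Create(Uri address, string certSubject, string user, string password)
    {
        // Fail early with a clear message if the certificate was never installed on this client.
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false, because a self-signed certificate has no chain to a trusted root.
            if (store.Certificates.Find(X509FindType.FindBySubjectName, certSubject, false).Count == 0)
                throw new InvalidOperationException("Service certificate not found in CurrentUser\\TrustedPeople.");
        }
        finally { store.Close(); }

        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        // If the certificate CN differs from the host name in the URL, state the expected identity.
        var endpoint = new EndpointAddress(address, EndpointIdentity.CreateDnsIdentity(certSubject));
        var factory = new ChannelFactory<IMyService>(binding, endpoint);

        var auth = factory.Credentials.ServiceCertificate.Authentication;
        // Weak alternative: X509CertificateValidationMode.None accepts any certificate,
        // so the client can no longer tell the real service from another host.
        auth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        auth.TrustedStoreLocation = StoreLocation.CurrentUser;
        // A self-signed certificate has no CA publishing revocation data.
        auth.RevocationMode = X509RevocationMode.NoCheck;

        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        return factory.CreateChannel();
    }
}
```

With PeerTrust the client accepts only certificates present in its TrustedPeople store, which is the "installing is the trust" behaviour the answer describes.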
