The scenario is we have a WCF service that consumes methods from an internal web service that we have built.
The WCF service is very lightweight.
We want to secure this WCF service so only certain clients can consume it (it is currently sitting on a public facing server).
We do not have the ability to install certificates on this public facing server so we are wondering what the best security model to use is.
Ideally the thought was somehow it can be configured so that the client uses a certificate that the WCF service simply “passes on” to the internal web service as this is on a server we do control and the certificate authentication then happens.
Is this possible..? If not are there any other security options that we could employ..?
Thanks in advance.
I think you have to elaborate your own custom security model.
The main issue to solve is how to share a “secret key” between you and the client.
You can’t install a certificate, so you have to store the key in some other place, e.g. web.config inside section … and then distribute it in a secure way to the client.
You can use this key to sign or encrypt the message; you can also use a standard schema where the password is encrypted.
Check also if you can use some WS-Security features!!!
Moreover, check the Binding authentication and protection schemas offered by the .NET Framework.
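
One way to implement the "sign the message with a shared key" idea from the answer above, as an added example that is not part of the original thread: the client attaches an HMAC-SHA256 tag over its id, a timestamp and the body, and the service recomputes it before calling the internal web service. The class and method names, the 5-minute window and the sample key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SharedKeyMessageAuth // hypothetical helper, not a WCF API
{
    // Assumed policy: reject messages older or newer than 5 minutes.
    private static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(5);

    // Client side: tag = HMAC-SHA256(key, clientId | timestamp | body).
    public static string Sign(byte[] key, string clientId, DateTimeOffset ts, string body)
    {
        // Length-prefix the id so a different field split cannot produce the same input.
        string canonical = clientId.Length + ":" + clientId + "|" + ts.ToUnixTimeSeconds() + "|" + body;
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
    }

    // Service side: check freshness, recompute the tag, compare in constant time.
    public static bool Verify(byte[] key, string clientId, DateTimeOffset ts,
                              string body, string tagBase64, DateTimeOffset now)
    {
        if (tagBase64 == null || (now - ts).Duration() > MaxAge) return false;
        byte[] supplied;
        try { supplied = Convert.FromBase64String(tagBase64); }
        catch (FormatException) { return false; }
        byte[] expected = Convert.FromBase64String(Sign(key, clientId, ts, body));
        return FixedTimeEquals(expected, supplied);
    }

    // Comparison that does not exit early on the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample key; a real one is random and kept in protected configuration.
        byte[] key = Encoding.UTF8.GetBytes("constructed-sample-key-do-not-use");
        DateTimeOffset now = DateTimeOffset.UtcNow;
        string tag = Sign(key, "client-a", now, "<GetOrder id=\"42\"/>");
        Console.WriteLine(Verify(key, "client-a", now, "<GetOrder id=\"42\"/>", tag, now)); // untouched message
        Console.WriteLine(Verify(key, "client-a", now, "<GetOrder id=\"43\"/>", tag, now)); // body tampered
        Console.WriteLine(Verify(key, "client-a", now.AddHours(-1), "<GetOrder id=\"42\"/>", tag, now)); // stale
    }
}
```

A valid tag can still be replayed inside the accepted time window unless the service also remembers recently seen tags or nonces, and the scheme gives integrity and client authentication only, so transport encryption is still needed for confidentiality.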