WCF’s netTCPBinding is “secured by default”. As I understand it this means that..
- Callers are authenticated using their windows credentials.
- Messages are signed
- Messages are encrypted.
However, I can set up a very basic WCF client service set up on my localhost. The authentication will work as its on the same machine, but how does the signing and encryption work?
WCF needs a certificate to sign and encrypt messages. If I dont have a certificate then how does my service manage to work? How does the message – even just going to the same machine get signed and encrypted.
Thanks.
By default the NetTcpBinding uses Transport security, with the default characteristics you list.
Signing and encryption of messages in this context does not mean the same thing as in Message security. Rather it means that all the packets of data sent over the network transport are signed and encrypted. This does not rely on certificates. It is done by security providers installed in the operating system on the sending and receiving machines, invoked via SSPI (Security Support Provider Interface) – the same mechanism involved, for example, when a domain credential is used to access some resource such as a file on a different machine on the network.
Before any application data is sent on a connection, the binding orchestrates an SSPI handshake between the sender and receiver, specifying the
Negotiatesecurity package (this chooses either NTLM or Kerberos as the actual security protocol, depending on the capabilities of the respective host machines). Security tokens are exchanged over the connection as part of this handshake, at the end of which the two sides’ security providers will have agreed session keys for use in the signing and encryption of the ensuing application messages.