We have a Windows service with a TCP binding. It uses the transport security mode and the client credential type is Windows. The service is inside a domain.
Now we want to call this service from an ASP.NET application running on IIS which is not part of the domain. We don't need user impersonation. What is the most secure way to enable this sort of communication?
This is a pretty standard situation: the web server is in a DMZ and I would like to know how to set up secure communication with the WCF backend services.
I expect that it will not work. You cannot use the Windows client credential type if you want to consume the service outside of your domain. You must use Certificate (or None, but that means no authentication). The difference is that Windows client credentials will create a stream secured with SSPI, whereas Certificate and None client credentials will create a stream secured with an SSL certificate. In the case of Certificate client credentials each client will be identified by its own certificate (= you need one for your IIS server).
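The configuration the answer describes, as an added example that is not part of the original post: a NetTcpBinding in transport mode switched from Windows to Certificate client credentials, with the backend presenting its own certificate and validating the DMZ web server's client certificate. The host name `backend.internal`, the certificate subject names, the port and the `IBackendService` contract are assumed placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IBackendService { [OperationContract] string Ping(string msg); }

public class BackendService : IBackendService { public string Ping(string msg) => "pong:" + msg; }

public static class TcpCertSetup
{
    // Transport security over net.tcp. TcpClientCredentialType.Windows would require SSPI
    // (Kerberos/NTLM) and therefore a domain relationship; Certificate works across the DMZ boundary.
    public static NetTcpBinding CreateBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        binding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // Backend (domain) side: present the service certificate and require a trusted client certificate.
    public static ServiceHost OpenBackend()
    {
        var host = new ServiceHost(typeof(BackendService), new Uri("net.tcp://backend.internal:8733/"));
        host.AddServiceEndpoint(typeof(IBackendService), CreateBinding(), "svc");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "backend.internal");
        // PeerTrust: only client certificates explicitly placed in TrustedPeople are accepted,
        // so the single IIS server certificate is whitelisted instead of "anything a CA signed".
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        host.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.Online;
        host.Open();
        return host;
    }

    // IIS (DMZ, non-domain) side: authenticate with the web server's own certificate and pin the
    // expected DNS identity of the backend so a different certificate on the wire is rejected.
    public static IBackendService CreateClient()
    {
        var address = new EndpointAddress(new Uri("net.tcp://backend.internal:8733/svc"),
            EndpointIdentity.CreateDnsIdentity("backend.internal"));
        var factory = new ChannelFactory<IBackendService>(CreateBinding(), address);
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "dmz-web01");
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        return factory.CreateChannel();
    }
}
```

The IIS application pool identity needs read access to the private key of the `dmz-web01` certificate, and the backend's `TrustedPeople` store must contain that certificate for PeerTrust to succeed.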