A simple WCF service with username password authentication: the things they don’t tell you

The WCF framework is gigantic. It offers such an enormous number of possibilities that it is easy to get completely lost. For our scenario we needed just a small, basic subset. Our application provides a set of services which are consumed by a diversity of clients, and each client has to say who it is by providing a custom username and password. There are loads of documents and manuals to be found on the web, but I didn’t find anything that gave me the complete story. Most of them take all kinds of sidesteps into other parts of the rich WCF framework, things we didn’t need at all, while the things we needed to get our stuff to work were either omitted or only mentioned briefly in a comment.

This post tries to tell the full story. It will keep quiet about all the noise from other cool, but unneeded, features. The information is assembled from a rich variety of material on the web and from the error messages produced by the WCF framework itself. The latter are often quite to the point and provide a lot of essential information. This post is just a kind of cookbook recipe; I don’t claim to understand every detail and would appreciate any comment that further clarifies them.

The service

The service is an ASP.NET service, hosted by IIS and configured in the system.serviceModel section of the web.config.

  <system.serviceModel>
    <services>
      <service behaviorConfiguration="FarmService.CustomerDeskOperationsBehavior" name="FarmService.CustomerDeskOperations">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="RequestUserName" contract="FarmService.ICustomerDeskOperations">
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
      </service>
    </services>
    <!-- the <bindings> and <behaviors> sections shown below go here -->
  </system.serviceModel>

The endpoint address is the root of the IIS site in which the service is hosted. To use username authentication you need to use wsHttpBinding. The service’s functionality is described in the ICustomerDeskOperations contract.

In the binding you specify the credential type as username.

<bindings>
  <wsHttpBinding>
    <binding name="RequestUserName">
      <security mode="Message">
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

In the service behavior you set up how the username is going to be validated.

<behaviors>
  <serviceBehaviors>
    <behavior name="FarmService.CustomerDeskOperationsBehavior">
      <serviceMetadata httpGetEnabled="true"/>
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="FarmService.Authentication.DistributorValidator, FarmService"/>
        <serviceCertificate findValue="Farm" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

The username is validated by custom code: the FarmService.Authentication.DistributorValidator class in the FarmService assembly. This class inherits from the WCF class UserNamePasswordValidator and overrides its Validate method.

using System.IdentityModel.Selectors;   // UserNamePasswordValidator
using System.IdentityModel.Tokens;      // SecurityTokenException
using System.ServiceModel;              // FaultException

public class DistributorValidator : UserNamePasswordValidator
{
    // WCF calls this for every incoming message, before the service method runs.
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Username and password required");

        var repository = new DistributorRepository();

        // Any exception rejects the call; returning normally accepts it.
        if (!repository.IsKnownDistributor(userName, password))
            throw new FaultException(string.Format("Wrong username ({0}) or password ", userName));
    }
}

The method checks the incoming username and password against a repository and throws an appropriate exception when they are not accepted. This is entirely custom code. As long as you don’t throw an exception, the service invocation is accepted.
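As an added example (not the post’s own code), here is a validator in the same shape as DistributorValidator that stores only salted PBKDF2 hashes of the passwords, compares them in fixed time, and returns the same fault for an unknown user and a wrong password. HashedDistributorStore and HardenedDistributorValidator are hypothetical names; the config would point customUserNamePasswordValidatorType at the latter.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;

// Hypothetical replacement for DistributorRepository: a store of salted
// PBKDF2 password hashes, so the service never keeps clear-text passwords.
public sealed class HashedDistributorStore
{
    private const int SaltBytes = 16, HashBytes = 32, Iterations = 100000;
    private readonly Dictionary<string, Tuple<byte[], byte[]>> _entries =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);

    // Registers a user: fresh random salt, hash derived from password and salt.
    public void Add(string userName, string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        _entries[userName] = Tuple.Create(salt, Derive(password, salt));
    }

    // Returns true only when the user exists and the password matches.
    public bool Verify(string userName, string password)
    {
        Tuple<byte[], byte[]> entry;
        bool known = _entries.TryGetValue(userName, out entry);
        // Unknown user: still derive against a dummy salt so the response time
        // does not reveal whether the user name exists.
        byte[] salt = known ? entry.Item1 : new byte[SaltBytes];
        byte[] expected = known ? entry.Item2 : new byte[HashBytes];
        byte[] actual = Derive(password, salt);
        return FixedTimeEquals(actual, expected) & known;
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Compares every byte regardless of where the first difference is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class HardenedDistributorValidator : UserNamePasswordValidator
{
    // Assumption: the store is filled elsewhere (for instance at application start).
    public static readonly HashedDistributorStore Store = new HashedDistributorStore();

    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Username and password required");

        if (!Store.Verify(userName, password))
        {
            // One message for both cases: the fault text reaches the client,
            // so it must not say which part was wrong.
            throw new FaultException("Unknown username or wrong password");
        }
    }
}
```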

So far this could have been a copy of many a story on the web, except for one detail which is absolutely essential. For username password authentication to work, the server hosting the service needs an X509 certificate: with message security the client uses the service’s certificate to protect the message that carries the username and password. Without it all service invocations fail. This certificate is specified in the service behavior.

<serviceCertificate findValue="Farm" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>

First you need a certificate. Instead of buying one (which is bound to a specific server address and thereby as good as useless for testing purposes) you can create your own. The .NET framework comes with tools to generate these and there are several tutorials on how to use them. Far easier is SelfCert, a Pluralsight tool which takes care of the whole process in a couple of clicks.

What they don’t tell you here is that you have to run the tool as administrator, otherwise it crashes most ungracefully. The tool is also unclear about where to store the generated certificate. By default it is stored in the My (Personal) store. When the certificate is validated, its trustworthiness depends on the store it is in. When that store is not trusted, chain validation is started. Instead of setting up a chain of certificates you can also store your certificate directly in a trusted store.

[Screenshot: SelfCert settings]

With these settings the certificate is stored in a trusted location. The name and location match the settings in the service behavior.

Troubles don’t end here. After a while, for example when logging in the next time, the service host starts complaining that it cannot find the private key of the certificate, with a “Keyset does not exist” error message. What happens is that the service no longer has the access rights to read the certificate’s private key. What helped me was explicitly setting rights on the certificate’s private key file.

[Screenshot: SelfCert2, private key file permissions]

Here I am using a blunt axe by just allowing everybody read rights on the certificate’s private key file. I’m no security expert but I am aware this is absolutely not the way to do things. But hey, I only want to build a service, never asked for this certificate stuff and the only thing I want to do here is get that out of the way in the development process.
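Instead of giving everybody read access, the private key file can be opened to just the account that runs the service. The following is an added example, not part of the original post: it locates the certificate the service behavior refers to (subject “Farm” in LocalMachine\TrustedPeople), finds the file that holds its CSP private key and adds a read rule for one account only. The class name and the application pool account "IIS AppPool\FarmService" are assumptions; run it once as administrator.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ServiceCertificateKeyAccess
{
    // Grants Read on the private key file of the named certificate to a
    // single account, instead of to Everyone. Returns the key file path.
    public static string GrantReadOnPrivateKey(string subjectName, string account)
    {
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly is false so a self-signed development certificate is found too.
            var matches = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false);
            if (matches.Count == 0)
                throw new InvalidOperationException("No certificate with subject " + subjectName);
            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key: " + subjectName);

            // Legacy CSP keys of a machine certificate live in the MachineKeys
            // directory, in a file named after the unique key container.
            // (CNG keys are stored elsewhere and are not handled here.)
            var rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null)
                throw new InvalidOperationException("Private key is not a CSP RSA key");
            string keyFile = Path.Combine(
                Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                @"Microsoft\Crypto\RSA\MachineKeys",
                rsa.CspKeyContainerInfo.UniqueKeyContainerName);

            // Add exactly one allow rule; existing rules (SYSTEM, Administrators) stay.
            var file = new FileInfo(keyFile);
            FileSecurity acl = file.GetAccessControl();
            acl.AddAccessRule(new FileSystemAccessRule(account, FileSystemRights.Read, AccessControlType.Allow));
            file.SetAccessControl(acl);
            return keyFile;
        }
        finally
        {
            store.Close();
        }
    }

    public static void Main()
    {
        // Assumed application pool name; "IIS AppPool\<name>" is the virtual
        // account IIS runs the pool under.
        string path = GrantReadOnPrivateKey("Farm", @"IIS AppPool\FarmService");
        Console.WriteLine("Read access granted on " + path);
    }
}
```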

Now the service is ready to be consumed by a client.

The client

To consume this service, add a service reference in the client. The mexHttpBinding in the service configuration makes it possible to read all metadata from the service without any credentials.

Setting up the connection to the service requires some fiddling. Again, not all of these settings are clear by default.

using System;
using System.ServiceModel;

// The DNS identity must match the subject name of the service certificate ("Farm").
var endPoint = new EndpointAddress(new Uri(Farm.FarmUrl), EndpointIdentity.CreateDnsIdentity("Farm"));

// Mirror the service side: message security with UserName credentials.
var binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

var result = new CustomerDeskOperationsClient(binding, endPoint);
result.ClientCredentials.UserName.UserName = Farm.FarmUserName;
result.ClientCredentials.UserName.Password = Farm.FarmPassword;

First we need an endpoint. This is assembled from the URL in the client’s configuration, here the constant Farm.FarmUrl. For the custom username authentication to work, the endpoint also needs an EndpointIdentity. According to the sparse MSDN documentation this is there to prevent phishing. That the identity was needed, and that its parameter had to be the certificate’s subject name, was suggested by the WCF error messages.

The security is set up to match the security settings we have seen in the service. Both the username and the password are set in the UserName property of the ClientCredentials.

Wrapping up

This is it. Now our service and clients are talking. But it took far too much effort to find the right settings. Their number is not large, but all of them turned out to be essential. Finding the right ones was a process of endlessly weeding out all the sidesteps. I hope this will help you to get it done a little faster.

<Update>

The many useful comments and the possibilities they offer are summarized in this sequel. All the unclear points in this post are clarified there. Be sure to read it.

</Update>

  • Madhu Nair

    Thank You very much for this easy-to-use post!!!!!

  • PeterGekko

    Is it stated in the requirements how Pepe got his certificate and where/how he stores it? Instead of diving into custom binding it could be more productive to analyse and question that. And perhaps end up with a more standard WCF implementation. Despite all the tools you don’t want to spend all of your time on WCF internals :)

  • Pepe Marino

    You are right Peter. The requirements handed down would read like this story: Pepe authenticates and he is using his certificate. I think that the provided binding classes support one or the other and if I really wanted to implement something like that would need to derive from CustomBinding and bake my requirements into my own binding.

    Going along with the things they do not tell you is that if one enables tracing the log can be viewed with a log viewer. I was viewing the log with Notepad++, then made a mistake while loading it into Notepad++ and double clicked it instead of dragging, and the viewer popped up to my surprise. It is pretty new and it ships with WCF but I did not read that anywhere! …or I did not look hard enough I guess.

  • PeterGekko

    The combination of username and certificate sounds strange to me. Like a cert instead of a password ? To assure the cert belongs to a certain person it could be stored in the personal cert store of the given user. Or provided with any other device which is known to belong to that owner.

  • Pepe Marino

    Peter, in my wsHttpBinding I am using TransportWithMessageCredential & ClientCredentialType == Certificate. It works and I am able to validate my cer. Have you heard of the scenario where the client credential type should be UserName and Certificate? The idea is to authenticate the entity using the certificate and validate that the certificate is the right one.

  • PeterGekko

    Thank you :)

  • Johan

    Thanks. I got my first WCF service using wshttp working, and published on a server connected to the internet. Without this,
    I would not have been able to succeed!

  • bob macleod

    Thanks for taking the time to answer. You have saved me a lot of time.

  • PeterGekko

    AFAIK nothing much has changed. The VS code generated is usually quite hard to modify and doesn’t cover “non-standard” scenarios. Like the one described in this post.

  • Bob Macleod

    Thanks for the very useful article. I am just about to begin the process of wiring up a wcf client/server connection, so being as this is now November 2013, I thought I’d just ask if the information in this article is still up-to-date, in case some of it has become unnecessary due to improvements in the .NET Framework or in the way Visual Studio writes nice code for you in the background. So if you indicate that i still need to follow these steps to succeed, I am going to launch the boat and give it a try!

  • aspatdisqus

    Oks got it, thank you so much :)

  • PeterGekko

    That’s a repository for distributors. (Domain model)
    Replace it with your store of username password combinations.

  • aspatdisqus

    Where is DistributorRepository() class in .NET? I searched it on MSDN but was unable to find it there.

  • PeterGekko

    Most likely something is wrong in your configuration. Check your web.config.

  • manoj kumar

    Hi, I tried your example, but I was not able to run it. When I run my web service I am prompted with a login dialog; after entering the credentials (as per the validation code written in the custom validator function), I’m not able to see my WCF service details page, which usually used to come up when no authentication was used. So can you help me out with what I’m missing?

  • Andrezalimaa

    great post…

  • http://www.facebook.com/people/Phung-Quang/100003619925813 Phung Quang

    Great editor

    wedding party restaurant

  • Karamurat0555

    Good article, but it could be more efficient by giving the “reference list” needed to run the code. For example, to use the UserNamePasswordValidator class you need to add both references below:
    using System.IdentityModel;
    using System.IdentityModel.Selectors;

  • M S Ansari123

    Great post..

  • http://www.bantayso.com/ thiet ke web

    that’s all i need. let’s keep up your work.^^

  • Carlo Matriano

    Thanks. I read the 2nd sequel and saw the difference of transport and message. So I tried to make the security mode to be Transport, and I get another exception, which I guess is progress. :) My question is, do I set the clientCredentialType to be Certificate? When I do so I assume it will follow the attributes set at the serviceCertificate node. Thanks again.

  • Anonymous

    That looks like to be exactly what is needed. Working with username/password security you are securing the message itself. Instead of relying on secure transport (https).

  • Carlo

    that’s what I have guessed, but I have tried a lot of things already and checked line by line. :) Any advice on what part of the config I have to focus on to narrow my search? The only thing I guess that I have not done is move security mode=”Message” to transport…

  • Anonymous

    That’s web.config hell :(
    Check the web.config’s on your server to find out what’s missing…

  • Carlo Matriano

    Good article. It works for me at my development machine, however when I deploy to our test servers with SSL, I get the
    Could not find a base address that matches scheme http for the endpoint with binding WSHttpBinding. Registered base address schemes are [https]
    exception. Would you have ideas or direction on how I would work around this?

  • http://www.bantayso.com/tim-kiem/tag/cong+ty+seo cong ty seo

    I suggest changing adding the word “message security, certificates” to the title, I had to do this the hard way too, I was looking for a free ssl tool when stumbled upon this post. It would’ve been much less painful if I found it when started!

  • Polo

    Awesome post.

    Helped me a lot. Keep up the good work.

  • http://twitter.com/CTSNI CTS-NI.COM

    Great Post. With the help of articles like this and a few others, I got up and running in just a couple of days from scratch, in what I now believe might have cost me a month. Much Appreciated. Hoping some day I can pass forward the knowledge…

  • Anonymous

    Did you read the sequel of this post?
    In the end it’s not that complicated

  • Charlie Barrett

    It’s times like this that I long for a good old client/server Winforms app, where the only thing remote is the SQL Server.

    I’ve spent 2 months trying to figure out this security mess... and what a mess it is – first 75% of the time mixing up all the different Microsoft security schemes of the month and wondering why all the examples seem to contradict each other.

    I’ve read about this WCF stuff all day (only today did I discover it) and still can’t figure out what to do.

    I’m very tempted to just roll my own weak encryption minus the certificate mess, using timestamps appended to them so they’re never the same like we did in the 1980s, and just compare the usernames & passwords myself in code.

  • Anonymous

    The first post in this series starts with the raison d’etre of this kind of authentication. To summarize:
    - SSL does not guarantee the whole trajectory between client and server app. As you say yourself, you have an unencrypted clear text password in your soap header. You cannot guarantee this soap header to be hidden from prying eyes before it enters and after it leaves the secure connection.
    - SSL just does not work in Cassini. You don’t want to setup and maintain a local IIS just because you need to test using https instead of http.

    It is somewhat of a PITA to work with username/password authentication. I hope my posts make clear it is not as difficult as it seems.

  • Andy

    Hi all, can someone explain why most of these examples use X509 certificates, and what advantage they give you?
    My experience of working with certificates is that it’s like pulling teeth. Instead, I develop WCF services using “TransportWithMessageCredential” (SSL) security as I’m conscious that the username and password is passed in the SOAP message as clear text, so using SSL should secure this from snooping. Or am I missing something? What does X509 give you?

  • http://www.guardsecurity.ca Emergencey Response

    Really WCF framework is gigantic?

  • http://twitter.com/DriesHoebeke dries hoebeke

    Thanks a lot for this post. It was very helpful :-)

  • http://twitter.com/tevest tevest

    Great post

  • Anonymous

    What are you missing ?

  • Nupur

    Thanks once again. I know I am becoming a bit more greedy, but could you please provide me the sample or any example for implementing the same.

  • Anonymous

    You can only do that provided both methods are a member of the same service and that service supports sessions.
    It’s far easier to store the username – password combination in the client code and add it to the service request. As explained in the post. And that will only work as long as each service accepts the same username password combination.

  • Nupur

    First of all thanks for the reply sir. But I want to correct myself: in my previous post I mistakenly mentioned calling another service; instead my need is to call another method of the same service without re-authentication. Could you help me with this and please provide step by step guidance on how to do it?

  • Anonymous

    Good day to you,

    A service is usually stateless, that is it does not associate one invocation with a previous one and requires supplying the credentials every time.
    Which does not prevent you from caching the credentials in your client software after the user has entered them once.

  • Nupur

    Hello Sir,
    I have done till here and everything is working fine but my need is to prevent re-authentication of client for subsequent service calls as the client is already authenticated for the initial service call,he should provide access rights for subsequent service calls without re-authentication…..

  • Pingback: A simple WCF service with username password authentication: the … | Retrieve Password

  • http://codebetter.com/members/pvanooijen/default.aspx pvanooijen

    The link in your comment is broken: this should be the right one:

    http://www.codeproject.com/KB/WCF/wcfcertificates.aspx

    The problem with the certificate store I describe here can quite easily be fixed with the Windows HTTP cert tools

    as described in the sequel on this post:

    http://codebetter.com/blogs/peter.van.ooijen/archive/2010/04/09/a-simple-wcf-service-with-username-password-authentication-the-things-you-told-me.aspx

  • Wil

    Here is a good article on using certificates without a certificate store. Although it has config classes for loading the client and server certificates from the file system, I actually use the certificate store for the service host machine and I load the client certificate from the file system using the code from this article. http://www.codeproject.com/KB/WCF/wcfcertificates.aspx

  • http://codebetter.com/members/pvanooijen/default.aspx pvanooijen

    hi,

    1. The service has to be running. Can be done by selecting “View in Browser” on .svc

    2. Easiest way is to run makecert again on the server. Else check for the administration of certificates on the server. This is an IT management issue.

    3. Don’t worry, no work needed here :)

  • aaav

    Hello,
    I am testing the WCF service and client locally.
    1) How do I find the address at which the web service is hosted locally? I tried address=”http://localhost/MyService.svc” and I get an error that there is no endpoint listening there.
    2) Once I get this working, and am ready to move to the server... how do I make the certificate on the server (test certificate)? I used makecert locally.
    3) When the certificate is there on the server... how does the client get that? Do I have to export the certificate from the server to the client? Please explain.

  • http://www.clickssl.com Cheap SSL

    I am adequate coz i am accepting all the answers of my questions after allurement here.

    Thanks for this excellent sharing.
    Keep it up!

  • http://w3mentor.com ram

    thank for this wcf article. will use it on http://w3mentor.com

  • http://www.ssllogic.com/ SSL Certificates

    a long discussion is going on, I am enjoying coz I am getting all the answers to my questions without asking here. Cheers.

  • http://codebetter.com/members/pvanooijen/default.aspx pvanooijen

    Looks like the default endpoint, as imported when adding the service reference, binds to a version of the service which can be consumed without credentials. Perhaps your old version of the service is still floating around ?

  • cav

    Got it working (typo in the config). However I’ve noticed that if you use the override for the service that doesn’t provide the binding and endpoint, it still works. i.e. instead of

    var result = new CustomerDeskOperationsClient(binding, endPoint);
    result.ClientCredentials.UserName.UserName = Farm.FarmUserName;
    result.ClientCredentials.UserName.Password = Farm.FarmPassword;

    you can just use

    var result = new CustomerDeskOperationsClient();

    doesn’t this negate the whole point? Or have I done something wrong?

  • cav

    OK, I had a nice little WCF service app running and tried to lock it down with this article.
    After following all the steps, my Service is no longer being found when I try to add a Service Reference. Where do I even start debugging this?

  • cav

    Found it. If you type into the combos of SelfCert it gives the error. you have to pick from the list instead.

  • http://codebetter.com/members/pvanooijen/default.aspx pvanooijen

    That should have been part of this
    http://codebetter.com/blogs/peter.van.ooijen/archive/2010/04/09/a-simple-wcf-service-with-username-password-authentication-the-things-you-told-me.aspx

    as well.

    SelfCert shines but the exception handlings just sucks :( It does come with sourcecode. Be their guest :)

  • cav

    Anyone else getting the good ol’ “object reference not set to an instance of an object” while running self-cert? I’m running in Windows 7 (as admin).

  • http://codebetter.com/members/pvanooijen/default.aspx pvanooijen

    I don’t think setting an attribute on the methods will work. You have to get past the Validate method first.

    Custom headers with username password ? Why would you want to do that ? Sounds like reinventing the WCF wheel. And it makes switching to another mode of authentication/authorization very hard.

    What we do is catch the user credentials in the validate method and use them where needed in the implementation of the service.

  • Henning

    That doesn’t sound too good to me.

    What I initially planned to do was to use a custom Authenticate attribute that I put on the webservice methods and validate the credentials there. The bad thing about this is that I have to make my own custom header message, such as Username and password.
    Is this something you would do in my case?

  • http://codebetter.com/members/pvanooijen/default.aspx pvanooijen

    Validate is called just before anything else. So the configuration will not be right yet. I bumped into the same issue myself. What I did was fire off the configuration in my Validate method. Which will not work in your case, as your intention is to inject an implementation. Chicken and egg..

    I can imagine this being pretty hard. From a hacker’s perspective it might be interesting to do just that. WCF is pretty hard to hack. So hard it is pretty hard to use as well :)

  • Henning

    Thanks for your answer. I got it to work, but hit a rather boring snag.

    As far as I can tell, the Validate method is called before pretty much everything. That poses a problem with my Unit of work. We use nhibernate and in our webclient it automatically saves failed attempts and locks the account after X number of failed attempts.
    When I try to do something similar with your solution my unit of work hasn’t been initialized yet, and therefore does not save the User.

    My current Unit of work solution creates a class that inherits from IInstanceProvider and Commits the session on ReleaseInstance. However, when the validation fails, i.e. an exception is thrown, the method is never called. In fact, GetInstances is not called as well.

    Do you have a solution for this?
    If I can’t find a solution to this I have to find another way, like using an Attribute.

  • http://codebetter.com/members/pvanooijen/default.aspx pvanooijen

    Same problem, it’s client side

  • Adrian

    You can get rid of the certificate if not needed using this:
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    // Accepts every server certificate, so the client no longer checks who it is talking to.
    ServicePointManager.ServerCertificateValidationCallback += HandleCertificationCheck;

    public static bool HandleCertificationCheck(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        return true;
    }

  • http://codebetter.com/members/pvanooijen/default.aspx pvanooijen

    @Yaron
    AFAIK you set that property on the client. For the service to be hosted in a webserver, “Show in browser” on the svc, the webserver still needs to be able to read the certificate. Which does not free me from the ugly fiddle.

    @Henning.
    Why not ? It’s just a piece of code like any other other.

  • Henning

    Is it possible to inject a validation service in the constructor of the DistributorValidator?

    We use dependency injection almost everywhere, Jimmy Bogard style, and would preferably not use Service location in the Validator.

  • http://webservices20.blogspot.com/ Yaron Naveh

    In development I think it is best to set certificateValidationMode to false.

    As for CUB, the main motive was actually interoperability with non Wcf clients / servers, as some natively allow clear user / pass. If you expect unknown Wcf clients I agree you should stick to plain vanilla.

  • http://codebetter.com/members/pvanooijen/default.aspx pvanooijen

    Thanks Yaron.
    I was naive in hoping I could keep the client unaware of the CUB class. Except from the name in the config. As we will also have 3rd party customers, who will create their own clients, I don’t want to introduce them to more than “plain vanilla WCF”.

    I don’t have a big problem with a (bought) certificate in the production environment. My only real problem with real certificates is that they are bound to a specific URL. And that makes it a problem in development.

    The problem with SSL is that it (AFAIK) doesn’t work with Cassini. And it introduces a configuration maintenance complexity in production. We will have internal and external clients.

    For now I will stick to plain http with a fiddled certificate in development and a straightforward one in production.

  • http://ornatsky.blogspot.com Dmitry Ornatsky

    @pvanooijen, you could use makecert to create SSL certificate for development env.

    http://www.codeproject.com/KB/WCF/WCFSSL.aspx

  • http://webservices20.blogspot.com/ Yaron Naveh

    You should instantiate the class ClearUsernameBinding. Anyway if this is important for you to be able to work w/o x.509 I can help you with it – I have a lot of experience with Wcf security.
    BTW the way to debug Wcf security issues is by turning on the Wcf trace on the service. In many cases it will give you extremely useful analysis.

  • http://codebetter.com/members/pvanooijen/default.aspx pvanooijen

    Yaron. The sample is OK.

    As you can see in the post I’m building my own endpoint from code. So I have to do my own binding as well.
    What was unclear to me is what binding type I have to instantiate. All things I tried all resulted in “There was an error with the message security”

  • http://webservices20.blogspot.com/ Yaron Naveh

    @pvanooijen – what exact error did you get with CUB? It comes with a working sample. If you try to use it with a specific server you can customize the soap version or any other setting.

  • http://codebetter.com/members/pvanooijen/default.aspx pvanooijen

    @Dmitry. I gave CUB a(nother) short spin. Again I bumped into a misunderstanding between Client and server about the protocol to be used.

    Transport security is not an option. In the production environment buying a site specific certificate is not a big problem. For development we’ll keep using this “weeded” garden.

    @Arnis: yes, it’s all about gardening :)

  • Arnis L.

    Co-worker said that certificate is not necessary if DnsIdentity is not used and this can be simplified or something. But I might have misunderstood him and it doesn’t change the whole point of the blog post anyway – using WCF is constant ‘weeding of sidesteps’.

  • http://ornatsky.blogspot.com/ Dmitry Ornatsky

    @pvanooijen ,
    And as for BasicHttpBinding part, do you really need ws-security?
    You actually can authenticate against custom users storage with basicHttpBinding, just use Transport security mode.

  • http://ornatsky.blogspot.com/ Dmitry Ornatsky

    @pvanooijen, don’t use clearUsernameBinding in scenarios like this. It’s intended to help when confidentiality and integrity is ensured in a way that WCF stack is unaware of, like, when SSL is handled by network hardware. Otherwise, you’ll end up transmitting credentials in plain text.

  • http://codebetter.com/members/pvanooijen/default.aspx pvanooijen

    Clearusernamebinding http://webservices20.blogspot.com/2008/11/introducing-wcf-clearusernamebinding.html
    is not part of the WCF framework itself. I guess it’s born out of the same kind of frustration :?

    @Szymon: the WCF custom username authentication requires wsHttpBinding. No choice..

    I think I will give clearusernamebinding a try. It sounds promising.

  • http://simon-says-architecture.com/ Szymon Pobiega

    Why are you using wsHttpBinding instead of basic one? Do you have some strong reliability-related requirements?

  • http://webservices20.blogspot.com/ Yaron Naveh

    With WCF clearUsernamebinding you can send a username without an X.509 certificate:

    http://webservices20.blogspot.com/2008/11/introducing-wcf-clearusernamebinding.html

  • http://codebetter.com/members/pvanooijen/default.aspx pvanooijen

    Having a certificate server at hand is beyond my possibilities. I have to be able to do development work on a machine detached from its home domain. For instance, working at my customer’s location.
    I don’t always have a live IIS at hand too. This works on a Cassini server. Does the SSL alternative work there ?
    If so, it sounds like an alternative for development. But SSL is no option for deployment, so that would be switching (and testing..) to the configuration (with a real trusted certificate) described. Without the fiddling :)

  • http://mynerditorium.blogspot.com Daniel Auger

    As Heather said, using SSL instead of x509 certs makes things much more straight forward. Additionally – in .NET 4.0 and 3.5 (via a hotfix), you no longer need SSL all the way to the IIS server, meaning you can do SSL at an appliance level. This ability was added via the AllowInsecureTransport property – http://support.microsoft.com/kb/971831 .

  • http://heathermclean.net/ Heather McLean

    Easier than dealing with the certificate mess, I just use TransportWithMessageCredential as the security mode. Then all you need is an SSL connection. Our QA and production environments are already set up for SSL, so no hassles there – if I have to test locally, I can set it up once for my entire IIS installation using a self-signed certificate.

  • DaRage

    WCF is stupid

  • http://johannes.hansen.name/ Johannes Hansen

    @paper1337: Sure certificates are a hassle to work with. However you can ease the pain slightly by using a certificate server which is trusted on domain members machines automatically using group policy config. This way you don’t have to distribute test/dev certs between developer machines.

  • paper1337

    And we wonder why so many developers resort to using isAdmin=true in the query string…