6
votes

Is it possible to have transport security without authentication? I'm well aware of its flaws but atm I can't install a certificate at the client side. It seems I can set WSHttpBinding.SecurityMode to Transport and the ClientCredentialType to HttpClientCredentialType.None, but when I try to call the service I get this exception:

An error occurred while making the HTTP request to https://[MyService]. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.

I don't think it's a mismatch of the security binding between the client and the server because I'm using a proxy generated by svcutil.

Why's it looking for a server certificate if I've set the ClientCredentialType to None?

3
In addition to my answer below, there are other hurdles if you are hoping to rely on something like an ISA server to perform your HTTPS encryption, rather than the IIS server that hosts your webservice. If that is your requirement, that might be best to go into a fresh question. David Hall

3 Answers

6
votes

You can have HTTPS communication without authentication, but you cannot have HTTPS communication without certificates, since HTTPS encryption uses certificates.

There are a few things to check:

  1. Can you access the WSDL or another resource on the site over HTTPS in a browser?
  2. Do you get any warnings about the certificate when doing so?

If you can't access the WSDL or another resource on the site over HTTPS, then HTTPS isn't configured on the server.

If you get warnings about the certificate, then you don't have a certificate that the client will trust. There are three options here: one is to get a valid certificate from somewhere like Verisign that will be trusted, the other is to install the certificate in a trusted part of the user's store (which you can't do as you mentioned), and the final is to turn off the certificate revocation in the client's WCF configuration.

1
votes

What you have set up looks correct for what you want.

I think that the problem relates to the difference between the certificate needed to ensure transport level security (HTTPS) and any certificate needed for authentication.

To perform transport level security you need to configure a certificate for the IIS server to use for its encryption. This is in no way used to identify parties in the WCF communication, just to secure the communication. (The certificate used for this HTTPS transport is also used to identify the server, but that isn't related to WCF identity.)

Here is a link to a blog post explaining how to set up a certificate in IIS for this purpose. Not necessarily the best Google has to offer, just the first I found that covered all the important points. MSDN should cover this in detail too.

0
votes

I had the error you describe even though the security mode was set to transport and client credential type was set to none.

This was due to the fact that my web service URLs had been created by the Visual Studio 2010 service reference creator as http://www.myservice.com:80/myservice.asmx with a specific port 80. When I changed this to http://www.myservice.com/myservice.asmx the binding worked correctly.
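
The checks from the first and third answers, combined into a client-side sketch. This is an added example, not code from the question or any of the answers. It builds the binding the question describes, confirms the endpoint address uses the scheme that binding expects, and reports how the client judges the server certificate while leaving validation switched on. The `IMyService` contract, the `Ping` operation and the `service.example.test` address are placeholders.

```csharp
// Added example: IMyService, Ping and the endpoint address are placeholders.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.ServiceModel;

[ServiceContract]
public interface IMyService                      // hypothetical contract
{
    [OperationContract] string Ping();
}

public static class TransportOnlyClient
{
    // HTTPS transport security with no client credential, as in the question.
    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        return binding;
    }

    // Performs a TLS handshake and returns the policy errors the client sees.
    // An IOException or SocketException here means nothing is answering TLS on that port.
    public static SslPolicyErrors ProbeServerCertificate(string host, int port)
    {
        var seen = SslPolicyErrors.None;
        using (var tcp = new TcpClient(host, port))
        using (var tls = new SslStream(tcp.GetStream(), false,
            (sender, cert, chain, errors) => { seen = errors; return errors == SslPolicyErrors.None; }))
        {
            try { tls.AuthenticateAsClient(host); }
            catch (AuthenticationException) { /* 'seen' already records why the certificate was rejected */ }
        }
        return seen;
    }

    public static void Main()
    {
        var address = new Uri("https://service.example.test/MyService.svc"); // placeholder
        var binding = CreateBinding();

        // A Transport-mode WSHttpBinding reports the scheme "https".
        if (address.Scheme != binding.Scheme)
            throw new InvalidOperationException("Expected " + binding.Scheme + "://, got " + address.Scheme + "://");

        Console.WriteLine("Certificate check: " + ProbeServerCertificate(address.Host, address.Port));

        var factory = new ChannelFactory<IMyService>(binding, new EndpointAddress(address));
        Console.WriteLine(factory.CreateChannel().Ping());
        factory.Close();
    }
}
```

A result of `None` means the client trusts the server certificate; `RemoteCertificateNameMismatch` or `RemoteCertificateChainErrors` points to the certificate on the server as the cause rather than the binding.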