2
votes

i have a WCF service with wsHttpBinding which my clients are my windows application and my website. both those clients are consumer of the my service. in the my service, i used a Message security and UserName clientCredentialType for clients authentication. i do not want use any certificate for this authentication. how do i? or you suggest to me other solution for this sake?

2

2 Answers

3
votes

WsHttpBinding message security with UserName client creadentials demands server certificate. The only option is to use Windows client credentials but in such case your client and service must be in the same AD domain (or trusted domains). If you want to secure message (encrypt and sign) you need such infrastructure.

Edit:

Based on your comment you don't need message security, you only want to use UserNameToken profile to transport client credentials over insecured channel. This is possible in WCF 4 (and in older versions with special KB). Try this custom binding:

<customBinding>
  <binding name="UsernamePasswordOverHttp">
    <textMessageEncoding messageVersion="Soap11" />
    <security
      authenticationMode="UserNameOverTransport"
      messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
      allowInsecureTransport="true" />
    <httpTransport />
  </binding>
</customBinding>

Be aware that there can be some problem with autogenerating WSDL for such service.

Edit 2:

Another possibility is to use ClearUserNameBidning.

1
votes

thanks for your example. i used your example but i received this error:

The Scheme cannot be computed for this binding because this CustomBinding lacks a TransportBindingElement. Every binding must have at least one binding element that derives from TransportBindingElement.

and other my question: for this solution i use from which project type in VS2010? a WCF Service Library in project or a WCF Service website. which one?

thank you for your answers.