WCF security TransportWithMessageCredentials with WsHttpBinding

Question

I have my site ( https:// example.com). This is an internet app

1. User can register from the above site-- Completed
2. Register user will get a Email and will have a lick to download a Windows Client( WPF or Windows Form client) – Completed
3. This WPF or Windows form client will consume WCF( deployed in internet) which is hosted on example.com. I am internally passing UserName and Pwd in Message body.—Completed

Now what I need to know is how to implement Security at message level and transport level.

1. The Client request should be encrypted at message level
2. WCF server response should be encrypted at message level
3. Communication between Client and server should be SSL

I have gone through from msdn.microsoft.com/en-us/library/ff648902.aspx

1. How to: Use wsHttpBinding with Username Authentication and TransportWithMessageCredentials in WCF Calling from Windows Forms
2. How to: Use Username Authentication with the SQL Server Membership Provider and Message Security in WCF Calling from Windows Forms
3. How to: Use Certificate Authentication and Message Security in WCF Calling from Windows Forms

After reading above I am confused which one I need to use. Please suggest which one is the best option for my scenario to meet my above three security conditions

If I use TransportWithMessageCredential s do I see encryption at message level and transport level both?

Answer 1

TransportWithMessageCredentials is an encryption/security option used when your WCF web service box is fronted by a load balancer, or reverse proxy, that is performing the SSL/HTTPs encyption work.

In a "normal" situation, where your WCF web service box lies within the logical DMZ, the encryption and client authentication check by the WCF host is done in a single step, and the "bare" request content (unencrypted and without client auth credentials) gets processed by your service.

However, if you've using a load balancer or reverse proxy that's performing the encryption (a good idea for many reasons), using "normal" transport encryption would deliver to your WCF web service a message WITHOUT the client authentication credentials.

So what TransportWithMessageCredentials does is it preserves, inside the message body, the client authentication credentials so that, after the RP/LB has decrypted your message, your WCF web service can in a second step process your client authentication request.

Follow? Basically, if you're using an F5 load balancer, or some reverse proxy, to encrypt/decrypt your messages before they're processed by WCF web service, you need TransportWithMessageCredentials. No load balancer or reverse proxy, no need for TransportWithMessageCredentials.

Hopefully that clarifies things.