
WCF Security - Https and Anonymous Authentication

We have a service that is currently using basicHttpBinding. We have the flexibility to convert it to netTcpBinding. While deploying it in IIS 7, we are using Anonymous authentication. The service is accessed by a website hosted in IIS in the same network.

Our client raised a concern about anonymous authentication and he doesn't want unwanted users (in the office network) to use it. The point is people can create their own sample website and consume the service.

Suppose I am using Transport Credential Type as "Certificate", will it meet my requirement? I.e., can only users having the client certificate access the service? Can you direct me to any article that explains how to implement it?

<endpoint address=""
binding="basicHttpBinding"

I have referred to the following: http://msdn.microsoft.com/en-us/library/ms731092.aspx

Note: The consuming website in IIS uses Windows Authentication: Enabled, ASP.NET impersonation: Enabled

Thanks

My suggestion is to convert to netTcp and use certificate authentication. Share the certificate only with the website which accesses the web service. The link below will help you to achieve certificate security in WCF:

http://www.codeproject.com/Articles/36683/9-simple-steps-to-enable-X-509-certificates-on-WCF

The simplest solution can be to use HTTP headers and put some auth key in the headers when the client makes the request. On the server, check the request headers for the auth key. If the key is not found, fault the service. Check this post, which explains how to add headers while creating the proxy of the service.

Suggestion

You can remove the metadata endpoint (mex) and set httpGetEnabled to false; this way nobody will be able to create a proxy of the service.

Hope this helps you.
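
Added example, not part of the original posts: a web.config sketch of what the question asks about, keeping basicHttpBinding but switching it to HTTPS with a required client certificate, combined with the metadata lockdown suggested in the second answer. The service name Example.OrderService, the contract Example.IOrderService and the binding and behavior names are hypothetical placeholders.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Before: no <security> element, which defaults to mode="None"
             (plain HTTP, any caller on the network is accepted). -->
        <binding name="certOverHttps">
          <!-- After: TLS at the transport layer; the caller must present
               a client certificate during the handshake. -->
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="lockedDown">
          <!-- No WSDL over HTTP or HTTPS; also omit any mex endpoint. -->
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
          <!-- Do not leak stack traces to callers in fault messages. -->
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <!-- Hypothetical service and contract names. -->
      <service name="Example.OrderService" behaviorConfiguration="lockedDown">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="certOverHttps"
                  contract="Example.IOrderService" />
      </service>
    </services>
  </system.serviceModel>
  <system.webServer>
    <security>
      <!-- IIS side: require SSL and require a client certificate.
           This section may need unlocking in applicationHost.config. -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security>
  </system.webServer>
</configuration>
```

Requiring a certificate only establishes that the caller holds some certificate the server trusts, so the service still needs to restrict access to the website's own certificate, for example with IIS client certificate mapping or a custom ServiceAuthorizationManager. Disabling metadata hides the contract from casual proxy generation but is not an access control on its own.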
