WCF Security Concepts

Security Concepts

WCF has two types of security options

1. Transport Security – Secures the entire communication channel(SSL/TLS)

2. Message Security – Secures each message individually

WCF key security features

1. Auditing – Wcf provides effective logging. This is key to non-repudiation.

2. Authentication – Allows you to identify clients of your service.

3. Authorization – Determines the resources on which client has access to.

4. Confidentiality – Makes sure that data is accessed only by intended user. Achieved by encrypting the message.

5. Integrity – Ensures that data is not tampered while it is transfered. Achieved by signing the message.

Available security options of a service are determined by the bindings used.

1. BasicHttpBinding provides no security by default.

2. netTcpBinding provides transport security with windows authentication

3. wsHttpBinding provides message security with windows authentication

Transport Security

Use in following scenarios

1. Sending message from application directly to WCF Service and not routed through intermediate systems.

2. Both service and client are located in intranet.


1. Provides interoperability

2. Better performance


1. Security is applied point to point

2. Limited set of credentials compared to message security

3. Dependent on underlying platform

Message Security

-Use in following scenarios

1. Message will be routed through


1. It provides end to end security

2. It provides partial message encryption thereby improving the performance

3. Message security is transport independent and hence can be used with any transport protocol

4. It supports wide set of credentials


1. Low performance compared to transport security

2. Does not support interoperability with older asmx clients

Protection levels

1. None – Disables message protection

2. Sign – Sign but doesn’t encrypt message. Should be used when data integrity is important

3. Encrypt and Sign – Signs and encrypt message.


string GetData(int value);


The service and client need to be in same domain when using windows authentication.

1. None: WCF does not authenticate the client.

2. Basic: Available with HTTP protocol only. The client is authenticated by using username password against active directory. The username password are sent in clear text.

3. NTLM: Avaliable with HTTP protocol only. The client is authenticated by uisng challenge response scheme against windows account.

4. Windows: Used NTLM or Kerberos authentication mechanism.

5. Certificate: Client is authenticated by using a certificate.

Setting up security mode

    <binding name="wsHttpEndpointBinding">
      <security mode="Transport">
    <binding name="wsHttpEndpointBinding">
      <security mode="Message">


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s