WCF Transport security with impersonation

July 24, 2015

This post shows the configuration needed to enable net.tcp transport security with impersonation in WCF.

What is transport security?

Transport security is one of WCF's transfer-security modes. It guarantees the integrity and confidentiality of service messages as they flow from application to application across the network by securing the transport channel itself (for net.tcp, the TCP connection) rather than each individual message.

What is impersonation?

Impersonation lets a service perform an action, or access a resource, under the identity of the calling user instead of its own service account, so that a resource only the impersonated user may access is checked against that user's rights. In effect, the service acts as the client while performing the action.

NOTE: Impersonation can be a potential security hole, so make sure the user being impersonated has limited rights.

What needs to be done to enable impersonation?

  1. If a web client is being used, the web site (the client) needs an identity element added to its configuration to enable impersonation for the web site.
     [image: enableImpersonation]
  2. In the configuration files for all clients and services, change the net.tcp binding to enable transport security.
     [image: enableTransportSecurity]

     1. Set the security mode to "Transport".
     2. Set the clientCredentialType to "Windows".
  3. In the configuration files for all clients, create an endpoint behaviour and assign it to the client endpoints.
     [image: EndpointBehaviour]

     1. Within the endpoint behaviour, create a clientCredentials element.
     2. Set allowedImpersonationLevel to "Impersonation".
     3. Define a clientCertificate.
     4. Define a serviceCertificate.
     5. Define the authentication to use.
  4. Now go to each client endpoint and add the client behaviour.
     [image: clientBehaviour]
  5. Create a service behaviour and define the following elements.
     [image: serviceBehaviour]

     1. Define a serviceCredentials element.
     2. Define a windowsAuthentication element.
     3. Define a serviceCertificate element.
     4. Define a clientCertificate element.
        1. Define an authentication element.
        2. Define a certificate.
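The five steps above, assembled into one client configuration and one service configuration, as an added example that is not the post's own screenshots. The binding and behaviour names (secureTcp, impersonatingClient, impersonatingService), the endpoint address, the contract and service names, and the certificate thumbprints are placeholders. The example also adds a serviceAuthorization element, which the post does not list: without it (or an [OperationBehavior(Impersonation = ImpersonationOption.Required)] attribute on each operation) the service keeps executing as its own account even though the client has permitted impersonation.

```xml
<!-- CLIENT: app.config / web.config (added example; all names are placeholders) -->
<configuration>
  <system.web>
    <!-- Step 1 (web clients only): ASP.NET runs each request as the authenticated caller,
         so the WCF call below carries the end user's Windows token, not the app pool's. -->
    <authentication mode="Windows" />
    <identity impersonate="true" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- Step 2: transport security, Windows (Kerberos/NTLM) client credentials,
             channel encrypted and signed -->
        <binding name="secureTcp">
          <security mode="Transport">
            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <!-- Step 3: the client's credentials and the impersonation level it permits -->
        <behavior name="impersonatingClient">
          <clientCredentials>
            <!-- "Impersonation" lets the service act as the caller on the service machine
                 only; "Delegation" would allow further hops and needs a separate justification -->
            <windows allowedImpersonationLevel="Impersonation" allowNtlm="true" />
            <clientCertificate findValue="PLACEHOLDER_CLIENT_THUMBPRINT"
                               storeLocation="LocalMachine" storeName="My"
                               x509FindType="FindByThumbprint" />
            <serviceCertificate>
              <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <!-- Step 4: attach the behaviour to every client endpoint -->
      <endpoint address="net.tcp://service-host:8081/Sample"
                binding="netTcpBinding" bindingConfiguration="secureTcp"
                behaviorConfiguration="impersonatingClient"
                contract="Sample.ISampleService" name="SampleEndpoint" />
    </client>
  </system.serviceModel>
</configuration>

<!-- SERVICE: app.config (added example; all names are placeholders) -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- Step 2 again: the service binding must match the client's -->
        <binding name="secureTcp">
          <security mode="Transport">
            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <!-- Step 5: service credentials -->
        <behavior name="impersonatingService">
          <serviceCredentials>
            <!-- reject anonymous (NULL session) logons; keep group SIDs in the caller's token -->
            <windowsAuthentication allowAnonymousLogons="false" includeWindowsGroups="true" />
            <serviceCertificate findValue="PLACEHOLDER_SERVICE_THUMBPRINT"
                                storeLocation="LocalMachine" storeName="My"
                                x509FindType="FindByThumbprint" />
            <clientCertificate>
              <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
              <certificate findValue="PLACEHOLDER_CLIENT_THUMBPRINT"
                           storeLocation="LocalMachine" storeName="TrustedPeople"
                           x509FindType="FindByThumbprint" />
            </clientCertificate>
          </serviceCredentials>
          <!-- Not in the post, but required for impersonation to actually happen -->
          <serviceAuthorization impersonateCallerForAllOperations="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Sample.SampleService" behaviorConfiguration="impersonatingService">
        <endpoint address="net.tcp://service-host:8081/Sample"
                  binding="netTcpBinding" bindingConfiguration="secureTcp"
                  contract="Sample.ISampleService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

Two points worth checking after applying this. First, with mode="Transport" and clientCredentialType="Windows" the channel authenticates with the caller's Windows token, so the certificate elements above are carried over from the post's steps but are not what protects the channel; they only come into play if the binding is switched to certificate credentials or message security. Second, allowedImpersonationLevel="Impersonation" is the least privilege that still lets the service act as the caller locally; it does not let the service present the caller's identity to a further server, which is the behaviour the NOTE above is warning about, and raising it to "Delegation" should be a deliberate decision rather than a default.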
