When Certificates are Required

I'm trying to use a username and password with message security but I'm being told that I need to have a certificate on the client or the server depending on the configuration. Is it possible to send username credentials without issuing a certificate?

A certificate is required here because, without an additional security mechanism, the password used to secure the message would be transmitted unprotected: anybody who intercepts the message on its way to the server could read it. Several configurations solve that problem by encrypting the password, and nearly all of the practical ones rely on a certificate. The most common configuration is to use transport security to protect the exchange, combined with message-level credentials. You don't have to use a certificate here, but it would rarely make sense to use username credentials if the other transport security mechanisms are available to you.

In rare cases, you may have some external way to protect the messages that WCF cannot detect. For example, you could transmit the messages over a secured network, such as a VPN. There is probably still a certificate in that case, but it is buried under other software. Although the messages are secure, WCF rejects the configuration because the transport reports itself as unprotected. To work around that problem, you can add a layered channel above the transport that overrides the ISecurityCapabilities reported by the transport channel, so that the level of protection actually in place for the message is what WCF sees.
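As an added illustration (not code from the original post), the two WSHttpBinding configurations discussed above, side by side: message security with UserName credentials, which makes WCF demand a service certificate to encrypt the password, and TransportWithMessageCredential, which sends the username token inside an HTTPS channel and so relies only on the server's TLS certificate. The contract name IEcho, the address and the credential values are constructed for the example.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical service contract used only so the ChannelFactory below compiles.
[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public static class UsernameBindings
{
    // Message-level security with UserName credentials. Nothing on the wire protects
    // the password except the message itself, so WCF requires a service certificate
    // (ServiceCredentials.ServiceCertificate on the host) before it will open the
    // endpoint; without it the configuration is rejected at channel construction.
    public static WSHttpBinding MessageSecurityBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return binding;
    }

    // Transport security (HTTPS) carries the message-level username token. The TLS
    // session protects the password in transit; no client certificate is involved
    // and the only certificate in play is the server's TLS certificate. The endpoint
    // address must use the https scheme or WCF throws when the channel is opened.
    public static WSHttpBinding TransportWithMessageCredentialBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return binding;
    }

    // Client-side wiring: the username/password are supplied through ClientCredentials,
    // never placed in the message body by application code.
    public static IEcho CreateClient(string user, string password)
    {
        var factory = new ChannelFactory<IEcho>(
            TransportWithMessageCredentialBinding(),
            new EndpointAddress("https://example.invalid/echo")); // constructed address
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        return factory.CreateChannel();
    }
}
```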

Next time: No Session Before Sending