Patterns and Practices: WCF Security Guidance available online

The Microsoft Patterns and Practices team has published a guide to WCF security. You can find more information at the root site.


Reliable Messaging and SecurityToken validation

One of the things that has come up many times is how a service can stop a client from retrying a request after a legitimate security validation error while Reliable Messaging is enabled. If you are not familiar with the situation, the essence of the problem is this: the binding on the service has Reliable Messaging…


Handling Mismatched Trust Versions on the Client

A federation client may find itself talking to a service and an STS that do not use the same WS-Trust version. The service WSDL can contain a RequestSecurityTokenTemplate whose Trust elements are in a different version from the one the STS speaks. In these cases a WCF client will convert the Trust elements received from the service’s RequestSecurityTokenTemplate…


Security element and "actor" attribute

SOAP 1.1 defines an “actor” attribute that can appear on any SOAP header block to indicate which node is the intended processor of that header. It also defines a standard URI value for this attribute, “”, which means that the header is intended for the very first SOAP application that…


Updated Re-Serialize SAML token

There has been a lot of interest around this, so I have attached some code listings to this post. Check it out!


Using Visual Studio IntelliSense to Edit WCF Configuration Files

If you are using Visual Studio 2005, here is how to enable IntelliSense for editing your WCF config files. Copy the attached WCF configuration schema file to the Xml\Schemas folder of your VS installation, %Program Files%\Visual Studio 8\Xml\Schemas. You will find DotNetConfig.xsd in the same directory. Open this file in Notepad and, immediately after the xs:schema…


Daylight Saving changes and WCF Security Processing

I had a question today from a customer who was concerned that his WCF application might start to behave erratically due to the new Daylight Saving schedule. Then I realized that there has been quite some noise around this area, and people are predicting that systems will stop responding when the new Daylight Saving schedule goes into…


Asymmetric tokens and Mixed-Mode Security

When you use an X.509 certificate as the client authentication token in Mixed-Mode Security, WCF signs the ‘To’ header in addition to the Timestamp. This is to prevent a client-spoofing attack by a rogue service. Consider the situation where the client does not sign the ‘To’ header and sends the…
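The following is an added example, not code from the original post or from WCF, that shows why the ‘To’ header has to be under the client’s signature. It models a SOAP envelope as a dictionary of header and body parts, and uses an HMAC over the signed parts as a stand-in for the client’s X.509 signature (the rogue service is assumed not to hold the key, just as it would not hold the client’s private key). The addresses, the timestamp and the body are constructed sample data. A rogue service that legitimately received the message re-addresses it to a second service and forwards it: with ‘To’ unsigned the second service accepts it, with ‘To’ signed the forwarded copy fails verification.

```python
"""Signature coverage of the WS-Addressing 'To' header (added example, constructed data)."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Stand-in for the client's private key: an HMAC key that only the client holds.
CLIENT_KEY = b"constructed-client-signing-key"

ROGUE = "https://rogue.example/svc"    # constructed: the service the client actually calls
VICTIM = "https://bank.example/svc"    # constructed: the service the rogue forwards to


def _canonical(parts: dict, signed_parts: tuple) -> bytes:
    """Canonical byte form of exactly the parts the signature covers."""
    return json.dumps({name: parts[name] for name in signed_parts}, sort_keys=True).encode()


def sign(parts: dict, signed_parts: tuple, key: bytes = CLIENT_KEY) -> dict:
    """Return an envelope whose signature covers exactly signed_parts."""
    sig = hmac.new(key, _canonical(parts, signed_parts), hashlib.sha256).hexdigest()
    return {"parts": dict(parts), "signed_parts": signed_parts, "signature": sig}


def build_request(to: str, sign_to_header: bool) -> dict:
    """Client side: sign Timestamp and Body, and 'To' only if sign_to_header is set."""
    created = datetime(2007, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    parts = {
        "To": to,
        "Timestamp": {"Created": created.isoformat(),
                      "Expires": (created + timedelta(minutes=5)).isoformat()},
        "Body": "<GetBalance account='12345'/>",
    }
    signed = ("Timestamp", "To", "Body") if sign_to_header else ("Timestamp", "Body")
    return sign(parts, signed)


def rogue_forward(envelope: dict, victim: str) -> dict:
    """Rogue service: it cannot re-sign, so it rewrites 'To' and forwards the
    original signature unchanged, hoping 'To' was not covered by it."""
    forged = {"parts": dict(envelope["parts"]),
              "signed_parts": envelope["signed_parts"],
              "signature": envelope["signature"]}
    forged["parts"]["To"] = victim
    return forged


def service_accepts(envelope: dict, my_address: str, key: bytes = CLIENT_KEY) -> bool:
    """Receiving service: verify the signature over the parts it claims to cover,
    then require that the message is addressed to this service."""
    expected = hmac.new(key, _canonical(envelope["parts"], envelope["signed_parts"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]):
        return False
    return envelope["parts"]["To"] == my_address


def forwarded_request_accepted(sign_to_header: bool) -> bool:
    """Run the scenario: client -> rogue -> victim. True means the attack worked."""
    original = build_request(ROGUE, sign_to_header)
    if not service_accepts(original, ROGUE):       # the rogue itself receives a valid message
        raise RuntimeError("client message should verify at its real destination")
    return service_accepts(rogue_forward(original, VICTIM), VICTIM)


if __name__ == "__main__":
    print("To unsigned, forwarded copy accepted:", forwarded_request_accepted(False))
    print("To signed,   forwarded copy accepted:", forwarded_request_accepted(True))
```

The check at the receiver is deliberately two-part: a valid signature alone proves only that the client signed something, and the address comparison alone is trivially satisfied by a rewritten header; the message is safe only when the signature binds the address.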


WCF Security Modes

WCF supports three types of security: Transport Security, Mixed-Mode Security and Message Security. Let’s discuss the various security modes below. Transport Security is applied to the transport byte stream, below the message layer. The message has no Security header and carries no user authentication data. It is the…


Security Header Layout

There are four different security header layouts that can be specified in WCF. The values are defined in WS-SecurityPolicy. They are:
Strict – All security tokens are defined in the security header before their first use. The primary signature should be specified before any endorsing signatures.
Lax – All elements inside the security header can…
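As an added example (not code from the original post or from WCF), the two Strict rules quoted above, applied to a constructed, simplified model of a security header. A real WS-Security header is XML and WCF applies the layout when it serialises and parses the header; here each element is a small dictionary, tokens carry an id, and a signature names the token whose key produced it and, for an endorsing signature, the signature it endorses. The checker walks the header once, which is exactly what the Strict ordering makes possible.

```python
"""Check a security header against the Strict layout rules (added example, constructed data)."""
from typing import Dict, List

# Element model (constructed for this example):
#   {"kind": "Token", "id": ...}
#   {"kind": "Signature", "id": ..., "key_ref": <token id>, "endorses": None | <signature id>}
# "endorses" is None for the primary signature.


def check_strict(header: List[Dict]) -> List[str]:
    """Return the Strict-layout violations in header order; an empty list means compliant."""
    violations: List[str] = []
    defined_tokens = set()
    primary_seen = False
    for pos, el in enumerate(header):
        if el["kind"] == "Token":
            defined_tokens.add(el["id"])
        elif el["kind"] == "Signature":
            # Rule 1: a token must be defined before the first element that uses it.
            if el["key_ref"] not in defined_tokens:
                violations.append(
                    f"element {pos}: signature {el['id']} uses token {el['key_ref']} "
                    f"before it is defined")
            # Rule 2: the primary signature precedes every endorsing signature.
            if el["endorses"] is None:
                primary_seen = True
            elif not primary_seen:
                violations.append(
                    f"element {pos}: endorsing signature {el['id']} appears before "
                    f"the primary signature")
        else:
            violations.append(f"element {pos}: unknown element kind {el['kind']!r}")
    return violations


# Constructed headers: the same four elements in a Strict order and in a Lax order.
STRICT_HEADER = [
    {"kind": "Token", "id": "client-cert"},
    {"kind": "Token", "id": "endorsing-cert"},
    {"kind": "Signature", "id": "sig-1", "key_ref": "client-cert", "endorses": None},
    {"kind": "Signature", "id": "sig-2", "key_ref": "endorsing-cert", "endorses": "sig-1"},
]

LAX_HEADER = [
    {"kind": "Signature", "id": "sig-2", "key_ref": "endorsing-cert", "endorses": "sig-1"},
    {"kind": "Signature", "id": "sig-1", "key_ref": "client-cert", "endorses": None},
    {"kind": "Token", "id": "client-cert"},
    {"kind": "Token", "id": "endorsing-cert"},
]


if __name__ == "__main__":
    for name, header in (("strict", STRICT_HEADER), ("lax", LAX_HEADER)):
        print(name, check_strict(header) or "compliant")
```

A receiver that requires Strict can verify while it reads: every key is already in hand when a signature arrives, and the primary signature is already verified when an endorsing signature is checked. With Lax the same elements are all present, but a one-pass reader would have to buffer the header and resolve references afterwards.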