TransportWithMessageCredentials - I need to know who is knocking on my door.
The point to be noted here is that even though the security facts of comminication like integrity and confidentiality is taken care of by the transport we might not get enough information from the client as to "Who are you?". Now for this case you need to add in some credentials about the clients.
It is exactly for this that the security mode of transport with message credentials might come in handy. Now when using SSL for security, mostly for IIS hosted apps you might require to send the user credentials, windows identity,username etc. This basically can be achieved by specifying the binding as follows.
<wsHttpBinding>
<!-- configure wsHttp binding with Transport security mode
and clientCredentialType as None -->
<binding name="Binding1">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Windows"/>
<transport clientCredentialType="None"/>
</security>
</binding>
</wsHttpBinding>
The point is that there is no credentials required on the transport and the credentials can be send at the message level and WCF would actually identitify the windows credentials used and you can check the ServiceSecurityContext of the current operation context and obtain the identity of the user.
The other points to be noted in this sample https://msdn2.microsoft.com/en-us/library/ms751427.aspx that shows transport security is that the certificate has to be setup on IIS. Please not that
- PermissiveCerticificatePolicy.Encat has to happen for the process to use the sample certs that are created by the scripts and you
- the same SSL certificate has to be set up.
I have modified the sample to show 2 scenarios, one with windows credentials and the other with a custom usename validator.