Click here to Skip to main content
15,884,986 members
Articles / Web Development / ASP.NET

6 Steps to Implement DUAL Security on WCF using User name + SSL

Rate me:
Please Sign up or sign in to vote.
4.93/5 (22 votes)
20 May 2010CPOL7 min read 113.7K   2.8K   117   12
6 steps to implement DUAL security on WCF using User name + SSL

Table of Contents

Introduction and Goal

In the article, we will try to apply DUAL security using transport plus message on WCF services. So we will first try to understand the basic concepts of WCF security, i.e., transport and message. Once we understand the concept, we will move step by step into how to implement SSL and user name security on WCF services.

In case you are a complete fresher to WCF, you can start from here.

Image 1

Basics Transport and Message Level Security

On a broader basis, WCF supports two kinds of security - transport level and message level security. Transport means the medium on which WCF data travels while message means the actual data packets sent by WCF.

Transport medium can be protocols like TCP, HTTP, MSMQ, etc. These transport mediums by themselves provide security features like HTTP that can have SSL security (HTTPS). WCF has the capability of leveraging underlying transport security features on WCF service calls.

Message level security is provided in the data itself using WS-Security. In other words, it’s independent of the transport protocol. Some examples of message level security are messages encrypted using encryption algorithm, messages encrypted using X509 certificate etc, messages protected using username, etc.

WCF gives you an option to either just use message level security in standalone, transport level in standalone or combination of both. If you are interested in how to do message level security and transport security in a standalone manner, you can read more from here.

Image 2

The best security is the combination of transport and message. In this article, we will see step by step how to implement dual security using ‘SSL’ plus message security using ‘Username’ using ‘WsHttpBinding’.

Image 3

Step 1: Customize ‘WsHttp’ Bindings with Security Mode and Credential Type

The first step is to customize your ‘Wshttp’ binding with proper security mode and credential type. There are three options in security mode ‘Transport’, ‘Message’ and ‘TransportWithMessageCredential’.

As we are implementing dual security, we need to use the last one, i.e., ‘TransportWithMessageCredential’ where the transport security is provided by SSL and message security is provided using ‘UserName and password’.

Image 4

The second thing we need to provide is the credential type. There are five different credential types - none, windows, username, certificate and issued token. Credential type defines how the credentials will be passed over the transport layer. For the current instance, we will select ‘UserName’.

So summing up, we will provide security mode as ‘TransportWithMessageCredential’ and message security will be provided by ‘UserName’.

So create a WCF service using the WCF service template and in ‘web.config’ provide the security mode and credential type as shown in the below code snippet:



<binding name="Binding1">
<!-- UsernameToken over Transport Security -->

<security mode="TransportWithMessageCredential" >
<message clientCredentialType="UserName"/>





Step 2: Create your Custom Validator Class

Once we have customized the ‘WsHttp’ binding with security mode and credential type, it’s time to create the custom class which will do authentication of the user name provided.

In order to create your custom class, you need inherit the ‘UserNamePasswordValidator’ class which belongs to ‘System.IdentityModels.Selector’.

Image 5

Below goes the code snippet of ‘MyValidator’ class. We need to override the ‘Validate’ method with the authentication logic as shown below:

class MyValidator : UserNamePasswordValidator
public override void Validate(string userName, string password)
if ((userName == "shiv123") && (password == "pass123"))
throw new FaultException("Invalid credentials");

If the credentials are not proper, we have raised the ‘FaultException’ error which can be caught by the WCF client to display error messages.

Step 3: Define Runtime Behavior

So we are almost 50% through now. We have customized the ‘WsHttp’ binding and created our custom class ‘MyValidator’ which will do the necessary authentication. The next step is to define behavior.

Behaviors’ define customized run time logic over the binding agreement. Currently we need to execute ‘MyValidator’ class logic for the ‘UserName’ provided in the WCF service by WCF client.

Image 6

To specify the behavior, go to your ‘Web.config’ file and in the ‘servicecredentials’ tag, specify the ‘userNameAuthentication’ tag which points to the custom class ‘MyValidator’.



<userNameAuthentication userNamePasswordValidationMode="Custom" 
	customUserNamePasswordValidatorType="MyValidator, app_code"/>


Step 4: Define SSL for your WCF Service

We have already mentioned transport security will be provided by SSL while message security will be provided by ‘username’. We have already configured ‘UserName’ message security using ‘MyValidator’ class which is specified in the behavior section of ‘web.config’ file. The next step is to configure SSL, i.e., transport security for our WCF service.

We will be using ‘makecert.exe’ which is a free tool given by Microsoft to enable HTTPS for testing purpose. MakeCert (Makecert.exe) is a command-line tool that creates an X.509 certificate that is signed by a system test root key or by another specified key. The certificate binds a certificate name to the public part of the key pair. The certificate is saved to a file, a system certificate store, or both.

You can get the same from “C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin” or you can also get it from Windows SDK.

You can type the below thing through your DOS prompt on “C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin”. Please note “compaq-jzp37md0” is the server name so you need to replace with your PC name.

makecert -r -pe -n "CN= compaq-jzp37md0 " -b 01/01/2000 
-e 01/01/2050 -eku -ss my -sr 
localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

If you run the same through your command prompt, you should get a succeeded message as shown below:

Image 7

Now it’s time to assign this certificate to your IIS website. So go to IIS properties, click on directory security tab and you should see server certificate tab.

Image 8

So click on the server certificate tab and you will then be walked through an IIS certificate wizard. Click ‘Assign an existing certificate’ from the wizard.

Image 9

You can see a list of certificates. The “compaq-jzp37md0” certificate is the one which we just created using ‘makecert.exe’.

Image 10

Now try to test the site without ‘https’ and you will get an error as shown below… That means your certificate is working.

Image 11

Do not forget to enable IIS anonymous access.

We also need to make a couple of changes in the WCF service ‘Web.config’ ‘endpoint’ section as shown below. You can see how the address points to HTTPS and binding uses ‘mexHttpsBinding’.

<service name="Service" behaviorConfiguration="ServiceBehavior">

<endpoint address=https://localhost/Service.svc 
binding="wsHttpBinding" contract="IService" bindingConfiguration="Binding1">

<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>


Step 5: Consume WCF Service

It’s time to consume WCF the service application. So click on add service reference and specify your service URL. You will be shown a warning box as shown in the below figure as the certificate is a test certificate. So just let it go.

Image 12

The next step is to create WCF proxy client object and pass the credentials as shown in the below snippet:

ServicePointManager.ServerCertificateValidationCallback = 
	new RemoteCertificateValidationCallback(IgnoreCertificateErrorHandler);
ServiceReference1.ServiceClient obj = new ServiceReference1.ServiceClient();
obj.ClientCredentials.UserName.UserName = "shiv123";
obj.ClientCredentials.UserName.Password = "pass123";

makecert.exe’ creates test certificates. In other words, it’s not signed by CA. So we need to suppress those errors in our ASP.NET client consumer. So we have created a function called as ‘IgnoreCertificateErrorHandler’ which returns true even if there are errors. This function is attached as a callback to ‘ServicePointManager.ServerCertificateValidationCallback’ as shown in the above code snippet.

public static bool IgnoreCertificateErrorHandler
	(object sender, X509Certificate certificate, X509Chain chain, 
	SslPolicyErrors sslPolicyErrors)
return true;

Step 6: Run your WCF Service

If everything goes appropriately, you should be able to run the WCF service. Try changing the use rid and password to something else you should get the fault exception message provided in the ‘MyValidator’ class.

Image 13

My Other WCF Articles

  1. WCF FAQ Part 5 – Transactions
  2. WCF Tracing FAQs
  3. 8 steps to enable windows authentication on WCF BasicHttpBinding
  4. Difference between BasicHttpBinding and WsHttpBinding
  5. 9 simple steps to enable X.509 certificates on WCF
  6. 7 simple steps to enable HTTPS on WCF WsHttp bindings
  7. 6 Steps to Enable Transactions in WCF
  8. WCF FAQ Part 5 – Transactions
  9. 4 steps to enable instrumentation in WCF
  10. WCF FAQ Part 3 – 10 security related FAQ
  11. Windows Communication Foundation FAQ quick starter Part 1
  12. Windows Communication Foundation FAQ quick starter Part 2


  • 20th May, 2010: Initial post

For further reading do watch the below interview preparation videos and step by step video series.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Written By
India India

Comments and Discussions

SuggestionTitle is misleading Pin
Amir125471-Jul-14 3:49
Amir125471-Jul-14 3:49 
QuestionWithout Certificate? Pin
hulinning5-Oct-12 10:48
hulinning5-Oct-12 10:48 
QuestionGetting There was no endpoint listening Pin
Code Addictive25-Jun-12 17:01
Code Addictive25-Jun-12 17:01 
QuestionDUAL Security on WCF using User name + SSL Pin
vivek A S15-Mar-12 0:13
vivek A S15-Mar-12 0:13 
GeneralQuestion Pin
Alireza_136220-Feb-11 7:13
Alireza_136220-Feb-11 7:13 
QuestionClient in local network can't access to wcf service? Pin
HamidMoghadam13-Nov-10 5:55
HamidMoghadam13-Nov-10 5:55 
AnswerRe: Client in local network can't access to wcf service? Pin
HamidMoghadam13-Nov-10 18:01
HamidMoghadam13-Nov-10 18:01 
GeneralWCF Security With Custom Userid and Password Pin
Member 21559279-Jun-10 21:44
Member 21559279-Jun-10 21:44 
GeneralAnother Nice one Pin
Kunal Chowdhury «IN»21-May-10 18:39
professionalKunal Chowdhury «IN»21-May-10 18:39 
GeneralNice...I was struggling with Wshttp Security , you saved my night Pin
jaswinderkil21-May-10 5:09
jaswinderkil21-May-10 5:09 
GeneralNice! Pin
Marcelo Ricardo de Oliveira21-May-10 4:17
Marcelo Ricardo de Oliveira21-May-10 4:17 
GeneralAnother useful one Pin
Rajesh Pillai21-May-10 4:03
Rajesh Pillai21-May-10 4:03 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.