How To: WCF with Transport Security+Server Cert Auth. WITHOUT Client Cert

Tags: .net, ssl, wcf, wcf-security, x509

Am I correct in understanding that a WCF Service could be set up with "Transport Security" + "Certificate Authentication" and without a "Client Certificate" installed client side?

My scenario would be:

  • WCF Services on Remote Server
  • Windows Forms Client shipped potentially to hundreds of users (authenticates users (against DB) and performs actions over WCF service methods)

I want my messages encrypted over SSL, that is why I have selected the "Transport" method and I believe why I also need the server certificate.

I have followed a walkthrough which gave me all of the above but included the necessity of having a client certificate installed. If I am shipping this Windows Forms app to clients, how could they install the certificate if I was forced to require this? It really seems like I'm missing a big point here, as I would think installing a certificate to a user's machine would be quite a big ask.

PS. Potentially from what I am reading here, am I over-complicating my task at hand? Do I just need an SSL certificate installed into our web server and simply access the WCF service via HTTPS and possibly be able to just use basicHttpBinding? Effectively not needing to worry about 'certificate authentication' mechanisms?

Best Answer

You don't need a client certificate; it's simply SSL. If you're using IIS to host the service, this is a no-brainer: just install the cert. Message level security gets a little bit more tricky, but you should be okay on the SSL cert.

If you use basicHttpBinding you won't need to shut off authentication; by default WSHttpBinding turns on message level authentication, which you can shut off in the web config by setting Authentication mode (I believe) to none. Go with basic if you just need SSL. If you want SSL and perhaps Windows Authentication, then go with WSHttpBinding.
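
The setup discussed above, as an added web.config example that is not part of the original answer: HTTPS with a server certificate only, shown for both bindings the answer mentions. The service and contract names (`MyApp.OrderService`, `MyApp.IOrderService`) and the binding and behavior names are hypothetical; the server certificate itself is bound to the HTTPS site in IIS, not in this file.

```xml
<!-- Added example; MyApp.* and the binding/behavior names are hypothetical. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- mode="Transport" means the endpoint is reachable over HTTPS only. -->
      <binding name="httpsNoClientCert">
        <security mode="Transport">
          <!-- None: the service asks for no client certificate and no
               Windows credential; only the server presents a certificate. -->
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </basicHttpBinding>
    <wsHttpBinding>
      <!-- wsHttpBinding defaults to message security with Windows
           credentials, so the override has to be written out. -->
      <binding name="wsHttpsNoClientCert">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="MyApp.OrderService" behaviorConfiguration="httpsOnly">
      <!-- Swap binding/bindingConfiguration to use the wsHttpBinding variant. -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="httpsNoClientCert"
                contract="MyApp.IOrderService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="httpsOnly">
        <!-- Publish metadata over HTTPS only and keep stack traces out of faults. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

With `clientCredentialType="None"` every caller is anonymous to WCF, so the database login described in the question has to be checked by the service methods themselves. The client still validates the server certificate chain by default, so the certificate must be issued by a CA the users' machines already trust.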
