
We have a Windows service with a TCP binding. It uses transport security mode, and the client credential type is Windows. The service is within a domain.

Now we want to make calls to this service from an ASP.NET application running on IIS that is not part of the domain. We don't need user impersonation. What is the most secure way to enable this sort of communication?

This is a pretty standard situation: the web server is in a DMZ, and I would like to know how to set up secure communication with the WCF backend services.

  • You could also consider using federated security, but that's a whole new world of pain you'd be signing yourself up for. If you would use federated security outside this single application, then it might be worth it, but otherwise I'd go with 2 different endpoints like Ladislav recommended below. Commented Jul 18, 2011 at 14:53

1 Answer


I expect that it will not work. You cannot use the Windows client credential type if you want to consume the service outside of your domain. You must use Certificate (or None, but that means no authentication).

The difference is that Windows client credentials will create a stream secured with SSPI, whereas Certificate and None client credentials will create a stream secured with an SSL certificate. In the case of Certificate client credentials, each client will be identified by its own certificate (= you need one for your IIS server).


2 Comments

Ladislav, do you know if the service could combine these two methods? Say, if the caller IP is IIS, then apply certificate authentication, otherwise Windows.
I believe it should simply work by exposing two different endpoints, each with its own net.tcp configuration.
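The two-endpoint approach from the comment above, written out as a service-side `app.config`. This is an added example, not code from the question or the answers; the service name, contract, host address, port and certificate subject are assumed placeholders.

```xml
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <!-- Endpoint for domain callers: credentials negotiated via SSPI (Kerberos/NTLM). -->
      <binding name="tcpWindows">
        <security mode="Transport">
          <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
        </security>
      </binding>
      <!-- Endpoint for the non-domain IIS server in the DMZ: TLS with a client certificate. -->
      <binding name="tcpCertificate">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <services>
    <!-- Assumed placeholder service and contract names. -->
    <service name="Example.OrderService" behaviorConfiguration="certBehavior">
      <host>
        <baseAddresses>
          <add baseAddress="net.tcp://backend.example.internal:9000/OrderService" />
        </baseAddresses>
      </host>
      <endpoint address="windows" binding="netTcpBinding" bindingConfiguration="tcpWindows"
                contract="Example.IOrderService" />
      <endpoint address="cert" binding="netTcpBinding" bindingConfiguration="tcpCertificate"
                contract="Example.IOrderService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="certBehavior">
        <serviceCredentials>
          <!-- The service's own TLS certificate, looked up in the machine store (assumed subject). -->
          <serviceCertificate findValue="CN=backend.example.internal" storeLocation="LocalMachine"
                              storeName="My" x509FindType="FindBySubjectDistinguishedName" />
          <!-- Client certificates must chain to a trusted CA and pass an online revocation check;
               PeerTrust with the IIS certificate placed in TrustedPeople is the alternative. -->
          <clientCertificate>
            <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The IIS application targets only the `cert` endpoint with a matching `netTcpBinding` and presents its own certificate through `<clientCredentials><clientCertificate .../></clientCredentials>`; the `windows` endpoint can be firewalled so it is reachable from the domain network only.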
