Tallan Blog

Tallan’s Experts Share Their Knowledge on Technology, Trends and Solutions to Business Challenges

WCF Security Part 1

A few months ago I was given the task of setting up security for some WCF services we had created. After a couple days of scouring the internet for ideas and solutions, I ended up purchasing a book on WCF. Although there is a lot of information on the web about WCF and what security methods are available to us as developers, the information was always incomplete, and connecting the dots wasn’t the easiest. The example below shows how we can setup message based WCF security for a service which will be accessed over the internet, although the same code could be used for an intranet application as well. The example will require both user authentication and an x509 certificate.

For our WCF service, we’re using the wsHttpBinding. This binding provides much of the same functionality as a basic web service, with added service features such as reliable messaging, WS-Addressing, and WS-Security. Since this post is mainly on setting up security for a WCF service, I won’t go into too many details of the other features of wsHttpBinding.

After creating the WCF service, open up the web.config file for the WCF Service Application project. After scrolling down for a long time, you should come across a System.serviceModel tag. This tag contains all of the configuration settings for the WCF services contained in this project. Here’s what you should be looking at now:




<!– Service Endpoints –>



Upon deployment, the following identity element should be removed or replaced to reflect the

identity under which the deployed service runs.If removed, WCF will infer an appropriate identity













<!– To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment –>


<!– To receive exception details in faults for debugging purposes, set the value below to true.Set to false before deployment to avoid disclosing exception information –>






By default, a WCF service will use the wsHttpBinding, this is what we want to continue using. We need to make a few modifications to this web.config in order to provide the additional functionality we want. First take a look at the serviceBehaviors section. By default we already have a behavior for our Service1. Here is an example of a modified behavior:

<behavior name=”WcfService1.Service1Behavior>



storeName=”Myx509FindType=FindBySubjectDistinguishedName />




There is a lot of info in this behavior pertaining to security. The first bit describes the x509 certificate we would like to use that is already installed on our machine. We can create our own test x509 certificate for development purposes if need be. We can also describe the user authentication mode, in this case we are just using Windows authentication.

The next section extends the wsHttpBinding to provide some additional features not turned on be default:





<messageclientCredentialType=”UserName />





Here we can describe the transport type, as well as the client credential type. This is fairly simple, we are using Message based transport with UserName security.

Finally we need to tie these sections together with Service1:

<service behaviorConfiguration=”WcfService1.Service1Behaviorname=WcfService1.Service1Behavior>




<dnsvalue=”ServiceCertficate />



<endpointaddress=”mexbinding=mexHttpBindingcontract=IMetadataExchange />


The only changes we made here are in the bindingConfiguration property and the dns value. The bindingConfiguration allows you to bind our binding configuration to this service, and the dns value should match the x509 certificate name.

I’ll be posting some more on this topic, including writing your own custom username validation code for WCF, and creating your own test x509 certificate. Hope this helps!


Share this post:

1 Comment. Leave new

Praveen Srivastava
June 17, 2010 2:02 pm

Your post is good. But right now i m in trouble. I am a beginner for wcf.
I want to know with a sample that how can we manage user security with returned token.
Give an small example step by step.
Please help me out.

Thanks previously…..

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>