This topic describes the fundamental programming tasks used to create a secure Windows Communication Foundation (WCF) application. This topic covers only authentication, confidentiality, and integrity, collectively known as *transfer security*. This topic does not cover authorization (the control of access to resources or services); for information on authorization, see [Authorization](../../../../docs/framework/wcf/feature-details/authorization-in-wcf.md).
13
13
14
14
> [!NOTE]
15
-
> For a valuable introduction to security concepts, especially in regard to WCF, see the set of patterns and practices tutorials on MSDN at [Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0](https://go.microsoft.com/fwlink/?LinkID=88250).
15
+
> For a valuable introduction to security concepts, especially in regard to WCF, see the set of patterns and practices tutorials on MSDN at [Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0](https://docs.microsoft.com/previous-versions/msp-n-p/ff648183(v=pandp.10)).
16
16
17
17
Programming WCF security is based on three steps setting the following: the security mode, a client credential type, and the credential values. You can perform these steps either through code or configuration.
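Review bot: the new target for the NOTE is a "previous-versions" archive page for WSE 3.0, which is retired technology that predates WCF, so the note now directs readers to legacy guidance without saying so; if the link is kept, qualify it as legacy material in the note text (for example "the older WSE 3.0 patterns and practices tutorials"), or point to current WCF security guidance instead. The context sentence "based on three steps setting the following: the security mode, a client credential type, and the credential values" also reads awkwardly and would be clearer as "three steps: setting the security mode, the client credential type, and the credential values", if you are touching this file anyway.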
A feature of Windows Communication Foundation (WCF) is the ability to establish secure sessions between two endpoints that authenticate each other and agree upon an encryption and digital signature process. For example, the service endpoint might require a client endpoint to send a security token based upon an X.509 certificate for authentication. Once the client is authenticated, the service endpoint returns a security context token (SCT) back to the client that is then used to secure all subsequent messages within the session. Establishing this secure session enables the set of messages that are exchanged between the two endpoints to be more efficient, because the SCT has a symmetric key. Asymmetric keys, which X.509 certificates are based upon, require significantly more computational power than symmetric keys when generating a digital signature or encrypting a set of data.
8
8
9
-
The bootstrap policy (defined in section 6.2.7 of the [WS-SecurityPolicy](https://go.microsoft.com/fwlink/?LinkId=99817) standard) contains the message security assertions used to secure the channel and authenticate the client prior to the RST/SCT and RSTR/SCT exchange. Certain WCF standard bindings have a `Security.Message.EstablishSecurityContext` property which controls whether secure conversation is used. When using custom bindings the bootstrap is indicated by nesting security binding elements, either through [\<secureConversationBootstrap>](../../../../docs/framework/configure-apps/file-schema/wcf/secureconversationbootstrap.md) in the configuration file, or by calling <xref:System.ServiceModel.Channels.SecurityBindingElement.CreateSecureConversationBindingElement%2A> in code.
9
+
The bootstrap policy (defined in section 6.2.7 of the [WS-SecurityPolicy](https://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html) standard) contains the message security assertions used to secure the channel and authenticate the client prior to the RST/SCT and RSTR/SCT exchange. Certain WCF standard bindings have a `Security.Message.EstablishSecurityContext` property which controls whether secure conversation is used. When using custom bindings the bootstrap is indicated by nesting security binding elements, either through [\<secureConversationBootstrap>](../../../../docs/framework/configure-apps/file-schema/wcf/secureconversationbootstrap.md) in the configuration file, or by calling <xref:System.ServiceModel.Channels.SecurityBindingElement.CreateSecureConversationBindingElement%2A> in code.
10
10
11
11
For more information about sessions, see [Using Sessions](../../../../docs/framework/wcf/using-sessions.md).
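Review bot: the replaced link now pins the "WS-SecurityPolicy" reference to the 1.2 OASIS Standard document, but the surrounding sentence still cites "section 6.2.7", a number that was written against whatever version the old fwlink resolved to; please confirm that 6.2.7 is the SecureConversationToken / BootstrapPolicy assertion in the 1.2 spec you are now linking and adjust the section number if it moved. Linking the versioned spec directly is otherwise an improvement over the redirector.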
docs/framework/wcf/feature-details/securing-messages-using-message-security.md (1 addition & 1 deletion)
@@ -35,7 +35,7 @@ This section discusses WCF message security when using <xref:System.ServiceModel
35
35
36
36
Given the disconnected nature of queues, the client and the service may not be online at the same time. As such, the client and service have to exchange certificates out-of-band. In particular, the client, by virtue of holding the service's certificate (which can be chained to a certification authority) in its trusted store, must trust that it is communicating with the correct service. For authenticating the client, the service uses the X.509 certificate attached with the message to matches it with the certificate in its store to verify the authenticity of the client. Again, the certificate must be chained to a certification authority.
37
37
38
-
On a computer running Windows, certificates are held in several kinds of stores. For more information about the different stores, see [Certificate stores](https://go.microsoft.com/fwlink/?LinkId=87787).
38
+
On a computer running Windows, certificates are held in several kinds of stores. For more information about the different stores, see [Certificate stores](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc757138(v=ws.10)).
39
39
40
40
### Windows
41
41
Windows message credential type uses the Kerberos protocol.
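Review bot: the replacement target is the Windows Server 2003 "Certificate stores" page (previous-versions/.../cc757138(v=ws.10)), so the sentence "For more information about the different stores" now sends readers to archived documentation; if a current certificate-stores article exists, prefer it, otherwise consider noting in the text that the linked page is archived. The unchanged context sentence just above, "uses the X.509 certificate attached with the message to matches it with the certificate in its store", has a grammar error ("to matches it" should be "to match it") that is worth fixing in the same change.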
docs/framework/wcf/feature-details/security-behaviors-in-wcf.md (2 additions & 2 deletions)
@@ -112,7 +112,7 @@ In Windows Communication Foundation (WCF), behaviors modify run-time behavior at
112
112
Set the certificate used to authenticate the client with this element. For more information, see [How to: Specify Client Credential Values](../../../../docs/framework/wcf/how-to-specify-client-credential-values.md).
113
113
114
114
#### \<httpDigest>
115
-
This feature must be enabled with Active Directory on Windows and Internet Information Services (IIS). For more information, see [Digest Authentication in IIS 6.0](https://go.microsoft.com/fwlink/?LinkId=88443).
115
+
This feature must be enabled with Active Directory on Windows and Internet Information Services (IIS). For more information, see [Digest Authentication in IIS 6.0](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc782661(v=ws.10)).
116
116
117
117
#### \<issuedToken> Element
118
118
The [\<issuedToken>](../../../../docs/framework/configure-apps/file-schema/wcf/issuedtoken.md) contains the elements used to configure a local issuer of tokens, or behaviors used with an security token service. For instructions on configuring a client to use a local issuer, see [How to: Configure a Local Issuer](../../../../docs/framework/wcf/feature-details/how-to-configure-a-local-issuer.md).
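Review bot: the new "Digest Authentication in IIS 6.0" target lives under previous-versions/windows-server-2003, so the general statement "This feature must be enabled with Active Directory on Windows and Internet Information Services (IIS)" now links to documentation for an IIS version that is out of support; either link the current IIS Digest Authentication documentation or make the sentence say which IIS version the linked page covers. In the unchanged context below, "behaviors used with an security token service" should read "a security token service".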
@@ -214,4 +214,4 @@ In Windows Communication Foundation (WCF), behaviors modify run-time behavior at
docs/framework/wcf/feature-details/security-concepts-used-in-wcf.md (7 additions & 5 deletions)
@@ -9,18 +9,20 @@ Windows Communication Foundation (WCF) security is built upon concepts already i
9
9
WCF supports some of those infrastructures, such as Secure Sockets Layer (SSL) over HTTP (HTTPS). However, WCF goes beyond supporting existing security infrastructures by implementing newer interoperable security standards (such as WS-Security) over SOAP-encoded messages. Whether you are using existing mechanisms or new interoperable standards, the security concepts behind both are the same. Understanding the concepts behind existing infrastructures and the newer standards is central to implementing the best security model for an application.
10
10
11
11
## Introduction to Security for WCF Web Services
12
-
The Microsoft Patterns and Practices group wrote an in-depth white paper on WCF security guidance which is available for download here: [WCF Security Guide](https://go.microsoft.com/fwlink/?LinkId=210210). This white paper describes the fundamental security concepts as they relate to web services, key WCF security concepts, intranet application scenarios, and internet application scenarios.
12
+
13
+
The Microsoft Patterns and Practices group wrote an in-depth white paper called [WCF Security Guide](https://archive.codeplex.com/?p=wcfsecurityguide). This white paper describes the fundamental security concepts as they relate to web services, key WCF security concepts, intranet application scenarios, and internet application scenarios.
13
14
14
15
## Industry-Wide Security Specifications
15
16
16
17
### Public Key Infrastructure
17
-
Public Key Infrastructure (PKI) is a system of digital certificates, certification authorities, and other registration authorities that verify and authenticate each party involved in an electronic transaction through the use of public key cryptography. For more information, see [Windows Server 2008 R2 Certificate Services](https://go.microsoft.com/fwlink/?LinkId=210211).
18
+
19
+
Public Key Infrastructure (PKI) is a system of digital certificates, certification authorities, and other registration authorities that verify and authenticate each party involved in an electronic transaction through the use of public-key cryptography.
18
20
19
21
### Kerberos Protocol
20
-
The *Kerberos protocol* is a specification for creating a security mechanism that authenticates users on a Windows domain. It allows a user to establish a secure context with other entities within a domain. Windows 2000 and later platforms use the Kerberos protocol by default. Understanding the mechanisms of the system is useful when creating a service that will interact with intranet clients. In addition, since the *Web Services Security Kerberos Binding* is widely published, you can use the Kerberos protocol to communicate with Internet clients (that is, the Kerberos protocol is interoperable). For more information about how the Kerberos protocol is implemented in Windows, see [Microsoft Kerberos](https://go.microsoft.com/fwlink/?LinkId=210212).
22
+
The *Kerberos protocol* is a specification for creating a security mechanism that authenticates users on a Windows domain. It allows a user to establish a secure context with other entities within a domain. Windows 2000 and later platforms use the Kerberos protocol by default. Understanding the mechanisms of the system is useful when creating a service that will interact with intranet clients. In addition, since the *Web Services Security Kerberos Binding* is widely published, you can use the Kerberos protocol to communicate with Internet clients (that is, the Kerberos protocol is interoperable). For more information about how the Kerberos protocol is implemented in Windows, see [Microsoft Kerberos](/windows/win32/secauthn/microsoft-kerberos).
21
23
22
24
### X.509 Certificates
23
-
X.509 certificates are a primary credential form used in security applications. For more information on X.509 certificates see [X.509 Public Key Certificates](https://go.microsoft.com/fwlink/?LinkId=210213). X.509 certificates are stored within a certificate store. A computer running Windows has several kinds of certificate stores, each with a different purpose. For more information about the different stores, see [Certificate Stores](https://go.microsoft.com/fwlink/?LinkID=87787).
25
+
X.509 certificates are a primary credential form used in security applications. For more information on X.509 certificates see [X.509 Public Key Certificates](/windows/win32/seccertenroll/about-x-509-public-key-certificates). X.509 certificates are stored within a certificate store. A computer running Windows has several kinds of certificate stores, each with a different purpose. For more information about the different stores, see [Certificate Stores](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc757138(v=ws.10)).
24
26
25
27
## Web Services Security Specifications
26
28
The system-defined bindings support many commonly used web services security specifications. For a complete list of system-provided bindings and the web services specifications they support see: [Web Services Protocols Supported by System-Provided Interoperability Bindings](../../../../docs/framework/wcf/feature-details/web-services-protocols-supported-by-system-provided-interoperability-bindings.md)
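Review bot: the Public Key Infrastructure paragraph loses its "For more information, see [Windows Server 2008 R2 Certificate Services]" sentence outright instead of getting a replacement link, while the Kerberos and X.509 paragraphs in the same hunk keep theirs; if the old target has no successor, say so in the PR description, otherwise link current Active Directory Certificate Services documentation so PKI is not the only concept here without a pointer. Link styles are also mixed within this hunk: site-relative paths (/windows/win32/secauthn/microsoft-kerberos, /windows/win32/seccertenroll/about-x-509-public-key-certificates) sit next to absolute docs.microsoft.com URLs for the same site; pick one form for docs.microsoft.com targets.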
@@ -43,4 +45,4 @@ Windows Communication Foundation (WCF) security is built upon concepts already i
docs/framework/wcf/feature-details/security-guidance-and-best-practices.md (3 additions & 2 deletions)
@@ -6,7 +6,8 @@ helpviewer_keywords:
6
6
ms.assetid: 79e4e6f7-0c00-4045-b0f0-e6a7c37c7788
7
7
---
8
8
# Security Guidance and Best Practices
9
-
The topics in this section present guidance for and items to consider when creating secure Windows Communication Foundation (WCF) applications. For more information about Windows Server AppFabric and security see, [Security Model for Windows Server App Fabric](https://go.microsoft.com/fwlink/?LinkID=201279&clcid=0x409)
9
+
10
+
The articles in this section present guidance for and items to consider when creating secure Windows Communication Foundation (WCF) applications. For more information about Windows Server AppFabric and security, see [Security Model for Windows Server App Fabric](https://docs.microsoft.com/previous-versions/appfabric/ee677202(v=azure.10))
10
11
11
12
## In this Section
12
13
[Best Practices for Security](../../../../docs/framework/wcf/feature-details/best-practices-for-security-in-wcf.md)
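Review bot: the rewritten sentence still ends immediately after the link with no terminating period ("...ee677202(v=azure.10))"), the same defect the removed line had; add the period while rewording. The "topics" to "articles" change and the comma after "security" are fine, and the AppFabric target being a previous-versions archive page is consistent with the rest of this PR.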
@@ -21,4 +22,4 @@ The topics in this section present guidance for and items to consider when creat
Windows Communication Foundation (WCF) is a SOAP message-based distributed programming platform, and securing messages between clients and services is essential to protecting data. WCF provides a versatile and interoperable platform for exchanging secure messages based upon both the existing security infrastructure and the recognized security standards for SOAP messages.
12
12
13
13
> [!NOTE]
14
-
> For a comprehensive guide to WCF security, see [WCF Security Guidance](https://go.microsoft.com/fwlink/?LinkID=158912).
14
+
> For a comprehensive guide to WCF security, see [WCF Security Guidance](https://archive.codeplex.com/?p=WCFSecurity).
15
15
16
16
WCF uses concepts that are familiar if you have built secure, distributed applications with existing technologies such as HTTPS, Windows integrated security, or user names and passwords to authenticate users. WCF not only integrates with existing security infrastructures, but also extends distributed security beyond Windows-only domains by using secure SOAP messages. Consider WCF an implementation of existing security mechanisms with the major advantage of using SOAP as the protocol in addition to existing protocols. For example, credentials that identify a client or a service, such as user name and password or X.509 certificates, have interoperable XML-based SOAP profiles. Using these profiles, messages are exchanged securely by taking advantage of open specifications like XML digital signatures and XML encryption. For a list of specifications, see [Web Services Protocols Supported by System-Provided Interoperability Bindings](../../../../docs/framework/wcf/feature-details/web-services-protocols-supported-by-system-provided-interoperability-bindings.md).
17
17
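Review bot: this hunk links archive.codeplex.com/?p=WCFSecurity for "WCF Security Guidance", while the security-concepts hunk earlier in this PR links archive.codeplex.com/?p=wcfsecurityguide for "WCF Security Guide"; both appear to describe the same patterns and practices guide, so please confirm each URL resolves to the intended project (CodePlex project names were case-insensitive but these are two different names) and, if they are the same guide, use one URL and one title in both files.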
@@ -108,4 +108,4 @@ Windows Communication Foundation (WCF) is a SOAP message-based distributed progr