Ok… I said it. Let’s just admit the truth for a second. It is hard. Recently somebody contacted me about a security problem and asked for my help. I’m probably the wrong guy to ask. After all, I’m an evangelist. That means I create demos, labs, etc., none of which use security (typically). What that means is that while I know a great deal about some aspects of WCF, when it comes to security I actually don’t know much. I know, I know… it’s embarrassing.
My New Year’s resolution for 2010 is to write some articles and samples and create some videos to help you deal with security. After all, it is vital that we help you to get this right. I’m tired of waiting for somebody else to fix this.
[edit: 12/4] By this comment I don’t mean to say that all evangelists are less technically competent than any other programmer. I work with some very smart guys who are great developers. I only meant to imply that we tend to learn things that our work requires, and mine doesn’t require security very often.
Here is the first security spike. I’m going to create a WCF service hosted in IIS. The service will use wsHttpBinding and Windows Credentials. The goal is to restrict access by role as defined by group membership in Active Directory. This should be a no-brainer, right?
Yesterday I searched around looking for resources to help. I didn’t find much. Most things I found showed how to secure self-hosted WCF services with console apps. The security picture with an IIS-hosted service is significantly more complex. You have IIS settings to deal with, plus ASP.NET stuff in web.config, and then the myriad WCF security settings and options.
I have often referred people to the WCF Security Guide from patterns and practices, which is good, but even after reading it I found myself confused.
My first attempt yesterday was to create a service hosted in IIS and then to use netTcpBinding as recommended by the WCF Security Guide to access it. I didn’t get very far. Once I hosted the service in IIS I was not able to access it with the netTcpBinding from the client. I kept getting one of those “machine actively refused the connection” messages.
Today I’m going to go with the wsHttpBinding so I can simplify things a bit. I’ll let you know how it goes.
Make sure your firewall is open on both ends if you are using netTcpBinding :)
Wait until you get to X.509 certs, etc. You'll be tearing your hair out :)
Adwait: X.509 certificates had me wondering whether Microsoft have a profit-sharing agreement with Verisign etc., or if they just really, really hate us.
And then I decided I was just being paranoid.
And *then* I started wondering if Microsoft deliberately made me paranoid because they hate me...
WCF security is hard ... Only if you are an evangelist! "Better to be lucky than good"?