J.D. Meier's Blog : WCF

New Release: patterns & practices WCF Security Guide

J.D. Meier — Wed, 11 Feb 2009 07:47:07 GMT

Today we released our patterns & practices Improving Web Service security: Scenarios and Implementation Guidance for WCF on MSDN. Using end-to-end application scenarios, this guide shows you how to design and implement authentication and authorization in WCF. You'll learn how to improve the security of your WCF services through prescriptive guidance including guidelines, a Q&A, practices at a glance, and step-by-step how to articles. The guide is the result of a collaborative effort between patterns & practices, WCF team members, and industry experts.

Download the patterns & practices WCF Security guide (CodePlex)
Read the patterns & practices WCF Security Guide online (MSDN)

Key Scenarios
Here's the key scenarios:

A development team that wants to adopt WCF.
A software architect or developer looking to get the most out of WCF, with regard to designing their application security.
Interested parties investigating the use of WCF but don’t know how well it would work for their deployment scenarios and constraints.
Individuals tasked with learning WCF security.
Authentication, authorization, and communication design for your services
Solution patterns for common distributed application scenarios using WCF
Principles, patterns, and practices for improving key security aspects in services

Contents at a Glance

Part I: Security Fundamentals for Web Services
Part II: Fundamentals of WCF Security
Part III: Intranet Application Scenarios
Part IV: Internet Application Scenarios

Chapters

Foreword by Nicholas Allen
Foreword by Rockford Lhotka
Chapter 1: Security Fundamentals for Web Services
Chapter 2: Threats and Countermeasures for Web Services
Chapter 3: Security Design Guidelines for Web Services
Chapter 4: WCF Security Fundamentals
Chapter 5: Authentication, Authorization, and Identities in WCF
Chapter 6: Impersonation and Delegation in WCF
Chapter 7: Message and Transport Security
Chapter 8: Bindings
Chapter 9: Intranet - Web to Remote WCF Using Transport Security (Original Caller, TCP)
Chapter 10: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
Chapter 11: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
Chapter 12: Intranet - Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
Chapter 13: Internet - WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
Chapter 14: Internet - Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
Chapter 15: Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Our Team

J.D. Meier
Carlos Farre
Jason Taylor
Prashant Bansode
Steve Gregersen
Madhu Sundararajan
Rob Boucher

Contributors / Reviewers

External Contributors / Reviewers: Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Leroux Bustamante; Parameswaran Vaideeswaran; Rockford Lhotka; Rudolph Araujo; Santosh Bejugam
Microsoft Contributors / Reviewers: Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev

WCF Security Guide is Now Available in HTML

J.D. Meier — Thu, 19 Jun 2008 05:07:00 GMT

Our guide, patterns & practices Improving Web Services Security:Scenarios and Implementation Guidance for WCF is now available in HTML.

New Release: patterns & practices WCF Security Guide (BETA)

J.D. Meier — Wed, 04 Jun 2008 23:01:12 GMT

Today we released our WCF Security guide, patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF. This is our Microsoft playbook for Windows Communication Foundation (WCF - "Indigo".) It shows you how to build secure Web services using WCF. It's a compendium of proven practices, product team recommendations and insights from the field.

Download the guide

Download the Guide

Contents at a Glance

Part I, "Security Fundamentals for Web Services"
Part II, "Fundamentals of WCF Security"
Part III, "Intranet Application Scenarios"
Part IV, "Internet Application Scenarios"

Chapters

Ch 01 - Security Fundamentals for Web Services
Ch 02 - Threats and Countermeasures for Web Services
Ch 03 - Security Design Guidelines for Web Services
Ch 04 - WCF Security Fundamentals
Ch 05 - Authentication, Authorization and Identities in WCF
Ch 06 - Impersonation and Delegation in WCF
Ch 07 - Message and Transport Security in WCF
Ch 08 - WCF Bindings Fundamentals
Ch 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)
Ch 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)
Ch 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)
Ch 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
Ch 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
Ch 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
Ch 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Reference

WCF Security Checklist
WCF Security Guidelines
WCF Security Practices at a Glance
WCF Questions and Answers (Q&A)
How Tos
WCF Security Resources

Contributors and Reviewers

External: Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Bustamante; Parameswaran Vaideeswaran; Rockford Lotka; Rudolph Araujo; Santosh Bejugam
Microsoft: Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Don Smith; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev

WCF Security Resources

J.D. Meier — Fri, 23 May 2008 20:45:09 GMT

If you're building Web services or if you're implementing SOA on the Microsoft platform , then you're probably either working with or exploring WCF (Windows Communication Foundation.) When we started our patterns & practices WCF Security Guidance project, one of the first things I did was compile a list of WCF security resources for our team. This helped us quickly ramp up and as well as see gaps. One thing that surprised me is how much is available in the product documentation, if you know where to look. Here's a preliminary look at our WCF Security resources index which we'll include in our WCF Security Guide:

Getting Started

Community

Articles

Microsoft

Community

Blogs

Microsoft

Community

Channel9

Podcasts

ARCast.TV

ARCast.TV - WCF Session Behavior from Slovenia

Videos

Vittorio Bertocci: WS-Trust - Under the Hood

patterns & practices WCF Security Practices at a Glance Now Available

J.D. Meier — Fri, 09 May 2008 23:53:27 GMT

For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF Security Practices at a Glance. Practices At a Glance gives you a bird's-eye view of how to perform common tasks. They are scannable and outcome-driven so that you can quickly browse the problem/solution pairs. Rather than a laundry list of granular tasks, we organize them by our Web Services Security frame (still evolving.)

Categories
Here's how we grouped our WCF Security Practices at a Glance so far:

Auditing and Logging
Authentication
Authorization
Configuration Management
Deployment Considerations
Exception Management
Hosting
Impersonation/Delegation
Input Validation
Message Security
Proxy Considerations
Sensitive Data
Transport Security

Here's a snapshot of the problems solved from our Practices At a Glance, but you can see our answers explained at our WCF Security Guidance project site.

Auditing and Logging

How to audit authentication events
How to audit authorization events
How to enable WCF message logging
How to enable WCF tracing
How to use Health Monitoring in WCF
How to view log information
How to view trace information
How to log traces to a WMI provider
How to turn off audit failure suppression

Authentication

How to authenticate users against the SQL Membership Provider
How to authenticate users against Active Directory
How to authenticate users against Active Directory without windows authentication
How to authenticate users with certificates
How to map certificates with windows accounts
How to authenticate users against a custom user store
How to authenticate users with Kerberos direct to support non-WCF clients with windows authentication

Authorization

How to authorize imperatively
How to authorize declaratively
How to authorize users against Windows groups
How to authorize users against Windows groups using the AspNetWindowsTokenRoleProvider
How to authorize users against the SQL Role Provider
How to authorize users against the ASP.Net Role Provider
How to assign the current principal with IAuthorizationPolicy to allow authorization using custom authentication

Configuration Management

How to encrypt sensitive data in your configuration files
How to run your service under a specific identity
How to create a service account for your WCF service
How to stop clients from referencing your service
How to protect against message replay attacks

Deployment Considerations

How to configure certificates to enable SSL in IIS
How to map Windows accounts with certificates
How to create a Service Principle Name (SPN)
How to configure WCF for NATs and Firewalls
How to create an X.509 certificate

Exception Management

How to shield exception information with fault contracts
How to create an error handler to log details of faults for auditing purposes
How to handle unhandled exceptions in downstream services
How to throw an exception with complex types or data contracts with a fault exception
How to handle unknown faults in a service
How to implement a data contract to propagate exception details for debugging purposes
How to implement fault contracts in call back functions

Hosting

How to host WCF in IIS
How to host WCF in a Windows service
How to self-host WCF
How to configure a least-privilege account to host your service

Impersonation/Delegation

How to choose between trusted subsystem and impersonation/delegation
How to impersonate the original caller when using Windows authentication
How to impersonate programmatically in WCF
How to impersonate declaratively in WCF
How to delegate the original caller to call backend services when using Windows authentication
How to impersonate the original caller without Windows authentication
How to impersonate the original caller using S4U Kerberos extensions.
How to delegate the original caller using S4U Kerberos extensions.
How to impersonate and delegate using LogonUser Windows API
How to flow the original caller from an ASP.NET client to WCF
How to control access to a remote resource based on the original callers identity.

Input Validation

How to protect your service from malicious messages
How to protect your service from malicious input
How to protect your service from denial of service attacks
How to validate parameters with parameter inspectors
How to validate parameters with message inspectors using schemas
How to validate data contracts with message inspectors using schemas
How to validate message contracts with message inspectors using schemas
How to use regular expressions validate format, range and length in schemas
How to validate inbound messages on a service
How to validate outbound messages on a service
How to validate outbound messages on the client
How to validate inbound messages on the client
How to validate input parameters
How to validate output parameters

Message Security

How to use message security
How to partially encrypt a message
How to use out-of-band credentials with message security

Proxy Considerations

How to avoid proxy spoofing
How to expose service metadata for your clients
How to create a proxy to a service hosted in IIS that requires certificate authentication and transport security

Sensitive Data

How to encrypt sensitive data in configuration files
How to protect sensitive data in memory
How to protect sensitive data on the network

Transport Security

How to use transport security
How to use secure conversations in WCF

X.509 Certificates

How to create a temporary X.509 certificate for transport security
How to create a temporary X.509 certificate for message security
How to create a temporary X.509 certificate for certificate authentication

My Related Posts

6 New patterns & practices WCF Security How Tos

J.D. Meier — Thu, 01 May 2008 23:12:44 GMT

We have 6 new How Tos for this week's release of our patterns & practices WCF Security Guidance Project.

WCF Security How Tos

My Related Posts

patterns & practices WCF Security Questions and Answers Now Available

J.D. Meier — Fri, 25 Apr 2008 05:13:59 GMT

What are your key security-related questions with WCF? More importantly, what are the answers? For this week's release of our WCF Security Guidance Project, we posted our WCF Security Q&A (Questions and Answers) to CodePlex.

To create the questions and answers set, we first gathered and organized recurring questions from our field, support, customers and forums. We then worked through to create precise answers. What you get is a browsable collection of questions and answers, organized by our security frame. The security frame maps to actionable categories of your application.

Here's a snapshot of the questions from our Q&A, but you can see our answers explained at our WCF Security Guidance project site.

Design Considerations

How do I decide on an authentication strategy?
How do I decide on an authorization strategy?
When should I use message security vs. transport security?
How do I use my existing Active Directory infrastructure?
What bindings should I use over the Internet?
What bindings should I use over the Intranet?
When should I use resource-based authorization vs. roles-based authorization?
When should I impersonate the original caller?
When should I flow the original caller’s identity to back-end resources?
How do I migrate to WCF from an ASMX web service?
How do I migrate to WCF from a COM application?
How do I migrate to WCF from a DCOM application?
How do I migrate to WCF from a WSE application?

Auditing and Logging

What WCF Service security events should be logged?
How do I enable logging and auditing in WCF?
How do I enable auditing in WCF?
How do I stop my service if there has been an auditing failure?
How do I log important business events in WCF?
How do I implement log throttling in WCF?
How do I use Health Monitoring Feature with WCF?
How do I protect my log files?
How to I pass user identity information in a message for auditing purpose?

Authentication

How do I decide on an authentication strategy in WCF?
When should I use brokered authentication?
When should I use the SQL Server Membership provider?
How do I authenticate against Active Directory?
How do I authenticate against a SQL store?
How do I authenticate against a custom store?
How do I protect passwords in my user store?
How do I use certificate authentication with X.509 certificates?
What is the most common authentication scenario for intranet applications?
What is the most common authentication scenario for internet applications?
How do I support authentication for multiple client types?
What is federated security?
How do I send credentials in the message when I am using transport security?
How do I avoid cleartext passwords?

Authorization

How do I decide on an authorization strategy in WCF?
What’s the difference between resource-based, roles-based and claims-based authorization?
How do I use Windows groups for role authorization in WCF?
How do I use the SQL Role provider for ASPNET role authorization in WCF?
How do I use the Windows Token role provider for ASPNET role authorization in WCF?
How do I use the Authorization Store role provider for ASPNET role authorization in WCF?
What’s the difference between declarative and imperative roles authorization?
How do I restrict access to WCF operations to specific Windows users?
How do I associate roles with a certificate?
What is a service principle name (SPN)?
How do I create a service principle name (SPN)?

Bindings

What is a binding?
What bindings are available?
Which bindings are best suited for the Internet?
Which bindings are best suited for the Intranet?
How do I choose an appropriate binding?
Configuration Management
How do I encrypt sensitive data in WCF configuration file?
How do I run a WCF Service with a particular identity?
How do I create a service account for running my WCF Service?
When should I use a configuration file versus the WCF object model?
What is a metadata exchange (MEX) binding?
How do I keep clients from referencing my service?

Exception Management

How do I implement a global exception handler?
What is a fault contract?
How do I define a fault contract?
How do I avoid sending exception details to the client?

Hosting

How do I configure a least privileged account to host my service?
When should I host my service in IIS?
When should I host my service in a Windows service?
When should I self-host my service?
Impersonation/Delegation
What are my impersonation options?
What is the difference between impersonation and delegation?
How do I impersonate the original caller for an operation call?
How do I temporarily impersonate the original caller in an operation call?
How do I impersonate a specific (fixed) identity?
What is constrained delegation?
What is protocol transition?
How do I flow original caller from ASP.NET client to WCF Service?
What is the difference between declarative and programmatic impersonation?
What is the trusted subsystem model?
When should I flow the original caller to back-end code?
How do I control access to a remote resource based on the original caller’s identity?

Input/Data Validation

How do I implement input and data validation in WCF?
What is schema validation?
What is parameter validation?
Should I validate before or after message serialization?
How do I protect my service from denial of service attacks?
How do I protect my service from malicious input attacks?
How do I protect my service from malformed messages?
Message Protection
When should I use message security?
When should I use transport security?
How do I protect my message when there are intermediaries routing my message?
How do I protect my message when there are multiple protocols used during message
transit?
How do I implement partial message encryption?

Proxy Considerations

When should I use a channel factory?
When do I need to expose a metadata exchange endpoint for my service?
How do I avoid proxy spoofing?

Sensitive Data

How do I protect sensitive data in configuration files?
How do I protect sensitive data in memory?
How do I protect my metadata?
How do I protect sensitive data from being read on the wire?
How do I protect sensitive data from being tampered with on the wire?
How do I authenticate a message was sent by the expected sender?
How do I encrypt data within my message?

X.509 Certificates

How do I create X.509 certificates?
Do I need to create a certificate signed by the root CA certificate?
How do I use X.509 certificate revocation?
How do I authenticate users with X.509 certificates, and then perform role-based access control using an Active Directory domain?

Deployment Considerations

What are the additional considerations for using WCF in a webfarm?
How do I configure WCF for NATs and Firewalls?
How do I configure Active Directory groups and accounts for role-based authorization checks?
How do I create an X.509 certificate?
When should I use a Service Principle Name (SPN)?
How do I configure a least privileged account for my service?

My Related Posts

patterns & practices WCF 3.5 Security Guidelines Now Available

J.D. Meier — Thu, 17 Apr 2008 18:38:33 GMT

For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF 3.5 Security Guidelines. Each guideline is a nugget of what to do, why, and how. The goal of the guideline format is to take a lot of information, compress it down, and turn insight into action.

The downside is that it's tough to create prescriptive guidelines that are generic enough to be reusable, but specific enough to be helpful. The upside is that customers find the guidelines help them cut through a lot of information and take action. We contextualize the guidelines as much as we can, but ultimately you're in the best position to do the pattern matching to find which guidelines are relevant for your scenarios, and how you need to tailor them.

Here's a snapshot of the guidelines, but you can see our security guidelines explained at our WCF Security Guidance project site.

Categories
Our WCF Security guidelines are organized using the following buckets:

Auditing and Logging
Authentication
Authorization
Binding
Configuration Management
Exception Management
Hosting
Impersonation and Delegation
Input/Data Validation
Proxy Considerations
Deployment considerations

Auditing and Logging

Use WCF auditing to audit your service
If non-repudiation is important, consider setting SuppressAuditFailure property to false
Use message logging to log operations on your service
Instrument for user management events
Instrument for significant business operations
Protect log files from unauthorized access
Do not log sensitive information

Authentication

Know your authentication options
Use Windows Authentication when you can
If you support non-WCF clients using windows authentication and message security, consider using the Kerberos direct option
If your users are in AD, but you can’t use windows authentication, consider using username authentication
If your clients have certificates, consider using client certificate authentication
If you need to streamline certificate distribution to your clients for message encryption, consider using the negotiate credentials option
If your users are in a custom store, consider using username authentication with a custom validator
If your users are in a SQL membership store, use the SQL Membership Provider
If your partner applications need to be authenticated when calling WCF services, use client certificate authentication.
If you are using username authentication, use SQL Server Membership Provider instead of custom authentication
If you need to support intermediaries and a variety of transports between client and service, use message security to protect credentials
If you are using username authentication, validate user login information
Do not store passwords directly in the user store
Enforce strong passwords
Protect access to your credential store
If you are using Windows Forms to connect to WCF, do not cache credentials

Authorization

If you use ASP.NET roles, use the ASP.NET Role Provider
If you use windows groups for authorization, use ASP.NET Role Provider with AspNetWindowsTokenRoleProvider
If you store role information in SQL, consider using the SQL Server Role Provider for roles authorization
If you store role information in Windows Groups, consider using the WCF PrincipalPermissionAttribute class for roles authorization
If you need to authorize access to WCF operations, use declarative authorization
If you need to perform fine-grained authorization based on business logic, use imperative authorization

Binding

If you need to support clients over the internet, consider using wsHttpBinding.
If you need to expose your WCF service to legacy clients as an ASMX web service, use basicHttpBinding
If you need to support remote WCF clients within an intranet, consider using netTcpBinding.
If you need to support local WCF clients, consider using netNamedPipeBinding.
If you need to support disconnected queued calls, use netMsmqBinding.
If you need to support bidirectional communication between WCF Client and WCF service, use wsDualHttpBinding.

Configuration Management

Use Replay detection to protect against message replay attacks
If you host your service in a Windows service, expose a metadata exchange (mex) binding
If you don’t want to expose your WSDL, turn off HttpGetEnabled and metadata exchange (mex)
Manage bindings and endpoints in config not code
Associate names with the service configuration when you create service behavior, endpoint behavior, and binding configuration
Encrypt configuration sections that contain sensitive data

Exception Management

Use structured exception handling
Do not divulge exception details to clients in production
Use a fault contract to return error information to clients
Use a global exception handler to catch unhandled exceptions

Hosting

If you are hosting your service in a Windows Service, use a least privileged custom domain account
If you are hosting your service in IIS, use a least privileged service account
Use IIS to host your service unless you need to use a transport that IIS does not support

Impersonation and Delegation

Know the impersonation options
If you have to flow the original caller, use constrained delegation
Consider LogonUser when you need to impersonate but you don’t have trusted delegation
Consider S4U when you need a Windows token and you don’t have the original caller’s credentials
Use programmatic impersonation to impersonate based on business logic
When impersonating programmatically be sure to revert to original context
Only impersonate on operations that require it
Use OperationBehavior to impersonate declaratively

Input/Data Validation

If you need to validate parameters, use parameter inspectors
If your service has operations that accept message or data contracts, use schemas to validate your messages
If you need to do schema validation, use message inspectors
Validate operation parameters for length, range, format and type
Validate parameter input on the server
Validate service responses on the client
Do not rely on client-side validation
Avoid user-supplied file name and path input
Do not echo untrusted input

Proxy Considerations

Publish your metadata over HTTPS to protect your clients from proxy spoofing
If you turn off mutual authentication, be aware of service spoofing

Deployment considerations

Do not use temporary certificates in production
If you are using a custom domain account in the identity pool for your WCF application, create an SPN for Kerberos to authenticate the client.
If you are using a custom service account and need to use trusted for delegation, create an SPN
If you are hosting your service in a Windows Service, using a custom domain identity, and ASP.NET needs to use constrained trusted for delegation when calling the service, create an SPN
Use IIS to host your service unless you need to use a transport that IIS does not support
Use a least privileged account to run your WCF service
Protect sensitive data in your configuration files

My Related Posts

patterns & practices WCF Security Guidance: Updated Application Scenarios

J.D. Meier — Fri, 11 Apr 2008 06:32:00 GMT

For this week's release in our patterns & practices WCF Security Guidance project, we added new sections to our WCF Security Application Scenarios. We added sections for analysis, code and configuration examples. The analysis section explains the rationale behind some of the decisions.

The idea behind the application scenarios is to show you a before and after look of end-to-end solutions. Rather than a single solution, we give you a set of solutions to pick from. The main parameters that vary in each solution include: Intranet vs. Internet, ASP.NET client vs. Windows Forms clients, TCP vs. HTTP, impersonation/delegation vs. trusted subsystem, and AD (domain credentials) vs. a custom user store.

WCF Security Application Scenarios
Intranet

Internet

Note that if there's enough interest and time, we'll add a scenario that shows accessing an existing custom user store (i.e. you aren't using Membership.)

My Related Posts

patterns and practices WCF Security Application Scenarios

J.D. Meier — Fri, 04 Apr 2008 02:40:50 GMT

We published an updated set of our WCF Security application scenarios yesterday, as part of our patterns & practices WCF Security guidance project. Application Scenarios are visual "blueprints" of skeletal solutions for end-to-end deployment scenarios. Each application scenario includes a before and after look at working solutions. While you still need to prototype and test for your scenario, this gives you potential solutions and paths at a glance, rather than starting from scratch. It's a catalog of applications scenarios that you can look through and potentially find your match.

Intranet
Common Intranet patterns:

Internet
Common Internet patterns:

One Size Does Not Fit All
We know that one size doesn't fit all, so we create a collection of application scenarios that you can quickly sort through and pattern match against your scenario. It's like a visual menu at a restaurant. The goal is to find a good fit against your parameters versus a perfect fit. It gives you a baseline to start from. They effectively let you preview solutions, before embarking on your journey.

How We Make Application Scenarios
First, we start by gathering all the deployment scenarios we can find from customers with working solutions. We use our field, product support, product teams, subject matter experts, and customers. We also check with our internal line of business application solutions. While there's a lot of variations, we look for the common denominators. There's only so many ways to physically deploy servers, so we start there. We group potential solutions by big buckets.

In order to make the solutions meaningful, we pick a focus. For example, with WCF Security, key overarching decisions include authentication, authorization, and secure communication. These decisions span the layers and tiers. We also pay attention to factors that influence your decisions. For example, your role stores and user stores are a big factor. The tricky part is throwing out the details of customer specific solutions, while retaining the conceptual integrity that makes the solution useful.

Next, we create prototypes and we test the end-to-end scenarios in our lab. We do a lot of whiteboarding during this stage for candidate solutions. This is where we spend the bulk of our time, testing paths, finding surprises, and making things work. It's one thing to know what's supposed to work; it's another to make it work in practice.

From our working solution, we highlight the insights and actions within the Application Scenario so you can quickly prototype for your particular context. We then share our candidate guidance modules on CodePlex, while we continue reviews across our review loops including field, PSS, customers, product team members, and subject matter experts.

patterns and practices WCF Security Guidance Now Available

J.D. Meier — Thu, 27 Mar 2008 19:04:00 GMT

Our patterns & practices WCF Security Guidance Project is in progress on CodePlex. This is our first release of prescriptive guidance modules for WCF Security.

How Tos
Our How Tos give you step by step instructions for performing key tasks:

Videos
Our videos step you visually through key guidance:

About WCF
Windows Communication Foundation (WCF) is a service-oriented platform for building and consuming secure, reliable, and transacted services. It unifies the programming models for ASMX, Enterprise services and .NET Remoting. It supports multiple protocols including named pipes, TCP, HTTP, and MSMQ. WCF promotes loose coupling, supports interoperability, and encapsulates the latest web service standards. With WCF, you get flexibility in choosing protocol, message encoding formats, and hosting. For more information, see the MSDN WCF Developer Center.

About the Project
WCF provides a lot of options and flexibility. The goal of our patterns & practices WCF Security Guidance Project is to find the key combinations of security practices for WCF that work for customers and share them more broadly. At a high-level, you can think of the project in terms of these main buckets:

Application Scenarios - These are whiteboard solutions for common end-to-end application scenarios.
How Tos - These are step-by-step instructions for performing key end-to-end tasks.
Building Codes - These are our sets of rules and practices. This includes Guidelines, Checklists, and Practices at a Glance.
Reference - This includes Explained, Cheat Sheets, and Q&A guidance.

The plan is to incrementally share our guidance modules on CodePlex as we go, then build a guide, then port the guidance to MSDN once it's baked.

How To: Create a “Hello World” WCF Service Using Visual Studio

J.D. Meier — Mon, 15 Oct 2007 23:32:00 GMT

Here's a quick step through of using WCF in Visual Studio 2005. In this case I used a local machine, running Windows 2003, for the service and the client.

There's lot of possible paths, and this is just one path through. I focused on "Hello World" to run through the basic mechanics, but chose a path to touch enough things that might be interesting to explore another day.

Scenario
Use Visual Studio 2005 to do a dry run of creating a WCF service hosted in IIS and calling it from a console application on your local development workstation. (Note that you don't need to host WCF in IIS; for example, you could use a surrogate console application.)

Preparation
In my case, I needed the .NET 3.0 components and the WCF extensions for Visual Studio:
1. .NET 3.0 Runtime Components
2. WCF and WPF extensions for Visual studio

Summary of Steps

Step 1. Create the test service
Step 2. Add a Hello World Method
Step 3. Test your WCF service
Step 4. Enable meta-data for your WCF Service.
Step 5. Create the test client.
Step 6. Add a Web Services reference to your WCF Service.
Step 7. Add the namespace to your
Step 8. Call your WCF service

Step 1. Create the test service
In this step, we'll create a WCF service that uses HTTP bindings, for backward compatibility (non-.NET 3.0 clients)

In Visual Studio, click File -> New Web Site
Select WCF Service
Browse to a directory to store your project: (e.g. D:\Dev\WCF\Test1\Serve )
Enable wsHttpBinding. To do so, right-click Web.config and click Edit WCF Configuration ... Expand Services > expand MyService -> expand Endpoints. Click (Empty Name). Change wsHttpBinding to basicHttpBinding
Create the virtual directory. In your File Manager, right-click your Server folder (i.e. D:\Dev\WCF\Test3\Server) and click Properties, then Web Sharing, and click Share this folder, then click OK.

Step 2. Add a Hello World Method
In Service.cs, you'll add your Hello World method:

Add the HelloWorld operation contract below public interface: [ServiceContract()]
public interface IMyService
{
    [OperationContract]
    string MyOperation1(string myValue1);
    [OperationContract]
    string MyOperation2(DataContract1 dataContractValue);
    [OperationContract]
    string HelloWorld();
}
Add your HelloWorld method below public class MyService : public class MyService : IMyService
{
    public string MyOperation1(string myValue1)
    {
        return "Hello: " + myValue1;
    }
    public string MyOperation2(DataContract1 dataContractValue)
    {
        return "Hello: " + dataContractValue.FirstName;
    }
    public string HelloWorld()
    {
        return "Hello World";
    }
}

Compile and debug any errors.
Step 3. Test your WCF service

In IIS Manager, under Default Web Site, right-click expand Server (the virtual directory you just created)
Right-click Service.svc and click Browse.

There's two issues you might hit here:

You don't have ASP.NET installed/enabled. To fix this, first run aspnet_regiis /i from your .NET installation directory (C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727) Then, allow ASP.NET in your IIS Manager. To do so, in IIS Manager, expand Web Service Extensions, select ASP.NET v.2.0.50727 and click Allow.
You might see "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service." To fix this, first enable anonymous access. In IIS Manager, right click your v-dir (Server), click Properties, click Directory Security, click Edit under Authentication and Access control, click Enable Anonymous Access, then OK your way out of the dialogues. Next, recycle IIS. In a command prompt, type IISreset. If successful, when you browse your Service.svc file from IIS Manager (e.g. http://localhost/service/service.svc). you'll get a message that starts with the following:
This is a Windows© Communication Foundation service.
Metadata publishing for this service is currently disabled.

Step 4. Enable meta-data for your WCF Service.

In VSTS, right-click Web.config and click Edit WCF Configuration. In WCF Configuration, expand Advanced, then expand Service Behaviors, then
right-click returnFaults and click Add Service Behavior Element Extension. Select serviceMetadata and click Add.
In WCF configuration, select serviceMetadata and change HttpGetEnabled to True. Close the dialogue and save changes.
Test your service again. Browse to http://localhost/Server/Service.svc and this time you should see your service (e.g. MyService Service). You
will see a message that starts with the following:
"You have created a service."

Step 5. Create the test client.
In this step, we'll create a quick console app to call the WCF service:

In Visual Studio, click File -> New -> Project
Select Console Application.
Browse to a directory to store your test client: (e.g. D:\Dev\WCF\Test1\WCFClient)

Step 6. Add a Web Services reference to your WCF Service.
In this step, we'll add a Web Services reference.

Right-click References
Click Add Web Reference ...
In the Add Web Reference dialogue, add the path to your WCF Service (http://localhost/Server/Service.svc)
Click Add Reference to close the dialogue. You should then see your Web Service reference show up under Web References.

Step 7. Add the namespace to your

Browse to your Reference.cs file. You'll find the file below Reference.map under your Web service reference. You might need to click the Show All Files button on the Solution Explorer so you can see the files under your Web service reference.
Find the namespace. You'll see a line similar to the following:
namespace ConsoleApplication1.localhost
Add the using statement to your Program.cs file.
using ConsoleApplication1.localhost;

Step 8. Call your WCF service
In your test client, call your WCF service:
        static void Main(string[] args)
        {
            MyService service = new MyService();
            string foo;
            foo = service.HelloWorld();
            Console.WriteLine(foo);
        }
When you compile and run your console application, you should see the following:
Hello World
Press any key to continue . . .

Additional Resources

Hopefully this step through helps you quickly see some of the bits and pieces you can play with.