How to setup a WCF service using basic Http bindings with SSL transport level security

In the .net 3.0 world you can use WS Http Bindings for your web services. Where your service has to be interoperable with other clients you can also expose a basic Http binding. This works fine, but you don’t automatically get things like security and passing of user credentials. To enhance the basic binding you can take advantage of different security settings; one of which is TransportWithMessageCredentials, this means that the transport of the messages is secured and so the message can include plain text credentials without compromising security. This requires a secure transport method, in this case https (SSL).

Setting up a Windows 2003 machine to use SSL (in IIS)

There are several ways of doing this, each with their own frustrations. The method below is the one which actually worked for me (after some methods that didn’t!).

  • Control Panel | Add or Remove Programs | Add/Remove Windows Components
  • Select Certificate Services
  • Install as a root
  • Open IIS
  • Right click on the default web site and select properties
  • Directory Security | Server Certificate
  • ‘Assign an existing Certificate’
  • Choose the certificate with the name that matches your machine name

Make Visual Studio use an SSL enabled host for the WCF Service
It does not appear to be possible to convert an existing Visual Studio website to an SSL one (and allow it to be debugged with SSL). Therefore you should:

  • “add existing website” to your solution.
  • Choose Local IIS
  • Create a new web application where desired
  • check the box to enable SSL (Use Secure Sockets Layer)
  • Right click the generated website project and select properties
  • Add a reference to your implementation project
  • Copy any existing web.config and *.svc files to your new website.

Now right click on the host project and select browse. (note: if the address does not include the filename you may need to manually add this in your browser) If you can see the service/wsdl and the address is https you have succeeded!

Modify your web.config to include a basic binding with transport level security

Use the following binding (play around with the different transport/message security modes if you like):

<binding name=”basicHttp”>
<security mode=”TransportWithMessageCredential” >
<message clientCredentialType=”UserName”/>

Now in your <service> reference the new binding configuration


About Alex McMahon

I am a software developer, interested in .net, agile, I've previously specialised with .net 3.0 technologies like WCF, whereas now I am trying to specialise in agile development and best practice and patterns. I am obsessed with looking at the latest technologies, tools, and methods, and trying them out. I am currently employed by Rockwell Collins in the UK.
This entry was posted in development, interoperability, Security, wcf, web service. Bookmark the permalink.

8 Responses to How to setup a WCF service using basic Http bindings with SSL transport level security

  1. Jim says:

    Is this post complete? When my client Winforms app calls a method in the web service, I get this error:

    The username is not provided. Specify username in ClientCredentials. ???

  2. Alex McMahon says:

    The post just describes the WCF and related config for this particular binding. Actually setting the client credentials is done in the application code; once you’ve got your client (e.g. instance of generated proxy), you can set the client credentials:

    client.ClientCredentials.UserName.UserName=”user”; client.ClientCredentials.UserName.Password=”pass”;

  3. Vadim says:

    how the hell can I know user’s password????

    • Alex McMahon says:

      I don’t quite understand your question.
      If you mean how can you capture a user’s password so that you can populate “client.ClientCredentials.UserName.Password”. Then it sort of depends on your application; In my current application we have a login screen that captures the user’s username and password (custom credentials), and we then hold onto them within the application to use for authenticating all the WCF calls.

      If you’re using Windows credentials then you don’t really want to follow this post exactly. Instead you need to do something like setting the message client credential type to Windows.

  4. Vadim says:

    Hi Alex,
    Yes, this is correct, i’d like to use Windows authetication (my application has no logon screen), but my service should run over https/ssl and, surprise, WCF specifiction for “TransportWithMessageCredential” doesn’t support “message = Windows”.
    Currently i set the service for “Transport” only, but i’m not sure this is right (from security point of view)

  5. James says:

    Hi Vadim,

    I am having the same issue, I want to sites capture the username/password or token automatically with TransportWithMessageCredential Mode. Anyone got any ideas?



  6. Hari says:

    I tried the above example by setting . I got an exception that said i needed a certificate!!. CAnt i just sent the username and password over the wire without using SSL or certificate?

  7. Pingback: Configuring WCF with BasicHttpBinding and SSL | Rebecca Miller-Webster

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s