In the .NET 3.0 world you can use WS HTTP bindings for your web services. Where your service has to be interoperable with other clients, you can also expose a basic HTTP binding. This works fine, but you don’t automatically get things like security and passing of user credentials. To enhance the basic binding you can take advantage of different security settings, one of which is TransportWithMessageCredential. This means that the transport of the messages is secured, so the message can include plain-text credentials without compromising security. This requires a secure transport method, in this case HTTPS (SSL).
Setting up a Windows 2003 machine to use SSL (in IIS)
There are several ways of doing this, each with their own frustrations. The method below is the one which actually worked for me (after some methods that didn’t!).
- Control Panel | Add or Remove Programs | Add/Remove Windows Components
- Select Certificate Services
- Install as a root
- Open IIS
- Right click on the default web site and select properties
- Directory Security | Server Certificate
- ‘Assign an existing Certificate’
- Choose the certificate with the name that matches your machine name
Make Visual Studio use an SSL enabled host for the WCF Service
It does not appear to be possible to convert an existing Visual Studio website to an SSL one (and allow it to be debugged with SSL). Therefore you should:
- “add existing website” to your solution.
- Choose Local IIS
- Create a new web application where desired
- Check the box to enable SSL (Use Secure Sockets Layer)
- Right click the generated website project and select properties
- Add a reference to your implementation project
- Copy any existing web.config and *.svc files to your new website.
Now right click on the host project and select Browse. (Note: if the address does not include the filename, you may need to add it manually in your browser.) If you can see the service/WSDL and the address is https, you have succeeded!
Modify your web.config to include a basic binding with transport level security
Use the following binding (play around with the different transport/message security modes if you like):
<security mode="TransportWithMessageCredential">
Now, in your <service> element, reference the new binding configuration.
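How the binding and the service reference fit together in web.config, as an added example that is not the original post's configuration. The binding name, service name and contract name are hypothetical placeholders, and the UserName credential type is an assumption based on the plain-text credentials described above.

```xml
<!-- Added example: SecureBasicBinding, OrderService and IOrderService
     are hypothetical names; substitute your own. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Without a <security> element, basicHttpBinding uses mode "None":
           no transport protection and no credentials in the message. -->
      <binding name="SecureBasicBinding">
        <!-- HTTPS protects the channel; the credential travels in the
             SOAP message itself. -->
        <security mode="TransportWithMessageCredential">
          <!-- Assumption: username/password credentials. -->
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="MyCompany.Services.OrderService">
      <!-- bindingConfiguration must match the binding name above.
           Omitting it leaves the endpoint on the default
           basicHttpBinding settings. -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="SecureBasicBinding"
                contract="MyCompany.Services.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

After deploying, confirm that the service address in the generated WSDL starts with https, which shows the endpoint picked up the secured binding.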