c# wcf wcf-binding wcf-security

What's the simplest security method of a WCF service


It's running on an intranet, .NET Framework 3.5, hosted in IIS 7.0, and it's using wsHttpBinding with null security. Now I have to protect it so that only specific users can run it.

It seems that I should use SSL and certificates, but I'd really like to stay away from that because it looks complex; basically I'm looking for the simplest way.

I took a look at netTcpBinding and it seems to me this is the right way. If so, can you confirm whether a service using net.tcp could be consumed by an ASP.NET site?

Any comments are welcome.

Thanks,


Solution

  • In your case you have an intranet, which means that you have internal users. It depends where the call to the WCF service is coming from.

    If we assume:

    • Internal users, who log in to a Windows domain
    • The client machines and the server are in the same domain
    • The user runs a Windows app on their machine, which makes the WCF call

    Then the simplest solution is to use Windows authentication

    • The client makes the call in the security context of the logged on user
    • The server checks the group membership of the user to determine if it should allow access
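
One way to express the Windows authentication and group-membership check described in the answer above, as an added example that is not part of the original answer. The contract `IReportService`, the group `CONTOSO\ReportUsers`, the base address and the self-hosted `Main` are assumptions for illustration; under IIS the same binding and authorization settings would go in web.config.

```csharp
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IReportService            // hypothetical contract
{
    [OperationContract]
    string GetReport(int id);
}

public class ReportService : IReportService
{
    // The demand runs before the method body. A caller who is not in the
    // group fails the demand, and the client receives an access-denied fault.
    // CONTOSO\ReportUsers is a placeholder domain group.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\ReportUsers")]
    public string GetReport(int id)
    {
        // Identity WCF authenticated for this call (the logged-on domain user).
        string caller = ServiceSecurityContext.Current.WindowsIdentity.Name;
        return "Report " + id + " requested by " + caller;
    }
}

public static class Program
{
    public static void Main()
    {
        // Replaces the "null security" binding: message security with Windows
        // credentials, so the client sends the logged-on user's identity and
        // no SSL certificate has to be installed on the server.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // Assumed base address for a self-hosted test run.
        using (var host = new ServiceHost(typeof(ReportService),
                                          new Uri("http://localhost:8080/reports")))
        {
            host.AddServiceEndpoint(typeof(IReportService), binding, "");
            // Map the caller's Windows groups to roles for PrincipalPermission.
            host.Authorization.PrincipalPermissionMode =
                PrincipalPermissionMode.UseWindowsGroups;
            host.Open();
            Console.WriteLine("Listening. Press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

A client proxy generated for this endpoint sends the current user's Windows credentials by default, so no credential code is needed on the calling side when it runs as the logged-on domain user.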