I have created a WCF service and I have used wsHttpBinding with MTOM as the message transport, with authentication set to "Windows".
Currently my service is not SECURE: it is plain HTTP, running on a custom port.
Is Windows Authentication with WCF's wsHttpBinding secure? Can anyone see the password, or guess it, through a network trace?
Environment Information:
Here is the app.config:

```xml
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="metaAndErrors">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <dataContractSerializer maxItemsInObjectGraph="2147483647" />
        <serviceAuthorization impersonateCallerForAllOperations="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="CustomServiceHost.CustomService"
             behaviorConfiguration="metaAndErrors">
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="wsHttpLargeBinding"
                contract="CustomServiceHost.ICustomService" />
      <endpoint address="mex" binding="mexHttpBinding"
                contract="IMetadataExchange" />
      <host>
        <baseAddresses>
          <add baseAddress="http://localhost:89/CustomService" />
        </baseAddresses>
      </host>
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpLargeBinding" messageEncoding="Mtom"
               maxReceivedMessageSize="2147483647">
        <readerQuotas maxArrayLength="512000" />
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>
```
Following is the client configuration, done at runtime:

```csharp
// Message-level security with Windows (Kerberos/NTLM) client credentials,
// MTOM encoding, same reader quota as the service side.
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
binding.Security.Mode = SecurityMode.Message;
binding.MessageEncoding = WSMessageEncoding.Mtom;
binding.ReaderQuotas.MaxArrayLength = 512000;

// Plain HTTP endpoint on the custom port 89.
CustomServiceClient cc = new CustomServiceClient(
    binding,
    new EndpointAddress(string.Format("http://{0}:89/CustomService", host.ServerHost))
);

// Allow the service to impersonate the caller, and supply explicit Windows credentials.
cc.ClientCredentials.Windows.AllowedImpersonationLevel
    = System.Security.Principal.TokenImpersonationLevel.Impersonation;
cc.ClientCredentials.Windows.ClientCredential
    = new NetworkCredential(host.Username, host.Password);
```
Thank you, - Akash
Regarding your question about the passwords: Windows Authentication either uses Kerberos or NTLM and neither protocol transfers passwords in clear text.
This information is written here: http://msdn.microsoft.com/en-us/library/ff647076.aspx
You should use Integrated Windows authentication instead of basic authentication because it avoids transmitting user credentials over the network.
This means you do not need SSL to protect your passwords, but if you have other information that is sensitive (in your service calls) then you should consider using encryption (e.g. SSL). I did not try this, but it should get you started:
http://www.codeproject.com/KB/WCF/WCFSSL.aspx
Another option would be to encrypt the messages (message security instead of transport security). Here is another link that should get you started:
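As an added example (not code from the question or the answer), here are the three client-side WSHttpBinding choices discussed on this page side by side: no security at all, the question's message security with Windows credentials, and the transport (SSL) option the answer suggests. The class and method names are my own; the endpoint is assumed to be the question's `CustomService` on port 89.

```csharp
using System;
using System.ServiceModel;

// Hypothetical helper class: builds the client binding for each security choice
// so the differences can be compared in one place.
static class WsHttpBindingChoices
{
    // 1. SecurityMode.None: no authentication and no protection. The SOAP body
    //    (and everything in it) travels over plain HTTP in the clear. This is the
    //    situation the question is worried about, and it is NOT what the question's
    //    client code configures.
    public static WSHttpBinding Unprotected()
    {
        var b = new WSHttpBinding(SecurityMode.None);
        b.MessageEncoding = WSMessageEncoding.Mtom;
        return b;
    }

    // 2. SecurityMode.Message + Windows credentials: the question's actual setup.
    //    WCF negotiates an SSPI (Kerberos/NTLM) security context through WS-Trust,
    //    so the password itself is never sent; the negotiated session key then
    //    signs and encrypts each SOAP message even though the carrier is plain
    //    HTTP on port 89. This is the "encrypt the messages" option from the answer.
    public static WSHttpBinding MessageSecurityWindows()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        b.MessageEncoding = WSMessageEncoding.Mtom;
        return b;
    }

    // 3. SecurityMode.Transport + Windows credentials: the SSL option from the
    //    answer. The endpoint address must be https://..., the host needs a
    //    certificate bound to the port, and the TLS channel protects the whole
    //    HTTP exchange, including the Windows authentication handshake.
    public static WSHttpBinding TransportSecurityWindows()
    {
        var b = new WSHttpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        b.MessageEncoding = WSMessageEncoding.Mtom;
        return b;
    }

    // Endpoint for option 3; the scheme must match the binding's security mode.
    public static EndpointAddress HttpsEndpoint(string serverHost) =>
        new EndpointAddress(string.Format("https://{0}:89/CustomService", serverHost));
}
```

A quick way to confirm which case you are in is to capture the HTTP traffic: with option 2 the SOAP body appears as an `EncryptedData` element rather than readable XML, while option 1 shows the operation parameters verbatim.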