wcf-security

I have an existing working WPF Application in which I have implemented my own custom authentication to a backend WCF service. When I access this service from WPF, setup the ServiceProxy as follows: proxy.ClientCredentials.UserName.UserName = "test"; proxy.ClientCredentials.UserName.Password = "pass"; and because I'm using HTTPS the uid/pwd is secure. In Silverlight 2 there is no .ClientCredentials object on the proxy. The only option I've found is to add two string parameters to EVERY WCF Exposed method for Uid/Pwd. That sounds like insanity to me, there MUST be a better way, no? Unfortunately

I have a self-hosted WCF service with netTcpBinding bindings. Both my servers and clients will all be in the same domain, so I'd like to use windows authentication, but I'd also like the clients to verify server credentials (to avoid an internal man-in-the-middle/dns tampering attack). I've read that the way to do this is to use an SPN, but I can't seem to get that to work; no matter what the spn is set to the client works (i.e. the server and client don't match, but the client connects anyway). Obviously I've got some kind of configuration error, but I'm not sure where. Here is the service

I am attempting to secure a new .Net 4.5 WCF service using HTTPS / SSL, Basic client credentials and the WebHttpBinding . From reading up online I found a good series of Blog Posts from Allen Conway which I have used as a template. WCF configuration <system.serviceModel> <bindings> <webHttpBinding> <binding name="webInteropSecureBinding" allowCookies="false" maxBufferPoolSize="2097152" maxBufferSize="2097152" maxReceivedMessageSize="2097152"> <security mode="Transport"> <transport clientCredentialType="Basic"></transport> </security> </binding> </webHttpBinding> </bindings> <services> <service

Firstly, Thanks to all those patient techies trying to help unknown people. Secondly, I have a wcf service which should be consumed by only several clients (10) known to our company. This wcf service has the x509certificate "CN=ABCD". Now it expects to receive a certificate in turn from clients to consume this service. So here are the design questions Should I create one certificate "CN=ABCD" , then right click on it and export as pfx files and distribute them to Clients? Some say to validate in code and some say to validate in config which is better? How should I know which client is calling

I am using WCF Message level security with the following wsHttpBinding <security mode="Message"> <message clientCredentialType="Windows" establishSecurityContext="false" /> </security> Each time i call the service is a separate operation, and there is no need to keep any session state. I am running into a problem with load balancer, because WCF keeps re-using security tokens, so if the first call goes to NodeA, it creates a security token which is re-used. If that token is passed to NodeB tripping up MessageSecurityException Seems like microsofts answer to this is to use sticky sessions, which