wcf-security

I am consuming a web service internal to my company from ASP.NET. I've used svcutil.exe to connect to the service and generate the bindings and classes from the wsdl. I am able to connect to the dev version, which does not require authentication. Now we are adding in security. My new URI uses https but also requires user credentials. I am very new to WCF, and am trying to determine the way to configure this. From my reading on MSDN , it appears that the way to go is using. UPDATE: Here is the most recent code I've been trying. This incorporates feedback from the answer(s): <system.serviceModel

Can any one explain me, what exactly the role of Service Certificate and what exactly it does in this Combination (Message Security - Client: UserName Validator, Server: Server Certificate).. If you can explain me step by step, it'll be really helpfull. Thanks in advance Service certificate is used as key artifact to establish secure channel between client and server. When client starts communication with server it first validates that certificate is trusted (it must be either installed in clients certification store or it must be issued by the authority the client trusts to). This validation

When I try to run my application from the WCF Test Client I receive the following error: Error: Cannot obtain Metadata from http://localhost:53867/MyAPI.svc If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address. For help enabling metadata publishing, please refer to the MSDN documentation at http://go.microsoft.com/fwlink/?LinkId=65455.WS-Metadata Exchange Error URI: http://localhost:53867/MyAPI.svc Metadata contains a reference that cannot be resolved: 'http://localhost:53867/MyAPI

I need some help with the architechture of a WCF application. The will be a number of services that should be available to serve a number of different clients, e.g. ASP.Net application (JavaScript and/or Silverlight) iPhone Windows Mobile Android Some of the services need authentication and some will be available w/o authentication. I need some advice on the services that need authentication, I want to use username/password credentials over SSL. How (if possible/recommended for all the client types) should I design this in WCF? You can (and should) decouple Authentication from service

I have a working custom UserNamePasswordValidator that calls into my Oracle DB. This class derives from System.IdentityModel.Selectors.UserNamePasswordValidator and the Validate() method returns void. I load my User object from the database, and once the password is validated, I want to stash my "User" object so the service can access it when going about its business. In ASP.NET / Java land I would stash it into a session, or perhaps my overall Controller class. How do I do this from the Validator in WCF? Or, in other words, what is the best practice in WCF land to set a custom User domain