WCF username without certificate

Question

I\'m working on a project where I need the following.

• WCF service on the server side (.NET 3.5)
• WPF client for the client side (.NET 3.0)

Answer 1

Short answer; you can't. As soon as you use username/password you need some sort of secure channel.

However you don't need certificates on the clients; only on the server.

Answer 2

Actually it's possible, but you will need to implement your own binding.

Yaron Naveh developed a WCF binding that enables clear text username/password over HTTP. His article includes the code for the binding.

Answer 3

I don't know the details of your network infrastructure, but if you are in a Windows domain, you should consider using Windows credentials.

It is possible to use a Message security without certificates if you use Windows credentials. This is the default behavior of the wsHttpBinding (out of the box).

Using the out-of-the-box solutions (without implementing your own binding) WCF encourage (requires) you to use a secure channel whenever authentication credentials are included in the messages.

Using a custom binding that allows you to specify credentials in clear text is surely a solution, but I would think twice before using it.