Using Wcf SSl certificate over Tcp without client certificate (Server side only)

Question

Is there any way to use WCF SSL with NetTcpBinding that would not require a client certificate to be installed on the client machine? (SSL V2 if i\'m not mistaken).

Answer 1

it you are using netTcpBiding and need to use Transport security then you have 3 options, the first option requires service cert, the second requires no cert at all, the third requires both service cert and client cert. for your scenario, you should use option1 that will authenticate the service via it's cert and will proice Confidentiality and Integrity for the messages.

C >> Confidentiality
I >> Integrity
A >> Authentication (That will happen for the client)

1- Option one provide (C + I) no authentication will happen for the client, In this case the TCP SSL (not the HTPS SSL) will be used to provide the C and I, and the service will be

<!--//Below are the configuration for both the service and the client-->
<netTcpBinding>
    <binding name="TcpSecureBinding">
      <security mode="Transport">
        <transport clientCredentialType="None"></transport>
      </security>
    </binding>
  </netTcpBinding>

also because the TCP SSL will be used then the service must provide a certificate for the client, so you need to install a certificate in the server and conigure the service to use this certificate to prove it's identity, also you need to install the root certificate authority certificate for the service certificate on the client machine (typically in the LocalMachine/Trusted Root Certification Authorities), and the service need to have the below behavior to specify the certificate for the service

<serviceBehaviors>
    <behavior>
      <serviceCredentials>
        <serviceCertificate findValue="localhost"
                            x509FindType="FindByIssuerName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>

2- option two provide (A+ [C + I]), the C and I are optional as you configure via the protectionLevel element. the client auth will be windows auth (Typically will use Windows Stream Security to achieve the A, C and I)

<!--//Below are the configuration for both the service and the client-->
<netTcpBinding>
    <binding name="TcpSecureBinding">
      <security mode="Transport">
        <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"></transport>
      </security>
    </binding>
  </netTcpBinding>

3- option 3 provide (A + C + I), the C and I are not optional and the client authentication will be via client certificate (each client must have his own certificate ), In this case the TCP SSL (not the HTPS SSL) will be used to provide the A, C and I.

<!--//Below are the configuration for both the service and the client-->
<binding name="TcpSecureBinding">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"></transport>
      </security>
    </binding>

also because the TCP SSL will be used then the service must provide a certificate for the client, so you need to install a certificate in the server and conigure the service to use this certificate to prove it's identity, also you need to install the root certificate authority certificate for the service certificate on the client machine (typically in the LocalMachine/Trusted Root Certification Authorities), and the service need to have the below behavior to specify the certificate for the service

<serviceBehaviors>
    <behavior>
      <serviceCredentials>
        <serviceCertificate findValue="localhost"
                            x509FindType="FindByIssuerName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>