I have a WCF service which is exposed using a single endpoint with netTcpBinding which sits on Server A, hosted on IIS7.5/WAS on our internal LAN on our domain.
This service is then consumed by an ASP.NET web client application sitting on Server B, also hosted on IIS7.5 with an external hosting provider outside of our domain, and linked to our LAN via a VPN secured to allow only traffic between Server A and Server B.
During development while I was testing the concept I ran the web client application on another IIS server internally on our domain using binding security mode="Transport"
and transport clientCredentialType="Windows"
which worked fine.
I then moved the web client application to the external Server B for further proof-of-concept testing setting the binding security mode="None"
, as obviously with this server being outside of our domain I cannot use Windows authentication, and it still works fine.
What I need to do now, to enable the switch back to using transport security is to set the clientCredentialType="Certificate"
, as you cannot have transport security with clientCredentialType="None"
.
This is where I have started to come unstuck. I seem to be going around in circles as to where in the web.config
of the service and the client web.config
to define the certificate and where to store which bits of the certificate.
Essentially what I'm trying to do is authenticate that Server B is indeed Server B calling the service on Server A, thus preventing any spoofing or DNS subversion issues, which could result in the service at Server A being illegally accessed.
My thinking is that I need to create a certificate for Server B to which Server A holds the public key to validate it? If this is the case Server B already has a wildcard SSL certificate installed on it as it serves various applications of ours as subdomains. Could this certificate be used for the WCF authentication?
None of the SO questions I've found seem to cover this, and all the various websites and book examples I've found aren't that clear. It's starting look like WCF configuration is somewhat of a black art.
This is all built using .NET 4 and Visual Basic. Any help would be greatly appreciated.