netTcpBinding without Windows credentials?

Scott P · Aug 3, 2009

I've got a machine-control application where I have a single client computer and five server boxes communicating on the machine subnet. There is no domain controller. I would like to use netTcpBinding to allow for reliability and transaction support.

Is it possible to use username / password authentication with this binding, when a domain controller is not present? I would prefer not to use a certificate as I don't want to manage certificates across 900 computers (150 machines) that will not be connected to the office LAN.

Answer

marc_s · Aug 3, 2009

Yes, of course - but only if you use Message security (rather than transport security). Define your binding configuration like so:

  <netTcpBinding>
    <binding name="UserNameSecurity">
      <security mode="Message">
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </netTcpBinding>

and then reference that binding configuration in your endpoints (on server and client):

 <endpoint address="....."
           binding="netTcpBinding"
           bindingConfiguration="UserNameSecurity"
           contract="IMyService" />

Marc

UPDATE:
Ah, yes, on the server-side, you'll need a certificate to authenticate the service to the client calling it, and it's also used to encrypt+sign the messages. That's on the server only - clients need not install anything.

Configuration:

<behaviors>
  <serviceBehaviors>
    <behavior name="ServerInternet">
      <serviceCredentials>
        <serviceCertificate
           findValue="MyServiceCertificate"
           storeLocation="LocalMachine"
           storeName="My"
           x509FindType="FindBySubjectName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<services>
  <service name="MyServiceInternet"
           behaviorConfiguration="ServerInternet">
     ....
  </service>
</services>

Make sure to install your server's certificate into the "Local Machine" folder on your server, under the "subject name" that you specify in your config.
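The config above tells the service which certificate to present, but not how the UserName token the client sends is checked: WCF's default validation mode compares it against Windows accounts (domain or local), so a service with no domain controller usually plugs in its own validator. The following is an added example, not code from the answer or from WCF itself; `UserNamePasswordValidator` is the real WCF base class, while the class name, the salted PBKDF2 credential store and the sample user are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.Security.Cryptography;
using System.ServiceModel;

// Hypothetical validator (class and member names are assumptions). WCF calls
// Validate() for every UserName token arriving on the Message-secured netTcp
// channel; the default "Windows" mode has no domain to ask, so we decide here.
public class MachineSubnetValidator : UserNamePasswordValidator
{
    // Constructed store: user -> (salt, PBKDF2 hash). In practice load it from an
    // ACL-protected file deployed with the service; never keep passwords in source.
    private readonly Dictionary<string, Tuple<byte[], byte[]>> store =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);
    private static readonly byte[] DummySalt = new byte[16];

    public void AddUser(string user, string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        store[user] = Tuple.Create(salt, Derive(password, salt));
    }

    // PBKDF2 (RFC 2898) with 10,000 rounds, 32-byte output.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 10000)) return kdf.GetBytes(32);
    }

    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null) throw new ArgumentNullException("credentials");
        Tuple<byte[], byte[]> entry;
        bool known = store.TryGetValue(userName, out entry);
        // Run the KDF even for an unknown user so both failures take the same time,
        // and raise one generic fault so the client cannot enumerate accounts.
        byte[] derived = Derive(password, known ? entry.Item1 : DummySalt);
        if (!known || !FixedTimeEquals(derived, entry.Item2))
            throw new FaultException("Unknown username or incorrect password.");
    }

    // Compare every byte so timing does not reveal how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < Math.Min(a.Length, b.Length); i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

To wire it in, add `<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MachineSubnetValidator, MyAssembly" />` inside the `<serviceCredentials>` element of the behavior above (the assembly name is a placeholder), or set the same two properties on `host.Credentials.UserNameAuthentication` in code.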