You develop a Windows Communication Foundation (WCF) service that uses basic authentication for client credentials.
This service is currently configured to use message security. The service is hosted on a server in workgroup mode.
Users report that their passwords are stolen when they use public computers.
You need to ensure that messages are secure and users are authenticated.
You prevent the service from being called over HTTP through Microsoft Internet Information Services (IIS) configuration.
What should you do next?
A. Use the transport security mode and specify None for transport client credential type.
B. Use the transportWithMessageCredential security mode and specify Basic for the transport client credential type.
C. Use the message security mode and specify Basic for the transport client credential type.
D. Use the transportWithMessageCredential security mode and specify None for the transport client credential type.
Explanation:
By default, the wsHttpBinding binding provides HTTP communication. When configured for transport security,
the binding supports HTTPS communication. HTTPS provides confidentiality and integrity protection for the messages
that are transmitted over the wire. However, the set of authentication mechanisms that can be used to authenticate
the client to the service is limited to what the HTTPS transport supports. Windows Communication Foundation (WCF)
offers a TransportWithMessageCredential security mode that is designed to overcome this limitation. When this security mode is configured, the transport security is used to provide confidentiality and integrity for the transmitted
messages and to perform the service authentication. However, the client authentication is performed by putting the client credential
directly in the message. This allows you to use any credential type that is supported by the message security mode for the client
authentication while keeping the performance benefit of transport security mode.
B
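The configuration the explanation describes, as an added example that is not part of the original question: a wsHttpBinding in TransportWithMessageCredential mode exposed on an HTTPS address. The service, contract, binding and behavior names and the host name are hypothetical, and the UserName message credential type is an assumption for carrying the user's name and password inside the message.

```xml
<!-- Added example: web.config fragment for a service hosted in IIS. -->
<!-- All names (Contoso.*, secureWsHttp, secureBehavior) are hypothetical. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="secureWsHttp">
        <!-- HTTPS protects the channel and authenticates the service; -->
        <!-- the client credential travels inside the SOAP message. -->
        <security mode="TransportWithMessageCredential">
          <!-- Transport client credential type as selected in option B. -->
          <transport clientCredentialType="Basic" />
          <!-- Assumption: user name and password sent as a message credential. -->
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <services>
    <service name="Contoso.OrderService" behaviorConfiguration="secureBehavior">
      <!-- Only an https:// endpoint is exposed; HTTP is blocked in IIS. -->
      <endpoint address="https://service.example.com/OrderService.svc"
                binding="wsHttpBinding"
                bindingConfiguration="secureWsHttp"
                contract="Contoso.IOrderService" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="secureBehavior">
        <!-- Publish metadata over HTTPS only. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        <!-- Do not return exception details to callers. -->
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <!-- Server is in workgroup mode: validate against local Windows accounts. -->
          <userNameAuthentication userNamePasswordValidationMode="Windows" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```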