
Secure a WCF Web Service Running on IIS

There are many different ways to secure a Web Service. My preferred method is HTTPS on the Transport level (the wire) and authentication by Client Certificates. Here's the way I found to do it:

Enable HTTPS for the Web Service and Require Client Certificates
  1. Apply the Server Certificate to the Website in IIS.
  2. Add an HTTPS binding on the Website.
  3. Require Client Certificates on the Website.
  4. Enable the HTTPS protocol on the Application.
  5. Add a <transport> tag inside the <security> tag of the wsHttpBinding binding in web.config:
    ....
    <wsHttpBinding>
        <binding name="..." ...>
            <security mode="Transport">
                <transport clientCredentialType="Certificate"/>
            </security>
        </binding>
    </wsHttpBinding>
    ....
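
One way to confirm that step 5 actually applies to the service, as an added example that is not part of the original post: this Python script parses a web.config and lists every wsHttpBinding service endpoint that does not resolve to a binding with Transport security and Certificate client credentials. The sample config, its binding names and the Demo.* names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config: "SecureBinding" follows step 5 of the post;
# "LegacyBinding" and the "plain" endpoint show two common misconfigurations.
SAMPLE_CONFIG = """<configuration><system.serviceModel>
 <bindings><wsHttpBinding>
  <binding name="SecureBinding"><security mode="Transport">
    <transport clientCredentialType="Certificate"/></security></binding>
  <binding name="LegacyBinding"><security mode="Transport">
    <transport clientCredentialType="None"/></security></binding>
 </wsHttpBinding></bindings>
 <services><service name="Demo.OrderService">
  <endpoint address="" binding="wsHttpBinding"
            bindingConfiguration="SecureBinding" contract="Demo.IOrders"/>
  <endpoint address="old" binding="wsHttpBinding"
            bindingConfiguration="LegacyBinding" contract="Demo.IOrders"/>
  <endpoint address="plain" binding="wsHttpBinding" contract="Demo.IOrders"/>
 </service></services>
</system.serviceModel></configuration>"""

def audit_wshttp_endpoints(config_xml):
    """Return (address, reason) for each wsHttpBinding service endpoint that
    is not bound to Transport security with Certificate client credentials."""
    root = ET.fromstring(config_xml)
    secure = set()
    for b in root.findall(".//bindings/wsHttpBinding/binding"):
        sec = b.find("security")
        tr = sec.find("transport") if sec is not None else None
        if (sec is not None and sec.get("mode") == "Transport" and tr is not None
                and tr.get("clientCredentialType") == "Certificate"):
            # Assumption: a binding without a name acts as the default (WCF 4+).
            secure.add(b.get("name", ""))
    findings = []
    for ep in root.findall(".//services/service/endpoint"):
        if ep.get("binding") != "wsHttpBinding":
            continue
        name = ep.get("bindingConfiguration", "")
        if name in secure:
            continue
        reason = ("binding %r lacks Transport + Certificate" % name if name
                  else "no bindingConfiguration and no secure default binding")
        findings.append((ep.get("address", ""), reason))
    return findings

if __name__ == "__main__":
    for address, reason in audit_wshttp_endpoints(SAMPLE_CONFIG):
        print("endpoint %r: %s" % (address, reason))
```

An endpoint that omits bindingConfiguration is flagged because a wsHttpBinding without configuration defaults to Message security, so the <transport> setting never reaches it.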
Enable WCF client to authenticate with a Client Certificate