There are many different ways to secure a Web Service. My preferred method is HTTPS on the Transport level (the wire) and authentication by Client Certificates. Here's the way I found to do it:
Enable HTTPS for the Web Service and Require Client Certificates
- Apply the Server Certificate to the Website in IIS.
- Add an HTTPS binding on the Website.
- Require Client Certificates on the Website.
- Enable the HTTPS protocol on the Application.
- Add a <transport> tag to the <security> tag under the wsHttpBinding binding in web.config.

    ....
    <wsHttpBinding>
      <binding name="..." ...>
        <security mode="Transport">
          <transport clientCredentialType="Certificate"/>
        </security>
      </binding>
    </wsHttpBinding>
    ....
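The check below is an added example, not code from the original post: it parses a web.config and reports every wsHttpBinding endpoint that does not resolve to a binding with Transport security and clientCredentialType="Certificate". It goes one step beyond the snippet above by also flagging endpoints that never reference the hardened binding. The sample config, the service and binding names, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the original page).
SAMPLE_CONFIG = """<configuration><system.serviceModel>
  <bindings><wsHttpBinding>
    <binding name="certOverTls"><security mode="Transport">
      <transport clientCredentialType="Certificate"/></security></binding>
    <binding name="legacy"><security mode="None"/></binding>
  </wsHttpBinding></bindings>
  <services><service name="Demo.OrderService">
    <endpoint address="" binding="wsHttpBinding"
              bindingConfiguration="certOverTls" contract="Demo.IOrders"/>
    <endpoint address="old" binding="wsHttpBinding"
              bindingConfiguration="legacy" contract="Demo.IOrders"/>
    <endpoint address="raw" binding="wsHttpBinding" contract="Demo.IOrders"/>
  </service></services>
</system.serviceModel></configuration>"""


def hardened_bindings(root):
    """Names of wsHttpBinding configurations using Transport security with
    clientCredentialType="Certificate". An unnamed binding is recorded as ""
    (assumption: it acts as the default for endpoints that name none)."""
    names = set()
    for b in root.iterfind(".//bindings/wsHttpBinding/binding"):
        tr = b.find("security[@mode='Transport']/transport")
        if tr is not None and tr.get("clientCredentialType") == "Certificate":
            names.add(b.get("name", ""))
    return names


def audit(config_xml):
    """Return (service, address, reason) for every wsHttpBinding endpoint
    that does not resolve to a hardened binding configuration."""
    root = ET.fromstring(config_xml)
    good = hardened_bindings(root)
    findings = []
    for svc in root.iterfind(".//services/service"):
        for ep in svc.iterfind("endpoint[@binding='wsHttpBinding']"):
            cfg = ep.get("bindingConfiguration", "")
            if cfg in good:
                continue
            reason = (f"binding '{cfg}' is not Transport+Certificate" if cfg
                      else "no bindingConfiguration: binding defaults apply")
            findings.append((svc.get("name"), ep.get("address"), reason))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```
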
Enable WCF client to authenticate with a Client Certificate