How to: Configure an IIS-hosted WCF service with SSL
This topic describes how to set up an IIS-hosted WCF service to use HTTP transport security. HTTP transport security requires an SSL certificate to be registered with IIS. If you do not have an SSL certificate, you can use IIS to generate a test certificate. Next, you must add an SSL binding to the web site and configure the web site’s authentication properties. Finally, you need to configure the WCF service to use HTTPS.
Creating a Self-Signed Certificate
Open Internet Information Services Manager (inetmgr.exe), and select your computer name in the left-hand tree view. On the right-hand side of the screen, select Server Certificates.
In the Server Certificates window, click the Create Self-Signed Certificate… link.
Enter a friendly name for the self-signed certificate and click OK.
The newly created self-signed certificate details are now shown in the Server Certificates window.
The generated certificate is installed in the Trusted Root Certification Authorities store.
Add SSL Binding
Still in Internet Information Services Manager, expand the Sites folder and then the Default Web Site folder in the tree view on the left-hand side of the screen.
Click the Bindings… link in the Actions section in the upper right-hand portion of the window.
In the Site Bindings window, click the Add button.
In the Add Site Binding dialog, select https for the type and select the friendly name of the self-signed certificate you just created.
Configure Virtual Directory for SSL
Still in Internet Information Services Manager, select the virtual directory that contains your WCF secure service.
In the center pane of the window, select SSL Settings in the IIS section.
In the SSL Settings pane, select the Require SSL checkbox and click the Apply link in the Actions section on the right-hand side of the screen.
Configure WCF Service for HTTP Transport Security
In the WCF service’s web.config, configure the HTTP binding to use transport security as shown in the following XML.
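A web.config that applies transport security to an HTTP binding, given here as an added example and not as the XML from the original article. It assumes basicHttpBinding with no client credential; the service name, contract name, binding name and behavior name are hypothetical placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Hypothetical binding name. mode="Transport" means the channel
             is protected by HTTPS, so the endpoint is only reachable
             through the https site binding added in IIS. -->
        <binding name="secureHttpBinding">
          <security mode="Transport">
            <!-- Assumption: no client authentication at the transport
                 level. Other values include Basic, Windows and Certificate. -->
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <!-- Hypothetical service and contract names; replace with your own. -->
      <service name="MySecureService.Service"
               behaviorConfiguration="secureBehavior">
        <!-- Empty address: IIS supplies the base address from the
             virtual directory and the .svc file. -->
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="secureHttpBinding"
                  contract="MySecureService.IService" />
        <!-- Metadata exchange over HTTPS only. -->
        <endpoint address="mex"
                  binding="mexHttpsBinding"
                  contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="secureBehavior">
          <!-- Publish the WSDL over HTTPS and not over plain HTTP. -->
          <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
          <!-- Do not return exception details to callers. -->
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

With Require SSL selected on the virtual directory, a request to the service over plain http is rejected by IIS before it reaches WCF, so the binding and the IIS setting enforce the same requirement at two layers.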