WCF Security Resources

Contents

• Getting Started
• Articles
• Blogs
• Channel9
• Documentation
• Guides
• Posts
• patterns & practices
• Product Support Services (PSS)
• Samples
• Videos
• WebCasts

Getting Started

Microsoft

• Microsoft MSDN® Library: Fundamental Windows Communication Foundation Concepts
• MSDN Library: Windows Communication Foundation Security
• WCF Security Documentation: Security Overview

Community

• DevX.com: Fundamentals of WCF Security by Michèle Leroux Bustamante
• TheServerSide.NET: WCF Security Learning Guide by Brent Sheets

Articles

Microsoft

• MSDN Library: “The .NET Developer's Guide to Identity,” by Keith Brown
• MSDN Magazine: “Identity: Secure Your ASP.NET Apps And WCF Services With Windows CardSpace,” by Michèle Leroux Bustamante
• MSDN Magazine: “IIS 7.0: Extend Your WCF Services Beyond HTTP With WAS,” by Dominick Baier, Christian Weyer, and Steve Maine
• MSDN Magazine: “Security Briefs: Exploring Claims-Based Identity,” by Keith Brown
• MSDN Magazine: “Security Briefs: Limited User Problems and Split Knowledge,” by Keith Brown
• MSDN Magazine: “Security Briefs: Security in Windows Communication Foundation,” by Keith Brown
• MSDN Magazine: “Service Station: WCF Messaging Fundamentals,” by Aaron Skonnard

Community

• DevX.com: “Fundamentals of WCF Security,” by Michèle Leroux Bustamante
• TheServerSide.NET: “Building a Claims-Based Security Model in WCF,” by Michèle Leroux Bustamente
• TheServerSide.NET: “Building a Claims-Based Security Model in WCF — Part 2,” by Michèle Leroux Bustamente
• TheServerSide.NET: “Securing Your WCF Service,” by William Tay
• TopXML :”BizTalk and WCF: Part II, Security Patterns,” by Richard Seroter

Blogs

Microsoft

• J.D. Meier — https://blogs.msdn.com/jmeier/archive/tags/WCF/default.aspx
• Kim Cameron — http://www.identityblog.com/
• Kenny Wolf — http://kennyw.com/category/indigo
• Nicholas Allen — https://blogs.msdn.com/drnick/
• Ralph Squillace — https://blogs.msdn.com/ralph.squillace/
• Steve Maine — http://hyperthink.net/blog/
• Tomasz Janczuk —http://www.pluralsight.com/community/blogs/tjanczuk/
• Vittorio Bertocci — https://blogs.msdn.com/vbertocci/
• Wenlong Dong — https://blogs.msdn.com/wenlong/

Community

• Dominick Baier — http://www.leastprivilege.com/
• Keith Brown — http://www.pluralsight.com/community/blogs/keith/
• Michèle Leroux Bustamante — http://www.thatindigogirl.com/
• Thomas Restrepo — http://winterdom.com/2002/03/weblogplunge

Channel9

Podcasts

• ARCast: “Secure, Reliable Transacted Messaging with WCF (Part 1)”
• ARCast: “Secure, Reliable Transacted Messaging with WCF (Part 2)”

ARCast.TV

• ARCast.TV: “WCF Session Behavior from Slovenia”

Videos

• Vittorio Bertocci: “WS-Trust — Under the Hood”

Tags

• WCF tag: https://channel9.msdn.com/tags/WCF/

Documentation

Overview

• Architecture
• Concepts
• Distributed Application Security
• Security Architecture
• Security Overview
• WCF Security Terminology

Guidance

• Best Practices for Queued Communication
• Best Practices for Reliable Sessions
• Security Guidance and Best Practices

Scenarios

• Common Security Scenarios
• Identity Model Scenarios

Threats and Countermeasures

• Threats and Countermeasures

Topics

• Auditing
• Authentication
• Authorization
• Authorization Mechanisms
• Bindings and Security
• Claims-Based Authorization
• Configuration Schema
• Federation and Issued Tokens
• Hosting
• Impersonation and Delegation
• Impersonation with Transport Security
• Message Security in WCF
• Partial Trust
• Reliable Sessions Overview
• SAML Tokens and Claims
• Security Capabilities with Custom Bindings
• Secure Conversations and Secure Sessions
• Secure Sockets Layer (SSL)
• Securing Services and Clients
• Transport Security Overview
• X.509 Certificates

How-to Articles

• How to: Audit Windows Communication Foundation Security Events
• How to: Configure Credentials on a Federation Service
• How to: Configure a Local Issuer
• How to: Configure a Port with an SSL Certificate
• How to: Consistently Reference X.509 Certificates
• How to: Create a Custom Binding Using the SecurityBindingElement
• How to: Create a Federated Client
• How to: Create a Secure Session
• How to: Create a Security Token Service
• How to: Create a Stateful Security Context Token for a Secure Session
• How to: Create a Supporting Credential
• How to: Create Temporary Certificates for Use During Development
• How to: Create a wsFederationHttpBinding
• How to: Create a Custom Reliable Session Binding with HTTPS
• How to: Disable Encryption of Digital Signatures
• How to: Disable Secure Sessions on a wsFederationHttpBinding
• How to: Enable Message Replay Detection
• How to: Exchange Messages Within a Reliable Session
• How to: Impersonate a Client on a Service
• How to: Make X.509 Certificates Accessible to WCF
• How to: Obtain a Certificate (WCF)
• How to: Restrict Access with the PrincipalPermissionAttribute Class
• How to: Retrieve the Thumbprint of a Certificate
• How to: Secure Messages within Reliable Sessions
• How to: Secure a Service with Windows Credentials
• How to: Secure a Service with an X.509 Certificate
• How to: Set Up a Signature Confirmation
• How to: Set a Max Clock Skew
• How to: Specify the Certificate Authority Certificate Chain Used to Verify Signatures (WCF)
• How to: Use the ASP.NET Authorization Manager Role Provider with a Service
• How to: Use the ASP.NET Membership Provider
• How to: Use the ASP.NET Role Provider with a Service
• How to: Use a Custom User Name and Password Validator
• How to: Use Multiple Security Tokens of the Same Type
• How to: Use Transport Security and Message Credentials
• How to: View Certificates with the MMC Snap-in

Guides

Community

• dasblonde.net: “WCF Security Fundamentals,” by Michèle Leroux Bustamante
• TheServerSide.NET: “WCF Security Learning Guide,” by Brent Sheets

Posts

Microsoft

• Alexander Strauss: “WCF — Let's Start The Dialogue”
• Alik Levine: “How To Consume WCF Using AJAX Without ASP.NET”

Community

• Dominick Baier: “Using IdentityModel: Authorization Policies, Context and Claims Transformation”
• Dominick Baier: “Using IdentityModel: Creating Custom Claim Sets”
• Dominick Baier: “Using IdentityModel: Typical Operations on Claim Sets”
• Dominick Baier: “Using IdentityModel: Windows and X509Certificate Claim Sets”
• Dominick Baier: “Using IdentityModel: Inspecting Claim Sets”
• Dominick Baier: “Using IdentityModel: Claim Sets”
• Dominick Baier: “Using IdentityModel: Claims”
• Dominick Baier: “Be careful with ServiceAuthorizationManager.CheckAccess()”
• Dominick Baier: “UserName SupportingToken in WCF”
• Paolo Pialorsi: “WCF Custom Authentication and Impersonation”
• Tomas Restrepo: “WCF Configuration Complexity”

patterns & practices

• WCF Security Guidance Package

Product Support Services (PSS)

• WCF Troubleshooting Quickstart

Samples

Microsoft

• Basic Windows Communication Foundation Technology Samples
• Windows Communication Foundation Samples

Community

• Paolo Pialorsi: “WCF Security Full Demo”

Videos

• MSDN TV: Windows Communication Foundation Bindings and Channels by Clemens Vasters
• MSDN Webcast: Windows Communication Foundation Top to Bottom (Part 10 of 15): Security Fundamentals (Level 200)

WebCasts

MSDN Support WebCasts

• MSDN Support WebCast: Building distributed services on the Windows Communication Foundation