Transport security is used to provide point-to-point security between the two endpoints (service and client). If there are intermediary systems between the client and the service, each intermediate point must forward the message over a new SSL connection.
Use transport security for the following scenarios:
• You are sending a message directly from your application to a WCF service and the message will not be routed through intermediate systems.
• You have both the service and the client in an intranet.
Using transport security has the following advantages:
• It provides interoperability, meaning that communicating parties do not need to understand the WS-Security specification.
• It may result in better performance.
• Hardware accelerators can be used to further improve performance.
Using transport security has the following disadvantages:
• Because security is applied on a point-to-point basis, there is no provision for multiple hops or routing through intermediate application nodes.
• It supports a limited set of credentials and claims compared to message security.
• It depends on the underlying platform, transport mechanism, and security service provider, such as NTLM or Kerberos.
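The intranet scenario above as a self-hosted service and client, added here as an example and not taken from the original page: both sides use NetTcpBinding with SecurityMode.Transport and Windows credentials, so the transport negotiates Kerberos or NTLM. The IEcho contract, the EchoService class and the net.tcp://localhost:8090/echo address are hypothetical, and the code assumes .NET Framework with a reference to System.ServiceModel.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;

// Hypothetical contract and service; names chosen for this example.
[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string WhoAmI();
}

public class EchoService : IEcho
{
    // Returns the Windows identity that the transport authenticated (Kerberos or NTLM).
    public string WhoAmI()
    {
        return ServiceSecurityContext.Current.WindowsIdentity.Name;
    }
}

public static class Program
{
    // Binding shared by both sides: security is applied to the TCP stream, not to the SOAP message.
    static NetTcpBinding TransportSecuredBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    public static void Main()
    {
        var address = new Uri("net.tcp://localhost:8090/echo"); // assumed address
        using (var host = new ServiceHost(typeof(EchoService)))
        {
            host.AddServiceEndpoint(typeof(IEcho), TransportSecuredBinding(), address);
            host.Open();

            // Direct client-to-service call: one hop, so one secured connection covers the whole path.
            var factory = new ChannelFactory<IEcho>(TransportSecuredBinding(), new EndpointAddress(address));
            IEcho client = factory.CreateChannel();
            Console.WriteLine("Service saw caller: " + client.WhoAmI());
            factory.Close();
        }
    }
}
```

TcpClientCredentialType offers only None, Windows and Certificate, which illustrates the limited credential set listed among the disadvantages.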