Information
The topic you requested is included in another documentation set. For convenience, it's displayed below. Choose Switch to see the topic in its original location.

SslStreamSecurityBindingElement Class

Represents a custom binding element that supports channel security using an SSL stream.

Namespace:  System.ServiceModel.Channels
Assembly:  System.ServiceModel (in System.ServiceModel.dll)
public class SslStreamSecurityBindingElement : StreamUpgradeBindingElement, 
	ITransportTokenAssertionProvider, IPolicyExportExtension

The SslStreamSecurityBindingElement type exposes the following members.

  NameDescription
Public methodSupported in .NET for Windows Store appsSslStreamSecurityBindingElement()Initializes a new instance of the SslStreamSecurityBindingElement class.
Protected methodSslStreamSecurityBindingElement(SslStreamSecurityBindingElement)Initializes a new instance of the SslStreamSecurityBindingElement class using the values from another SslStreamSecurityBindingElement.
Top
  NameDescription
Public propertyIdentityVerifierGets or sets the identity verifier for this binding.
Public propertyRequireClientCertificateGets or sets a value that specifies whether a client certificate is required for this binding.
Top
  NameDescription
Public methodSupported in .NET for Windows Store appsBuildChannelFactory<TChannel>Creates a channel factory of a specified type. (Overrides BindingElement.BuildChannelFactory<TChannel>(BindingContext).)
Public methodBuildChannelListener<TChannel>Creates a channel listener of a specified type. (Overrides BindingElement.BuildChannelListener<TChannel>(BindingContext).)
Public methodBuildClientStreamUpgradeProviderCreates an instance on the client of the StreamUpgradeProvider based on the channel context provided. (Overrides StreamUpgradeBindingElement.BuildClientStreamUpgradeProvider(BindingContext).)
Public methodBuildServerStreamUpgradeProviderCreates an instance on the server of the StreamUpgradeProvider based on the channel context provided. (Overrides StreamUpgradeBindingElement.BuildServerStreamUpgradeProvider(BindingContext).)
Public methodSupported in .NET for Windows Store appsCanBuildChannelFactory<TChannel>Gets a value that indicates whether a channel factory of the specified type can be built. (Overrides BindingElement.CanBuildChannelFactory<TChannel>(BindingContext).)
Public methodCanBuildChannelListener<TChannel>Gets a value that indicates whether a channel listener of the specified type can be built. (Overrides BindingElement.CanBuildChannelListener<TChannel>(BindingContext).)
Public methodSupported in .NET for Windows Store appsCloneCreates a new instance that is a copy of the current instance. (Overrides BindingElement.Clone().)
Public methodSupported in .NET for Windows Store appsEquals(Object)Determines whether the specified object is equal to the current object. (Inherited from Object.)
Protected methodSupported in .NET for Windows Store appsFinalizeAllows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.)
Public methodSupported in .NET for Windows Store appsGetHashCodeServes as the default hash function. (Inherited from Object.)
Public methodSupported in .NET for Windows Store appsGetProperty<T>Gets a specified object from the BindingContext. (Overrides BindingElement.GetProperty<T>(BindingContext).)
Public methodGetTransportTokenAssertionGets the XmlElement that represents the transport token used in the security binding.
Public methodSupported in .NET for Windows Store appsGetTypeGets the Type of the current instance. (Inherited from Object.)
Protected methodSupported in .NET for Windows Store appsMemberwiseCloneCreates a shallow copy of the current Object. (Inherited from Object.)
Public methodShouldSerializeIdentityVerifierGets a value that indicates whether the identify verifier should be serialized.
Public methodSupported in .NET for Windows Store appsToStringReturns a string that represents the current object. (Inherited from Object.)
Top
  NameDescription
Explicit interface implemetationPrivate methodIPolicyExportExtension.ExportPolicyExports a custom policy assertion about bindings.
Top

Transports that use a stream-oriented protocol such as TCP and named pipes support stream-based transport upgrades. Specifically, Windows Communication Foundation (WCF) provides security upgrades. The configuration of this transport security is encapsulated by this class as well as by SslStreamSecurityBindingElement, which can be configured and added to a custom binding. In addition, a third party can write their own custom StreamSecurityBindingElement. These binding elements extend the StreamUpgradeBindingElement class that is called to build the client and server stream upgrade providers.

A custom binding contains a collection of binding elements arranged in a specific order: the element that represents the top of the binding stack is added first, the next element down in the binding stack is added second, and so on.

To add this class to a binding

  1. Create a BindingElementCollection.

  2. Create custom binding elements that are above this binding element in the binding stack, such as the optional TransactionFlowBindingElement and ReliableSessionBindingElement.

  3. Add the created elements in the order described previously to the BindingElementCollection using the InsertItem method.

  4. Create an instance of SslStreamSecurityBindingElement and add it to the collection.

  5. Add any additional custom binding elements to the collection, such as TcpTransportBindingElement.

There are three scenarios in which you must either manually specify the correct UPN/SPN on the client endpoint after importing the WSDL, or specify a custom IdentityVerifier on the client’s SslStreamSecurityBindingElement.

  1. No service identity is published in WSDL. SspiNegotiatedOverTransport and HTTPS are used (for example, a WSHttpBinding with SecurityMode = TransportWithMessageCredential). If the service is not running with the machine identity, you must manually specify the correct UPN/SPN on the client endpoint after importing the WSDL.

  2. DNSservice identity is published in WSDL. SspiNegotiatedOverTransport and SslStreamSecurityBindingElement are used (for example, NetTcpBinding with SecurityMode = TransportWithMessageCredential) instead of a UPN/SPN. If the service is not running with the machine identity, or the DNS identity is not the machine's identity, you must manually specify the correct UPN/SPN on the client endpoint after importing the WSDL.

  3. DNS identity is published in WSDL. If SslStreamSecurityBindingElement is overridden on the client, you must specify a custom IdentityVerifier on the client's SslStreamSecurityBindingElement.

The following code shows how to manually specify the correct UPN/SPN on the client endpoint, as well as how to specify a custom IdentityVerifier on the client's SslStreamSecurityBindingElement.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Xml;

namespace ServiceNamespace
{
    [ServiceContract]
    interface IService
    {
        [OperationContract]
        void DoSomething();
    }

    class DnsIdentityVerifier : IdentityVerifier
    {
        DnsEndpointIdentity _expectedIdentity;

        public DnsIdentityVerifier(EndpointAddress serviceEndpoint)
        {
            _expectedIdentity = new DnsEndpointIdentity(serviceEndpoint.Uri.DnsSafeHost);
        }

        public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
        {
            Claim dnsClaim = authContext.Claims().Single(claim => claim.ClaimType == ClaimTypes.Dns);
            return String.Equals(_expectedIdentity.IdentityClaim.Resource, dnsClaim.Resource);
        }

        public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity)
        {
            identity = _expectedIdentity;
            return true;
        }
    }

    static class LinqExtensionForClaims
    {
        public static IEnumerable<Claim> Claims(this AuthorizationContext authContext)
        {
            if (null != authContext.ClaimSets)
            {
                foreach (ClaimSet claimSet in authContext.ClaimSets)
                {
                    if (null != claimSet)
                    {
                        foreach (Claim claim in claimSet)
                        {
                            yield return claim;
                        }
                    }
                }
            }
        }
    }

    class Service : IService
    {
        public void DoSomething()
        {
            Console.WriteLine("Service called.");
        }
    }

    class Program
    {
        static void Main(string[] args)
        {
            string hostname = Dns.GetHostEntry(String.Empty).HostName;
            NetTcpBinding serviceBinding = new NetTcpBinding(SecurityMode.TransportWithMessageCredential);

            ServiceHost serviceHost = new ServiceHost(typeof(Service), new Uri(String.Format("net.tcp://{0}:8080/Service", hostname)));
            serviceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "8a 42 1b eb cf 8a 14 b1 de 83 d9 a5 70 88 0a 62 f9 bf 69 06");
            ServiceEndpoint serviceEndpoint = serviceHost.AddServiceEndpoint(typeof(IService), serviceBinding, "Endpoint");
            serviceHost.Open();

            CustomBinding clientBinding = new CustomBinding(serviceBinding.CreateBindingElements());
            SslStreamSecurityBindingElement sslStream = clientBinding.Elements.Find<SslStreamSecurityBindingElement>();
            sslStream.IdentityVerifier = new DnsIdentityVerifier(serviceEndpoint.Address);

            ChannelFactory<IService> channelFactory = new ChannelFactory<IService>(clientBinding, new EndpointAddress(serviceEndpoint.Address.Uri, UpnEndpointIdentity.CreateUpnIdentity("username@domain")));
            channelFactory.Credentials.Windows.AllowNtlm = false;
            IService channel = channelFactory.CreateChannel();
            channel.DoSomething();
        }
    }

.NET Framework

Supported in: 4.5.1, 4.5, 4, 3.5, 3.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

.NET for Windows Store apps

Supported in: Windows 8

Windows Phone 8.1, Windows Phone 8, Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
Show:
© 2014 Microsoft. All rights reserved.