Configuration Management

patterns & practices Developer Center

How do I encrypt sensitive data in the WCF configuration file?

Use the aspnet_regiis.exe tool with the -pe (provider encryption) option to encrypt sections of the configuration files.

For example, to encrypt the connectionStrings section, using the Windows Data Protection API (DPAPI) provider with the machine key store (the default configuration), run the following command from a command prompt:

aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"

The configuration options for aspnet_regiis are:

  • -pe specifies the configuration section to encrypt.
  • -app specifies your Web application's virtual path. If your application is nested, you need to specify the nested path from the root directory; for example, "/test/aspnet/MachineDPAPI".
  • -prov specifies the provider name.

The .NET Framework supports the RSAProtectedConfigurationProvider and DPAPIProtectedConfigurationProvider protected configuration providers:

  • RSAProtectedConfigurationProvider. This is the default provider. It uses RSA public key encryption to encrypt and decrypt data. Use this provider to encrypt configuration files for use on multiple WCF services in a Web farm.
  • DPAPIProtectedConfigurationProvider. This provider uses DPAPI to encrypt and decrypt data. Use this provider to encrypt configuration files for use on a single Microsoft Windows Server.

You do not need to take any special steps for decryption because the .NET run time takes care of this for you.
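As an added example (not code from the page or from the patterns & practices team), the following C# program performs the same protection step through the System.Configuration API that aspnet_regiis uses, and then reads the section back to show that decryption is transparent. It assumes the virtual path "/MachineDPAPI" from the command above and that it runs with write access to that web.config.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example (not from the page): protects the connectionStrings section of a
// Web application's web.config with DPAPI, the same operation as the aspnet_regiis
// -pe command, then re-reads the section to show the runtime decrypts on read.
// Assumes the virtual path "/MachineDPAPI" from the page's example and write
// access to that web.config.
class ProtectConnectionStrings
{
    const string VirtualPath = "/MachineDPAPI";
    const string SectionName = "connectionStrings";
    // DPAPI provider; uses the machine key store unless configured otherwise.
    const string Provider = "DataProtectionConfigurationProvider";

    static void Main()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(VirtualPath);
        ConfigurationSection section = config.GetSection(SectionName);

        if (section.SectionInformation.IsProtected)
        {
            Console.WriteLine("{0} is already protected by {1}", SectionName,
                section.SectionInformation.ProtectionProvider.Name);
        }
        else
        {
            // Encrypt in place. ForceSave makes Save write the section even though
            // no individual setting changed.
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Full);
            Console.WriteLine("{0} encrypted with {1}", SectionName, Provider);
        }

        // No decryption code is needed: re-opening the file hands back plaintext
        // because the runtime applies the provider named in configProtectionProvider.
        Configuration reopened = WebConfigurationManager.OpenWebConfiguration(VirtualPath);
        foreach (ConnectionStringSettings cs in reopened.ConnectionStrings.ConnectionStrings)
        {
            // Print only the length so the secret never reaches the console or logs.
            Console.WriteLine("{0}: {1} chars (decrypted on read)",
                cs.Name, cs.ConnectionString.Length);
        }
    }
}
```

Run it on the server that hosts the application: with the DPAPI provider the machine key store does not travel between machines, so a web.config protected on one server cannot be read on another.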

How do I run a WCF Service with a particular identity?

If your service is hosted in IIS 6.0, use IIS Manager to create an application pool running as a specific identity, and then use IIS Manager to assign your WCF service to that application pool.

If your service is hosted in a Windows service, configure the Windows service to run using a particular identity. The WCF service will run under the security context of the Windows service.

Running a WCF service with a specific identity helps to isolate your service, allows you to restrict service resources to your application's account, and allows you to use Windows auditing to track the activity of the application separately from other applications or services.

How do I create a service account for running my WCF Service?

Perform the following steps to create a service account to run your WCF service:

  1. Create a Windows account.
  2. Run the following aspnet_regiis.exe command to assign the relevant ASP.NET permissions to the account:
    aspnet_regiis.exe -ga machineName\userName 
    This step is required when your application needs to run in ASP.NET compatibility mode; otherwise, you can skip this step.

  3. Use the Local Security Policy tool to grant the Windows account the Deny logon locally user right. This reduces the privileges of the account and prevents anyone from logging onto Windows locally with this account.

When should I use a configuration file versus the WCF object model?

In general, you should configure your WCF service and clients using the web.config or app.config files. Using configuration files allows you to change transport, security, and other settings without having to rewrite and recompile your code. Object model code will override configuration settings, so you can use a combination of both if necessary.

What is a metadata exchange (mex) binding?

A metadata exchange (mex) endpoint publishes the metadata for the service. The service metadata is consumed by clients to create a proxy and then call the service. The endpoint supports a standard for exchanging the metadata; WCF provides the implementation in the form of IMetadataExchange.

As with any other endpoint, the metadata endpoint consists of address, contract, and binding. The metadata bindings are the means by which clients interact with the service and get the metadata for generating the proxies.

Several out-of-the-box bindings such as mexHttpBinding, mexHttpsBinding, and mexTcpBinding are available to support specific protocols.

How do I keep clients from referencing my service?

To stop your service from publishing metadata, remove all the mex endpoints from your service configuration and set httpGetEnabled and httpsGetEnabled to False on the serviceMetadata element of the service's behavior, as shown below:

 <serviceMetadata httpGetEnabled="False" httpsGetEnabled="False"/>
