Common Security Scenarios
The topics in this section catalog a number of possible client and service security configurations. Configurations vary according to a number of factors. For example, whether a service or client is on an intranet, or whether the security is provided by Windows or transport (such as HTTPS).
Internet Unsecured Client and Service
An example of a public, unsecured client and service.
Intranet Unsecured Client and Service
A basic Windows Communication Foundation (WCF) service developed to provide information on a secure private network to a WCF application.
Transport Security with Basic Authentication
The application allows clients to log on using custom authentication.
Transport Security with Windows Authentication
Shows a client and service secured by Windows security.
Transport Security with an Anonymous Client
This scenario uses transport security (such as HTTPS) to ensure confidentiality and integrity.
Transport Security with Certificate Authentication
Shows a client and service secured by a certificate.
Message Security with an Anonymous Client
Shows a client and service secured by WCF message security.
Message Security with a User Name Client
The client is a Windows Forms application that allows clients to log on using a domain user name and password.
Message Security with a Certificate Client
Servers have certificates, and each client has a certificate. A security context is established through Transport Layer Security (TLS) negotiation.
Message Security with a Windows Client
A variation of the certificate client. Servers have certificates, and each client has a certificate. A security context is established through TLS negotiation.
Message Security with a Windows Client without Credential Negotiation
Shows a client and service secured by a Kerberos domain.
Message Security with Mutual Certificates
Servers have certificates, and each client has a certificate. The server certificate is distributed with the application and is available out of band.
Message Security with Issued Tokens
Federated security that enables the establishment of trust between independent domains.
A client accesses one or more Web services that are distributed across a network. The Web services access additional resources (such as databases or other Web services) that must be secured.