Configure Endpoint Dialog Box: Authentication Tab

Use the Authentication tab in the Configure Endpoint dialog box to view the security settings of a specific endpoint. All fields in this dialog box are read-only and cannot be changed. The Configure Endpoint dialog box can be opened in the following ways.

  • From the Configure Service dialog box by selecting the Endpoints tab, selecting a specific endpoint, and then clicking Edit.

  • From the Endpoints list (within Features View) by selecting a specific endpoint and then clicking Configure in the context menu or Action pane. You can view the Endpoints list by performing one of the following operations.

    • At the server, site or application scopes, double-click Endpoints in the Features View to view the Endpoints Page, which has the Endpoints list.

    • At the server, site or application scopes, double-click Services in the Features View, right-click the service, and then click View Endpoints.

For more information on common Windows Communication Foundation (WCF) security scenarios, refer to Common Security Scenarios (https://go.microsoft.com/fwlink/?LinkId=166483).

Dialog Options

Field

Description

Security mode:

The security mode setting determines how the endpoint protects the requests it receives and the responses it sends. It represents the value of the mode attribute on the security element in the configuration file. The value displayed depends on the binding used by this endpoint. Valid values include the following:

  • None - No transfer security is applied. Messages, and any credentials they carry, are transmitted in clear text.

  • Transport - Security is applied at the transport level, using a transport protocol such as HTTPS to provide transfer security. Transport mode is efficient, widely adopted, available on many platforms, and computationally cheap. Its disadvantage is that it secures messages only point-to-point: protection ends at each transport hop, so an intermediary that terminates the connection (a proxy or load balancer, for example) sees the message in the clear.

  • Message - Security is applied to each individual message, using specifications such as WS-Security. Message security is applied directly to the SOAP message and travels inside the SOAP envelope alongside the application data. This has the advantage of being transport-independent, more extensible, and end-to-end rather than point-to-point: the message remains protected across intermediaries. Its disadvantage is that it is slower than transport security, because signing and encryption operate on the textual XML of the SOAP message.

Some bindings also expose combined modes, such as TransportWithMessageCredential, which protects the channel at the transport level while carrying the client credential in the message. The value shown is whatever the binding's configuration specifies.

Transport credential type:

The transport credential type specifies the type of client credential used for authentication at the transport level. It represents the value of the clientCredentialType attribute on the transport element in the configuration file. Valid values include the following (HTTP-based bindings also accept Basic, Digest, and Ntlm):

  • None - No client authentication is used at the transport level.

  • Windows - Windows integrated authentication of the client using the Negotiate (SPNEGO) protocol, which selects Kerberos where it is available and otherwise falls back to NTLM. The domain or local user accounts corresponding to the client credentials must exist. In addition, the client's endpoint identity (the userPrincipalName or servicePrincipalName element) must match the account under which the service runs; otherwise the Kerberos exchange fails.

  • Certificate - Client authentication using client certificates. To validate a client certificate, the CA chain that issued it must be trusted on this computer: the root CA certificate in the Trusted Root Certification Authorities store and any intermediate CA certificates in the Intermediate Certification Authorities store.

Message credential type:

The message credential type specifies the type of client credential used for authentication at the message level. The client credential is carried in the SOAP Header element. It represents the value of the clientCredentialType attribute on the message element in the configuration file. Valid values include the following (IssuedToken, used in federated scenarios, may also be shown):

  • None - Allows the service to interact with anonymous clients.

  • Windows - The SOAP exchange runs under the authenticated context of a Windows credential. The domain or local user accounts corresponding to the client credentials must exist. In addition, the client's endpoint identity (the userPrincipalName or servicePrincipalName element) must match the account under which the service runs.

  • UserName - Clients are authenticated with a user name and password sent in the SOAP header. By default the credential is validated against Windows accounts, so the domain or local user accounts corresponding to the client credentials must exist unless a membership provider or a custom UserNamePasswordValidator is configured. Because the password travels inside the message, Message security with this credential type requires a service certificate so that the client can encrypt the credential.

  • Certificate - Clients are authenticated using a client certificate. To validate a client certificate, the CA chain that issued it must be trusted on this computer: the root CA certificate in the Trusted Root Certification Authorities store and any intermediate CA certificates in the Intermediate Certification Authorities store.

Service certificate:

If the binding supports client authentication through either Message or Transport security, and the service to which this endpoint belongs has a serviceCertificate element (inside the serviceCredentials element of its service behavior) in the configuration file, then Configured is displayed. Otherwise, Not Configured is displayed. This field is read-only and cannot be changed.

Configuration Changes

The following configuration elements and attributes supply the values displayed in this dialog box: the mode attribute of the security element, the clientCredentialType attribute of the transport and message elements, and the serviceCertificate element.

<system.serviceModel>
  <bindings>
    <XXXXXXBinding>
      <binding>
        <security mode="">
          <transport clientCredentialType="" />
          <message clientCredentialType="" />
        </security>
      </binding>
    </XXXXXXBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="b1">
        <serviceCredentials>
          <serviceCertificate findValue="Contoso.com"
                              x509FindType="FindBySubjectName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
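The dialog only displays these values; when reviewing many web.config files it is useful to derive the same four fields directly from the configuration and flag the combinations described above (no security, transport security without client authentication, Message security with UserName or Certificate credentials but no service certificate). The following Python script is an added example, not code from the original page or from the WCF or AppFabric tooling. The embedded configuration is constructed for this example, and the binding names, the behavior name b1 and the subject Contoso.com are hypothetical. Only the default security mode of each binding type is resolved; a missing clientCredentialType is reported as "(default)" rather than guessed.

```python
"""Report the Authentication tab's four fields straight from a system.serviceModel section.

Added example, not code from the original page. Sample configuration below is
constructed for this example; names such as "Contoso.com" and "b1" are hypothetical.
"""
import xml.etree.ElementTree as ET

# Security mode applied when the mode attribute is omitted (WCF binding defaults).
DEFAULT_MODE = {
    "basicHttpBinding": "None",
    "wsHttpBinding": "Message",
    "netTcpBinding": "Transport",
}

# Constructed sample: a binding with no security, a mutual-TLS binding, a
# message-security binding with UserName credentials, and one using defaults.
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="legacy">
          <security mode="None" />
        </binding>
        <binding name="mutualTls">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </basicHttpBinding>
      <wsHttpBinding>
        <binding name="secureMessage">
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
        <binding name="defaults" />
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="b1">
          <serviceCredentials>
            <serviceCertificate findValue="Contoso.com"
                                x509FindType="FindBySubjectName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>"""


def has_service_certificate(root, behavior_name):
    """True if the named service behavior carries serviceCredentials/serviceCertificate."""
    for behavior in root.iter("behavior"):
        if behavior.get("name") == behavior_name:
            return behavior.find("serviceCredentials/serviceCertificate") is not None
    return False


def credential_type(security, element):
    """clientCredentialType of the <transport> or <message> child, or "(default)" if absent."""
    node = security.find(element) if security is not None else None
    if node is None:
        return "(default)"
    return node.get("clientCredentialType", "(default)")


def audit_bindings(config_xml, behavior_name):
    """Map "<bindingType>/<name>" to the dialog's four fields plus a list of findings."""
    root = ET.fromstring(config_xml)
    cert_present = has_service_certificate(root, behavior_name)
    # ElementTree paths cannot contain a dotted tag such as system.serviceModel,
    # so the <bindings> element is located by iteration instead of root.find().
    bindings = next(root.iter("bindings"))
    report = {}
    for binding_type in bindings:  # e.g. basicHttpBinding, wsHttpBinding
        for binding in binding_type.findall("binding"):
            security = binding.find("security")
            mode = security.get("mode") if security is not None else None
            mode = mode or DEFAULT_MODE.get(binding_type.tag, "(default)")
            transport_cred = credential_type(security, "transport")
            message_cred = credential_type(security, "message")
            # The dialog shows Configured only when the mode can make use of a certificate.
            cert_state = "Configured" if cert_present and mode != "None" else "Not Configured"

            findings = []
            if mode == "None":
                findings.append("no transfer security: payload and credentials travel in clear text")
            if mode == "Transport" and transport_cred == "None":
                findings.append("transport is encrypted but the client is not authenticated")
            if mode == "Message" and message_cred in ("UserName", "Certificate") and not cert_present:
                findings.append(f"Message security with {message_cred} credentials needs a "
                                "serviceCertificate so the client can encrypt the credential")

            report[f"{binding_type.tag}/{binding.get('name', '')}"] = {
                "mode": mode,
                "transport_credential": transport_cred,
                "message_credential": message_cred,
                "service_certificate": cert_state,
                "findings": findings,
            }
    return report


if __name__ == "__main__":
    for name, entry in audit_bindings(SAMPLE_CONFIG, "b1").items():
        print(name, entry)
```

Running the script against the embedded sample flags only the legacy binding; rerunning it with a behavior name that has no serviceCertificate additionally flags the secureMessage binding, which is the case the dialog reports as Not Configured.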

  2012-03-29