Windows Communication Foundation (WCF) security is built upon concepts already in use and deployed in various security infrastructures.
WCF supports some of those infrastructures, such as Secure Sockets Layer (SSL) over HTTP (HTTPS). However, WCF goes beyond supporting existing security infrastructures by implementing newer interoperable security standards (such as WS-Security) over SOAP-encoded messages. Whether you are using existing mechanisms or new interoperable standards, the security concepts behind both are the same. Understanding the concepts behind existing infrastructures and the newer standards is central to implementing the best security model for an application.
Introduction to Security for WCF Web Services
The Microsoft Patterns and Practices group wrote an in-depth whitepaper on WCF security guidance which is available for download here: WCF Security Guide. This whitepaper describes the fundamental security concepts as they relate to web services, key WCF security concepts, intranet application scenarios, and internet application scenarios.
Industry-Wide Security Specifications
Public Key Infrastructure
Public Key Infrastructure (PKI) is a system of digital certificates, certification authorities, and other registration authorities that verify and authenticate each party involved in an electronic transaction through the use of public key cryptography. For more information, seeWindows Server 2008 R2 Certificate Services.
The Kerberos protocol is a specification for creating a security mechanism that authenticates users on a Windows domain. It allows a user to establish a secure context with other entities within a domain. Windows 2000 and later platforms use the Kerberos protocol by default. Understanding the mechanisms of the system is useful when creating a service that will interact with intranet clients. In addition, since the Web Services Security Kerberos Binding is widely published, you can use the Kerberos protocol to communicate with Internet clients (that is, the Kerberos protocol is interoperable). For more information about how the Kerberos protocol is implemented in Windows, see Microsoft Kerberos.
X.509 certificates are a primary credential form used in security applications. For more information on X.509 certificates see X.509 Public Key Certificates. X.509 certificates are stored within a certificate store. A computer running Windows has several kinds of certificate stores, each with a different purpose. For more information about the different stores, see Certificate Stores.
Web Services Security Specifications
The system-defined bindings support many commonly used web services security specifications. For a complete list of system-provided bindings and the web services specifications they support see: Web Services Protocols Supported by System-Provided Interoperability Bindings
Access Control Mechanisms
WCF provides a number of ways to control access to a service or operation. Among them are
ASP.NET Membership Provider
ASP.NET Role Provider
For more information on these topics see, Access Control Mechanisms