Deployment Considerations

  • What are the additional considerations for using WCF in a Web farm?
  • How do I configure Active Directory groups and accounts for roles-based authorization checks?
  • How do I create an X.509 certificate?
  • When should I use a service principal name (SPN)?
  • How do I configure a least-privileged account for my service?

What are the additional considerations for using WCF in a Web farm?

When hosting your WCF service in a Web farm, encrypt the sensitive sections of your configuration files with the Rivest, Shamir, and Adleman (RSA) protected configuration provider (RsaProtectedConfigurationProvider) instead of the Windows Data Protection API (DPAPI) provider. DPAPI keys are bound to the machine (or user) that created them, so a section encrypted with DPAPI on one server cannot be decrypted on another. An RSA key container can be exported from the first server and imported on every other server in the farm, so all of them can decrypt the same configuration file.

If your WCF services are hosted in an IIS Web farm in which multiple servers are addressed through the same endpoint URL, configure the service identity explicitly with that shared host name instead of relying on the default identity that IIS derives from each individual server. Otherwise clients that verify the service identity will see a different identity depending on which farm member answers the request.
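The following script walks through the RSA key container procedure described above. It is an added example, not part of the original guide. Assumed names: the key container is "WcfFarmKeys", the service is deployed to the virtual directory /WcfService, the application pool runs as CONTOSO\svcWcf, and the .NET Framework 2.0 build of aspnet_regiis.exe is used (adjust the path and the assembly Version for the framework you target).

```powershell
# Added example (not from the original guide). Assumed names: key container "WcfFarmKeys",
# service virtual directory "/WcfService", application pool identity CONTOSO\svcWcf.
$aspnetRegiis = "$env:windir\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"

# 1. On the first farm member, create an RSA key container that is marked exportable.
#    Without -exp the private key cannot be exported later and the farm cannot share it.
& $aspnetRegiis -pc "WcfFarmKeys" -exp

# 2. Point the service's web.config at that container with a named RSA provider
#    (configuration fragment shown as a comment; the Version attribute depends on the framework):
#    <configProtectedData>
#      <providers>
#        <add name="WcfFarmRsaProvider"
#             type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
#             keyContainerName="WcfFarmKeys"
#             useMachineContainer="true" />
#      </providers>
#    </configProtectedData>

# 3. Encrypt the sensitive section (here connectionStrings) with that provider.
& $aspnetRegiis -pe "connectionStrings" -app "/WcfService" -prov "WcfFarmRsaProvider"

# 4. Grant the application pool identity read access to the container. If this step is
#    skipped, the service fails at start-up because it cannot open the RSA key container.
& $aspnetRegiis -pa "WcfFarmKeys" "CONTOSO\svcWcf"

# 5. Export the container including the private key (-pri) so it can be moved to the
#    other farm members. Treat the XML file as a secret: copy it over a protected
#    channel and delete it as soon as it has been imported.
& $aspnetRegiis -px "WcfFarmKeys" "C:\keys\WcfFarmKeys.xml" -pri

# 6. On every other farm member, import the same container, grant the same pool identity
#    access, and remove the exported file. (Shown commented out: run these on the other hosts.)
# & $aspnetRegiis -pi "WcfFarmKeys" "C:\keys\WcfFarmKeys.xml"
# & $aspnetRegiis -pa "WcfFarmKeys" "CONTOSO\svcWcf"
# Remove-Item "C:\keys\WcfFarmKeys.xml"
```

Because every farm member ends up with the same container, the encrypted web.config can be deployed unchanged to all of them. Repeat step 3 on one machine only; the ciphertext produced there is valid everywhere the container has been imported.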

How do I configure Active Directory groups and accounts for roles-based authorization checks?

You do not need to do anything special to configure Active Directory groups and accounts for WCF roles-based authorization checks. You can use them directly for either declarative or programmatic authorization.

The following is an example of a declarative authorization check using an Active Directory group in WCF:

using System.Security.Permissions;

// Declarative check. Requires the service to authenticate callers with Windows credentials
// and principalPermissionMode set to UseWindowsGroups (the default). The role string is the
// Active Directory group in domain\group form.
[PrincipalPermission(SecurityAction.Demand, Role = @"domain\Accounting")]
public double Add(double a, double b)
{
    return a + b;
}

The following is an example of a programmatic authorization check using an Active Directory group in WCF:

using System.Security.Principal;
using System.ServiceModel;

// Programmatic check. WindowsIdentity is populated only when the binding authenticates the
// caller with Windows credentials; with other credential types it is null.
WindowsIdentity callerIdentity = ServiceSecurityContext.Current.WindowsIdentity;
WindowsPrincipal myPrincipal = new WindowsPrincipal(callerIdentity);
if (myPrincipal.IsInRole(@"domain\Accounting"))
{
    // authorized
}
else
{
    // not authorized
}

How do I create an X.509 certificate?

In a production environment, use an X.509 certificate issued by a certificate authority (CA) that your clients already trust, such as VeriSign or your organization's own CA. In a development environment, use the MakeCert utility to create a temporary X.509 certificate chained to a self-signed development root.

For more information, see How to: Create and Install Temporary Certificates in WCF for Message Security During Development and How to: Create and Install Temporary Certificates in WCF for Transport Security During Development.

Note

Do not use temporary development certificates in a production environment because this will open your communication channel to malicious spoofing, sniffing, and tampering.
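The following commands show the development-only MakeCert procedure that the two linked topics describe. This is an added example, not code from the original guide. Assumptions: the development root is named RootCATest, the service certificate uses CN=localhost (so a client addressing https://localhost/... can match the host name), and makecert.exe is found under the Windows SDK path shown, which you must adjust for your installation.

```powershell
# Added example (not from the original guide). Assumed: root name RootCATest, service
# certificate CN=localhost, makecert.exe path below (adjust to your SDK installation).
$makecert = "C:\Program Files\Microsoft SDKs\Windows\v7.0A\Bin\makecert.exe"

# 1. Create a self-signed development root. MakeCert prompts for a password that protects
#    the private key file RootCATest.pvk; keep that file out of source control.
& $makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer

# 2. Create the service certificate, signed by the development root, and place it in
#    LocalMachine\My. -sky exchange gives it a key usable for encryption/key exchange
#    (required for message security) and -pe makes the private key exportable.
& $makecert -sk WcfDevKey -iv RootCATest.pvk -n "CN=localhost" -ic RootCATest.cer `
    -sr localmachine -ss my -sky exchange -pe

# 3. Trust the development root on the machines that must validate the service certificate
#    (development machines only; never do this on a production client).
certutil -addstore -f Root RootCATest.cer

# 4. Confirm the certificate is installed and obtain the thumbprint you need for the
#    serviceCertificate / clientCertificate elements in the WCF configuration.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=localhost" } |
    Select-Object Subject, Thumbprint, NotAfter
```

For transport security over HTTPS the certificate must additionally be bound to the IIS site (or, for self-hosting, to the port), which the linked transport-security topic covers; the commands above only create and install the certificates.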

When should I use a service principal name (SPN)?

Kerberos identifies a service by its SPN. When the service runs as Network Service, the machine account's HOST/ SPN already covers it, but a custom domain account has no SPN for the service until you register one. You will need to create an SPN under the following conditions:

  • If your WCF application's application pool runs under a custom domain account, create an SPN (HTTP/hostname and HTTP/fully-qualified-hostname) for that account so that Kerberos can authenticate the client.
  • If you are using a custom service account that must be trusted for delegation, create an SPN; Active Directory only allows delegation to be configured for accounts that have an SPN.
  • If you are hosting your service in a Windows service running under a custom domain identity, and an ASP.NET application needs to use constrained delegation when calling the service, create an SPN for that identity.
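The following commands register and verify the SPNs for the custom-account case above. This is an added example, not part of the original guide. Assumptions: the domain is CONTOSO, the custom service account is CONTOSO\svcWcf, and clients address the service as http://wcf.contoso.com (FQDN) or http://wcf (short name).

```powershell
# Added example (not from the original guide). Assumed names: domain CONTOSO,
# service account CONTOSO\svcWcf, service host names wcf.contoso.com and wcf.

# 1. Check that no other account already owns the SPNs. A duplicate SPN breaks Kerberos
#    for every caller (authentication falls back to NTLM or fails outright).
setspn -Q HTTP/wcf.contoso.com
setspn -Q HTTP/wcf

# 2. Register both the FQDN and the short-name SPN on the service account. -S (Windows
#    Server 2008 and later) refuses to create a duplicate; on older servers use -A.
setspn -S HTTP/wcf.contoso.com CONTOSO\svcWcf
setspn -S HTTP/wcf CONTOSO\svcWcf

# 3. List what is now registered on the account.
setspn -L CONTOSO\svcWcf

# 4. Search the whole domain for duplicate SPNs, for example after moving a service
#    between accounts or hosts.
setspn -X
```

Once the SPN exists, the Delegation tab appears on the account in Active Directory Users and Computers, where constrained delegation can be configured. Clients that should insist on Kerberos can then declare the expected identity in their endpoint configuration with a servicePrincipalName element whose value is HTTP/wcf.contoso.com.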

How do I configure a least-privileged account for my service?

Perform the following steps to create a least-privileged account for your service:

  1. Create a Windows account.

  2. Run the following aspnet_regiis.exe command to assign the relevant ASP.NET permissions to the account:

    aspnet_regiis.exe -ga machineName\userName 
    
  3. If your application needs to run in ASP.NET compatibility mode, use the Local Security Policy tool to grant the Windows account the Deny logon locally user right. This reduces the privileges of the account and prevents anyone from logging on to Windows interactively with it. Otherwise, skip this step.

  4. Use the least-privileged account to run your WCF service:

    • If your service is hosted in IIS 6.0, use IIS Manager to create an application pool that runs under the least-privileged account, and use IIS Manager to assign your WCF service to that application pool.
    • If your service is hosted in a Windows service, configure the Windows service to run using the account identity. The WCF service will run under the security context of the Windows service.
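The following script carries the four steps above through in one place. It is an added example, not part of the original guide. Assumptions: the account is a local account named svcWcf on the IIS server (use a domain account such as CONTOSO\svcWcf instead if the service must be reached via Kerberos or must access network resources), the IIS application pool is named WcfPool and is configured with appcmd.exe (IIS 7.0 or later; on IIS 6.0 use IIS Manager as the step says), and the Windows service is named MyWcfHost.

```powershell
# Added example (not from the original guide). Assumed names: local account svcWcf,
# application pool WcfPool (appcmd, IIS 7.0+), Windows service MyWcfHost.
$secure = Read-Host -AsSecureString "Password for svcWcf"
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# 1. Create the account. It is deliberately not added to any group beyond the default
#    Users membership; the service gets only the rights granted below.
net user svcWcf $plain /add /passwordchg:no /expires:never
wmic useraccount where "name='svcWcf'" set PasswordExpires=false

# 2. Grant the ASP.NET/IIS permissions (IIS metabase, Temporary ASP.NET Files, and so on).
& "$env:windir\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" -ga "$env:COMPUTERNAME\svcWcf"

# 3. Grant "Deny logon locally" through a security template, which is what the Local
#    Security Policy tool writes behind the scenes.
$inf = "$env:TEMP\deny-logon.inf"
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = svcWcf
'@ | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db "$env:TEMP\deny-logon.sdb" /cfg $inf /areas USER_RIGHTS

# 4a. IIS-hosted: run the application pool under the account.
& "$env:windir\system32\inetsrv\appcmd.exe" set apppool "WcfPool" `
    /processModel.identityType:SpecificUser `
    /processModel.userName:"$env:COMPUTERNAME\svcWcf" `
    /processModel.password:"$plain"

# 4b. Windows-service-hosted: run the service under the account. sc.exe requires the space
#     after each "=", and "sc" alone is a PowerShell alias for Set-Content, hence sc.exe.
sc.exe config "MyWcfHost" obj= ".\svcWcf" password= "$plain"

# Clear the plaintext copy of the password from the session.
Remove-Variable plain
```

Only one of steps 4a and 4b applies to a given deployment. Verify the result with whoami /priv run as the account (for example through a scheduled task) or by checking the Log On tab of the service: the account should hold no privilege beyond those every authenticated user has.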
