Channel: WCF, ASMX and other Web Services

WCF Service .Net 4.0 - message security slooww, without it it is fast


Hi all,

I have a .Net framework 4.0 WCF Service and a Windows Application, also .Net framework 4.0.

The WCF service is per call, and it is exposed with wsHttpBinding, using TransportWithMessageCredential. It is required that credentials are passed so the caller can be identified, in order to ensure context of the user that is actually performing the action on the WCF side, and that transport security is present (https).

So, the binding looks like this on the WCF side:

<system.serviceModel>
  <services>
    <service name="MyService">
      <endpoint binding="wsHttpBinding" contract="Contracts.IMyService" address="/wsHttp" bindingConfiguration="wsHttpBindingConfigCredential" />
      <endpoint address="mex" binding="mexHttpBinding" name="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="">
        <federatedServiceHostConfiguration />
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  <bindings>
    <wsHttpBinding>
      <binding maxBufferPoolSize="52428800" maxReceivedMessageSize="52428800" name="wsHttpBindingConfigCredential">
        <readerQuotas maxDepth="32" maxStringContentLength="2097152" maxArrayLength="2097152" maxBytesPerRead="8192" maxNameTableCharCount="16384"/>
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="Windows" proxyCredentialType="None"/>
          <message clientCredentialType="Windows" establishSecurityContext="true" negotiateServiceCredential="false"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>

The binding is declared the same way on the client, plus, for each call that the client does, Windows credentials are filled. Client proxy is always properly closed/aborted at the end of each operation.

The WCF service is installed on a server (Windows Server 2008 R2) on a domain, and the client application runs on another domain. They have (as they should) trust relation but they are actually different domains.

So we found out a strange behavior that I would like to have opinions about.

If we run the client application inside the same domain as the WCF service, it is pretty fast. But if we run the client application on a different domain then all calls are very, very slow.

After a few attempts changing settings, we found out the following configuration as a replacement of the above one as a good compromise by answering our requirements, which means credentials are properly sent by client and received by service, we still have https and the client application performs very fast:

<system.serviceModel>
  <services>
    <service name="MyService">
      <endpoint binding="wsHttpBinding" contract="Contracts.IMyService" address="/wsHttp" bindingConfiguration="wsHttpBindingConfigCredential" />
      <endpoint address="mex" binding="mexHttpBinding" name="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="">
        <federatedServiceHostConfiguration />
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  <bindings>
    <wsHttpBinding>
      <binding maxBufferPoolSize="52428800" maxReceivedMessageSize="52428800" name="wsHttpBindingConfigCredential">
        <readerQuotas maxDepth="32" maxStringContentLength="2097152" maxArrayLength="2097152" maxBytesPerRead="8192" maxNameTableCharCount="16384"/>
        <security mode="Transport">
          <transport clientCredentialType="Windows" proxyCredentialType="None"/>
          <message clientCredentialType="None" establishSecurityContext="true" negotiateServiceCredential="false"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>

So we just basically switched from TransportWithMessageCredential to Transport, and placed None at message clientCredentialType (since we only are using Transport as security mode). As it should be, we performed this change both on WCF service and on the client.

My understanding about this is that as it was, credentials were being used both for transport and for message, which gives an extra layer of security, especially on the message.

But, removing this layer only on the message, things keep working. Notice that this client application is meant to be used inside the company's networks.

My question here is, should the message security interfere or cause such a difference on the overall performance? I mean, the difference is huge!

Should we be looking at any other stuff about these settings or about systems itself? 

Thank you!
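
An added example, not part of the original post: a Python check that reads the two security elements quoted above and reports which settings take effect under each mode. It relies on WCF's behaviour that Transport mode builds no SOAP security header, while TransportWithMessageCredential uses HTTPS for protection and carries the client credential in the message; the function names and the TEMPLATE constant are hypothetical.

```python
import xml.etree.ElementTree as ET

# <security> element of the post's binding; only mode and message credential vary.
TEMPLATE = """<security mode="{mode}">
  <transport clientCredentialType="Windows" proxyCredentialType="None"/>
  <message clientCredentialType="{msg_cred}" establishSecurityContext="true"
           negotiateServiceCredential="false"/>
</security>"""
ORIGINAL = TEMPLATE.format(mode="TransportWithMessageCredential", msg_cred="Windows")
REPLACEMENT = TEMPLATE.format(mode="Transport", msg_cred="None")

def effective_security(security_xml):
    """Report which settings of a wsHttpBinding <security> element take effect."""
    sec = ET.fromstring(security_xml)
    mode = sec.get("mode")
    t = sec.find("transport").attrib if sec.find("transport") is not None else {}
    m = sec.find("message").attrib if sec.find("message") is not None else {}
    message_layer = mode in ("Message", "TransportWithMessageCredential")
    if mode == "Transport":
        # HTTPS authenticates the client; no SOAP security header is built.
        layer, cred = "transport", t.get("clientCredentialType")
        ignored = sorted("message/@" + k for k in m)
    elif message_layer:
        # The client credential travels in the SOAP security header.
        layer, cred = "message", m.get("clientCredentialType")
        ignored = ["transport/@clientCredentialType"] if "clientCredentialType" in t else []
    else:  # mode="None": neither layer is secured
        layer, cred = None, None
        ignored = sorted(["transport/@" + k for k in t] + ["message/@" + k for k in m])
    return {
        "mode": mode,
        "https": mode in ("Transport", "TransportWithMessageCredential"),
        "client_auth_layer": layer,
        "client_credential": cred,
        # A WS-SecureConversation session is only negotiated with message security.
        "secure_conversation": message_layer and m.get("establishSecurityContext") == "true",
        "ignored": ignored,
    }

def changed_settings(before_xml, after_xml):
    """Effective settings that differ between two <security> elements."""
    a, b = effective_security(before_xml), effective_security(after_xml)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    for key, (old, new) in changed_settings(ORIGINAL, REPLACEMENT).items():
        print(f"{key}: {old!r} -> {new!r}")
```

Run against the two configurations, it shows that the client is still authenticated with Windows credentials over HTTPS after the change; what disappears is the SOAP-level credential and the security context session set up for each new proxy.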

