This project is read-only.


- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

This guide shows you how to improve security for your WCF services. It also shows you how to effectively design your authentication, authorization, and communication strategies for WCF.

The information in this guide is based on practices learned from customer feedback and product support, as well as experience from the field and in the trenches. The guidance is task-based and presented in the following parts.
  • Part I - Security Fundamentals for Web Services gives you a quick overview of fundamental security concepts as they relate to services, service-oriented design, and Service-Oriented Architecture (SOA.)
  • Part II - WCF Security Fundamentals gives you a firm foundation in key WCF security concepts, with special attention on authentication, authorization, and secure communication, as well as WCF binding configurations.
  • Part III - Intranet Application Scenarios shows you a set of end-to-end Intranet application scenarios that you can use to jumpstart your application architecture designs with a focus on authentication, authorization, and communication from a WCF perspective for your intranet.
  • Part IV - Internet Application Scenarios shows a set of end-to-end Internet application scenarios that you can use to jumpstart your application architecture design for the Internet.

WCF / Services Security

There are many decisions that combine to improve security in WCF services and applications. This guide focuses on:
  • Authentication, authorization, and communication design for your services
  • Solution patterns for common distributed application scenarios using WCF
  • Principles, patterns, and practices for improving key security aspects in services

The following diagram illustrates a common solution pattern for WCF intranet scenarios:


Scope of This Guide

This guide is focused on key security aspects of WCF. The guide addresses security across the three physical tiers. It covers the client, remote application server, and database server. Clients include Windows Forms, ASP.NET, and WCF.

Out of Scope

The following are out of scope for this guide:
  • Federation
  • Claims authorization

Why We Wrote This Guide

From our own experience with WCF and through conversations with customers and Microsoft employees who work in the field, we determined there was demand for a guide that would show how to use WCF in the real world. While there is information in the product documentation, in blog posts and in forums, there has been no single place to find proven practices for the effective use of WCF in the context of line of business applications under real world constraints.

Who Should Read This Guide

This guide is targeted at providing individuals involved in building applications with WCF. The following are examples of roles that would benefit from this guidance:
  • A development team that wants to adopt WCF.
  • A software architect or developer looking to get the most out of WCF, with regard to designing their application security.
  • Interested parties investigating the use of WCF but don’t know how well it would work for their deployment scenarios and constraints.
  • Individuals tasked with learning WCF security.

How To Use This Guide

Use the first part of the guide to gain a firm foundation in key security concepts and WCF. Next, use the application scenarios to evaluate potential designs for your scenario. The application scenarios are skeletal end-to-end examples of how you might design your authentication, authorization and communication from a security perspective. Use the appendix of “Guidelines”, “Practices”, “How To” articles and “Questions and Answers” to dive into implementation details. This separation allows you to understand the topics first and then explore the details as you see fit.

Organization of This Guide

You can read this guide from end to end, or you can read the chapters you need for your job.


This guide is divided into four parts:
Part I, "Security Fundamentals for Web Services"
Part II, "Fundamentals of WCF Security"
Part III, "Intranet Application Scenarios"
Part IV, "Internet Application Scenarios"



Part I, Security Fundamentals for Web Services

Part II, Fundamentals of WCF Security

Part III - Intranet Application Scenarios

Part IV - Internet Application Scenarios




Questions and Answers

How Tos


Feedback and Support

We have made every effort to ensure the accuracy of this guide and its companion content.

Feedback on the Guide

If you have comments on this guide, send e-mail to .

We are particularly interested in feedback regarding the following:
  • Technical issues specific to recommendations
  • Usefulness and usability issues

Technical Support

Technical support for the Microsoft products and technologies referenced in this guide is provided by Microsoft Product Support Services (PSS). For product support information, please visit the Microsoft Product Support Web site at .

Community Support

MSDN Newsgroups:

Forum Address
Windows Communication Foundation ("Indigo")
Architecture General

The Team Who Brought You This Guide

This guide was created by the following team members:
  • J.D. Meier
  • Carlos Farre
  • Jason Taylor
  • Prashant Bansode
  • Steve Gregersen
  • Madhu Sundararajan
  • Rob Boucher

Contributors and Reviewers

  • External Contributors / Reviewers: Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Bustamante; Parameswaran Vaideeswaran; Rockford Lotka; Rudolph Araujo; Santosh Bejugam
  • Microsoft Contributors / Reviewers: Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev

Tell Us About Your Success

If this guide helps you, we would like to know. Tell us by writing a short summary of the problems you faced and how this guide helped you out. Submit your summary to: .

Last edited Jun 12, 2008 at 7:32 PM by prashantbansode, version 3


No comments yet.