My customer's requirement was to find a way of performing mutual authentication with ISA 2006 using WCF 3.5 and client certificates. I achieved this easily enough using a security mode of transport and defining a client certificate in the endpoint behavior.
I had to jump through some hoops on the ISA as well.
The customer also has a requirement for message security at the service which is behind the ISA server.
I therefore need my service to only require message security but for the client to navigate both transport (for ISA) and message (for the service) security.
After a little reading I am not sure this is possible using out of the box bindings, particularly wsHttpBinding.
Could someone confirm this?
Additionally, I have read that if both transport and message security are defined using certificates, it must be the same certificate.
My question here would be, what bindings are there that allow both transport and message security and why must the same certificate be used for both?
Many thanks for any help you can give.