Configure IIS for WCF service with SSL and transport security

This article will help you to configure IIS for WCF service with SSL and achieve WCF Transport security. It uses a WCF service, create a SSL certificate using IIS Server Certificates with WCF service hosted in IIS.

In Windows Communication Foundation Transport security is dependent on the binding and transport being used. It requires an SSL certificate to be registered with IIS. For a production environment, you must obtain the certificate from third party certificate issuer like Verisign. In Transport Security server and clients are configured with X.509 certificates to allow verification of other parties. For development environment you can create Self Signed Certificate

Advantages of Transport Security in WCF Services

  • Improved interoperability as it does not require both parties to understand XML level security.
  • Improvement in overall performance as compare to Message level security.
  • Streaming is possible whereas in Message level security it is not possible.

We can implement an SSL for WCF service in two ways

  • If you are hosting WCF service in IIS you can use IIS infrastructure to set up SSL.
  • If your WCF service is self-hosted you can create SSL certificate using HttpCfg.exe and use it for service binding.

Step by step configuration of IIS for WCF Service with SSL

Create Self Signed SSL certificate

In this step, we will create a self-signed certificate using IIS manager.

Open the IIS manager using inetmgr command. Select <server name > from connection pane which is at the left side of the IIS manager.

Double click on Server Certificates from the middle pane of IIS manager.

From actions (right side) pane of IIS manager click on Self Signed Certificate.

You will get a new window where you have to the certificate name. Give name as NorthwindCertificates.

Create and Host your WCF Service

Create a WCF service.

Endpoint configuration for Transport security

Open the WCF service library application created in the previous step. Open app.config file from NorthwindServices application to make changes for WCF endpoint to allow transport security with SSL.

Add bindingConfiguration which sets attributes for basicHttpBinding and sets its security mode. There are three types of security modes available in WCF Message for message level security, Transport for transport level security and TransportWithMessageCredential for providing security over a transport with encrypted messages or you can set it as None to disable security of WCF service.

Set clientCredentialType as None to specify anonymous authentication which does not perform client authentication. The possible values for clientCredentialType are None, Basic, Digest, Ntlm, Windows.

Change serviceBehaviors for allowing https request by setting httpsGetEnabled="true".

Your Service endpoint will be

      <service name="NorthwindServices.ProductService">
        <endpoint address=""

        <endpoint address="mex"
                  contract="IMetadataExchange" />
        <binding name="secureHttpBinding">
          <security mode="Transport">
            <transport clientCredentialType="None"/>
          <serviceMetadata httpsGetEnabled="true"/>          
          <serviceDebug includeExceptionDetailInFaults="false"/>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />

Configure SSL Certificate for WCF Service

Host your WCF service in IIS . In IIS manager right click on the site which you created for hosting and click on Edit Bindings.... From the new window, you should be able to see HTTP binding configured.

Now click on Add button and select https from type dropdown of Add Site Binding window.

From the SSL Certificate drop down select NorthwindCertificate which you created in first step. Click Ok and close Site Bindings window.

IIS Edit bindings for WCF

Publish your WCF service once again to https://localhost/ address.

Publish WCF service for https

Client application for SSL secured WCF service

Create a client application for this SSL secured WCF service and Add Service Reference to https://localhost/ProductServiceHost.svc.

Add below code to the client application which calls WCF service and get Product details for ProductID 1.

namespace NorthwindClient
    class Program
        static void Main(string[] args)
            ProductServiceRef.ProductsClient client
                 = new ProductServiceRef.ProductsClient();
            string category = client.GetCategoryName(1);
            string name = client.GetProductName(1);
            int qty = client.GetProductQty(1);
            Console.WriteLine("Product Name : " + name);
            Console.WriteLine("Product Qty : " + qty.ToString());
            Console.WriteLine("Product Category : " + category);

Execute the client application you might get SecurityNegotiationException with Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost' . To resolve this issue open the app.config file of the client application and replace localhost from endpoint address with your computer name.

Change it to
                https://<your computer name>/ProductServiceHost.svc

Source code on Git hub Source Code on Github

Speak your mind
Please login to post your comment!

  • geeksarray user
    09/26/2016 07:42 PM dasiths

    clientCredentialType can be "Certificate" too.

  • geeksarray user
    09/27/2016 12:26 AM Laxmikant

    yes ... you can use Certificate as well

Blog Search

If you like my content please feel free to buy me coffee. Buy Me A Coffee