What is WCF Message Security
Message level security encrypts request / response messages using the WS-Security specifications. It encloses security credentials and claims
with every message. Each message is either signed or encrypted. Message Security provides
end-to-end channel security and is independent of the transport protocol. In short, mutual
authentication and message security are delivered at the message level.
Advantages of Message Level security in WCF
- Message Security provides multiple levels of security, meaning that different parts
(header, body, etc.) of a message can be secured by different encryption methods.
- Message Security is not dependent on WCF protocols. It provides the security regardless
- Message Security provides end-to-end security. With Transport Security the message
is no longer encrypted once it is received at the server, whereas with Message Level security
it is still encrypted.
- Message security is the only option to provide security when you have intermediate
routers to route request / response.
Implementation of Message Level Security in WCF
Creation of WCF Service Library
Go through Create a WCF Service and Test using WCFTestClient. It creates a basic WCF
service which has OperationContracts to return Product details from Products.xml.
Host ProductService in IIS
For this article we will use the HTTP protocol and host the service in IIS. Unlike Transport Security, you do not need to make any
changes in IIS for Message Level Security.
Configure WCF Message Level Security
Open the NorthwindServices service library which you created in the first step and
open its App.config file.
Here we will configure the bindingConfiguration attribute of the endpoint. Add a <bindings>
section under <system.serviceModel>.
Set the security mode to Message and clientCredentialType to Windows.
Your <system.serviceModel> configuration should look like this:
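<services>
  <service name="..." behaviorConfiguration="ServiceBehavior">
    <host><baseAddresses><add baseAddress="..." /></baseAddresses></host>
    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsMessage" contract="..." />
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
  </service>
</services>
<behaviors><serviceBehaviors><behavior name="ServiceBehavior">
  <serviceMetadata httpGetEnabled="true" />
</behavior></serviceBehaviors></behaviors>
<bindings><wsHttpBinding><binding name="wsMessage">
  <security mode="Message">
    <message clientCredentialType="Windows" />
  </security>
</binding></wsHttpBinding></bindings>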
clientCredentialType can have any value from below available options for Message
- None: Messages are secured with encryption however it does not perform any
- Windows: Messages are secured with encryption and clients are authenticated
using built-in Windows Authentication, which can be through Active Directory or NTLM.
- UserName: Messages are secured and encrypted and clients are authenticated
by provided UserName and Password.
- Certificate: Messages are encrypted and both service and clients are authenticated
- IssuedToken: Messages are encrypted and authentication happens through tokens
issued by an authority such as CardSpace.
Create a new console application as the client for this WCF service. Add a service reference
to ProductService in the client application.
Add the client code below to the console application.
static void Main(string[] args)
{
    // Proxy class generated by Add Service Reference
    ProductsClient client = new ProductsClient();
    string cateName = client.GetCategoryName(1);
}
Enable WCF Tracing and Message Logging for the client application to see how the
communication is encrypted. Execute the application and open SvcTraceViewer. SvcTraceViewer
is located at C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin. If
you do not have SvcTraceViewer installed, click here to download.
Trace and message logs will have been generated after the client application runs. Open
them and notice how the messages are encrypted.
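The tracing and message logging step above, as an added example that is not part of the original article: a client App.config fragment that logs messages at the transport level, where they appear in their WS-Security protected form. The listener names and the .svclog file names are assumptions made for this example.

```xml
<!-- Client App.config fragment; listener and log file names are assumed -->
<configuration>
  <system.diagnostics>
    <sources>
      <!-- Activity traces: security negotiation and channel events -->
      <source name="System.ServiceModel" switchValue="Information, ActivityTracing"
              propagateActivity="true">
        <listeners>
          <add name="traces" type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="client_traces.svclog" />
        </listeners>
      </source>
      <!-- Message content, controlled by the messageLogging element below -->
      <source name="System.ServiceModel.MessageLogging">
        <listeners>
          <add name="messages" type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="client_messages.svclog" />
        </listeners>
      </source>
    </sources>
    <trace autoflush="true" />
  </system.diagnostics>
  <system.serviceModel>
    <diagnostics>
      <!-- Transport level: the message as it goes on the wire, after
           WS-Security has signed and encrypted it. This is the view that
           shows the protected form in SvcTraceViewer.
           Service level: the message before protection on the way out and
           after decryption on the way in, so it is disabled here to keep
           plaintext request and response bodies out of the log file. -->
      <messageLogging logEntireMessage="true"
                      logMalformedMessages="true"
                      logMessagesAtTransportLevel="true"
                      logMessagesAtServiceLevel="false"
                      maxMessagesToLog="100"
                      maxSizeOfMessageToLog="65536" />
    </diagnostics>
  </system.serviceModel>
</configuration>
```

When the client App.config already has a <system.serviceModel> section from Add Service Reference, place the <diagnostics> element inside that existing section rather than adding a second one. Turn logging off again after the check, since the log files grow with every call.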