How secure is Windows Authentication of WCF's wsHttpBinding? Authentication, security, wsHttpBinding, WCF

2023-09-06 06:09:14 Author: 烈酒烫喉

I have created WCF and I have used wsHttpBinding and MTOM as message transport with authentication as "Windows".

Now my service is not currently SECURE; it's plain HTTP, running on a custom port.

Is Windows Authentication of WCF's wsHttpBinding secure? Can anyone see the password or guess it through a network trace?

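Environment information:

- On a hosted network
- No Active Directory; it is a single server
- Connecting from my office with the server's administrator username and password
- On the client side, the password is not mentioned in the config file; it is entered at runtime. It works correctly, because entering wrong credentials returns some sort of security exception as well.
- Running .NET 4.0 on custom port 89. Currently I have set the following configuration in the app.config of my custom Windows service; I am hosting my WCF inside a custom Windows service installed as Local Service. I have enabled impersonation for every method.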

Here is the app.config:

  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="metaAndErrors">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
          <serviceAuthorization impersonateCallerForAllOperations="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="CustomServiceHost.CustomService"
               behaviorConfiguration="metaAndErrors">
        <endpoint address="" binding="wsHttpBinding"
                  bindingConfiguration="wsHttpLargeBinding"
                  contract="CustomServiceHost.ICustomService"/>
        <endpoint address="mex" binding="mexHttpBinding"
                  contract="IMetadataExchange" />
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost:89/CustomService" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding
          name="wsHttpLargeBinding" messageEncoding="Mtom"
          maxReceivedMessageSize="2147483647">
          <readerQuotas maxArrayLength="512000"/>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>

Following is the client configuration, done at runtime:

        WSHttpBinding binding = new WSHttpBinding();

        binding.Security.Message.ClientCredentialType 
            = MessageCredentialType.Windows;
        binding.Security.Mode = SecurityMode.Message;

        binding.MessageEncoding = WSMessageEncoding.Mtom;

        binding.ReaderQuotas.MaxArrayLength = 512000;

        CustomServiceClient cc = new CustomServiceClient(
            binding,
            new EndpointAddress(string.Format(
                "http://{0}:89/CustomService", 
                host.ServerHost))
            );

        cc.ClientCredentials.Windows.AllowedImpersonationLevel 
            = System.Security.Principal.TokenImpersonationLevel.Impersonation; 
        cc.ClientCredentials.Windows.ClientCredential 
            = new NetworkCredential(host.Username, host.Password);

Thank you, - Akash

Recommended answer

Regarding your question about the passwords: Windows Authentication either uses Kerberos or NTLM and neither protocol transfers passwords in clear text.

This information is written here: http://msdn.microsoft.com/en-us/library/ff647076.aspx

You should use Integrated Windows authentication instead of basic authentication because it avoids transmitting user credentials over the network.

This means you do not need SSL to protect your passwords, but if you have other information that is sensitive (in your service calls) then you should consider using encryption (e.g. SSL). I did not try this, but it should get you started:

http://www.codeproject.com/KB/WCF/WCFSSL.aspx

Another option would be to encrypt the messages (message security instead of transport security). Here is another link that should get you started:

http://msdn.microsoft.com/en-us/library/ms733137.aspx
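
The transport-security (SSL) option mentioned in the answer, as an added configuration example that is not from the original post: the question's app.config moved to HTTPS while keeping Windows credentials and impersonation. The binding name `wsHttpLargeBindingTls` is hypothetical, and the example assumes a server certificate is already bound to port 89.

```xml
<!-- Added example, not the original poster's configuration -->
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="metaAndErrors">
        <!-- Serve metadata over HTTPS only -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        <!-- Do not return exception details (stack traces) to callers -->
        <serviceDebug includeExceptionDetailInFaults="false" />
        <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
        <serviceAuthorization impersonateCallerForAllOperations="true"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="CustomServiceHost.CustomService"
             behaviorConfiguration="metaAndErrors">
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="wsHttpLargeBindingTls"
                contract="CustomServiceHost.ICustomService"/>
      <!-- Metadata exchange endpoint also moves to HTTPS -->
      <endpoint address="mex" binding="mexHttpsBinding"
                contract="IMetadataExchange" />
      <host>
        <baseAddresses>
          <!-- Assumption: a server certificate is bound to port 89 -->
          <add baseAddress="https://localhost:89/CustomService" />
        </baseAddresses>
      </host>
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <!-- Hypothetical binding name; quotas copied from the question -->
      <binding name="wsHttpLargeBindingTls" messageEncoding="Mtom"
               maxReceivedMessageSize="2147483647">
        <readerQuotas maxArrayLength="512000"/>
        <!-- TLS encrypts the whole exchange; Windows credentials
             (Kerberos or NTLM) authenticate the caller -->
        <security mode="Transport">
          <transport clientCredentialType="Windows"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>
```

The runtime client from the question would need matching settings: `SecurityMode.Transport`, `binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows`, and an `https://` endpoint address.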