Best practice 3-tier WCF authentication

Old forum URL: forums.lhotka.net/forums/t/10689.aspx


GlennMiller posted on Thursday, September 15, 2011

We are developing an ASP.NET MVC 3 application using CSLA in 3-tier remoting mode using WCF communication between the external facing hosted app computer and behind the firewall app server computer.

What is the recommended best practice to secure the communication between the tiers? I’ve read older documentation (including Rocky’s CSLA 2008 book) that recommends certificate authentication using Chain Trust. Is that still best practice? If you do certificate authentication, is creating a custom UserNamePasswordValidator necessary or recommended for added security?

Any thoughts or example articles on securing 3-tiers would be greatly appreciated.

Thank you.

RockfordLhotka replied on Friday, September 16, 2011

The general recommendation is to use SSL. That is secure, and is the easiest thing to get working.

Surely you'd use that between the browser and your web server.

Between the web server and the app server most people don't use an encrypted transfer. But if you need to (due to HIPAA or something), then SSL is still the easiest answer. Otherwise, between your servers you can use X.509 certificates.

See the WCF security guidance book on CodePlex for information about these and other options.
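As an added illustration of the certificate option from the reply above (not code from the thread or from the CSLA project), this is an app-server web.config fragment showing an unsecured wsHttpBinding beside one that uses X.509 message security with ChainTrust validation. The CSLA 4 host type names and the certificate subject are assumptions.

```xml
<!-- app server (behind the firewall): web.config fragment -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- WEAK: no security; the web server to app server hop is plaintext and unauthenticated -->
      <binding name="OpenPortal">
        <security mode="None" />
      </binding>
      <!-- HARDENED: message-level security, both tiers authenticate with X.509 certificates -->
      <binding name="CertPortal">
        <security mode="Message">
          <message clientCredentialType="Certificate" negotiateServiceCredential="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="CertPortalBehavior">
        <serviceCredentials>
          <!-- certificate the app server signs and encrypts with (placeholder subject) -->
          <serviceCertificate findValue="CN=appserver.example.internal"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <clientCertificate>
            <!-- ChainTrust: the web server's certificate must chain to a CA the app
                 server trusts; revocation is checked instead of accepting any cert -->
            <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <!-- CSLA 4 WCF data portal host (assumed type names) -->
    <service name="Csla.Server.Hosts.WcfPortal" behaviorConfiguration="CertPortalBehavior">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="CertPortal"
                contract="Csla.Server.Hosts.IWcfPortal" />
    </service>
  </services>
</system.serviceModel>
```

The web server side needs the mirror image: a clientCredentials behavior naming its own certificate and a serviceCertificate/authentication element with the same ChainTrust mode, so an app server presenting an untrusted certificate is rejected as well.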

Copyright (c) Marimer LLC