Securing a WCF Service Call Between Server Applications Using Federated Security

I have two MVC sites that use the same STS for authentication. I need to create a WCF service as part of one of the sites that allows another site to receive data.

These sites can be located on different computers accessible via the Internet (although they are currently located on the same machine), and access to the WCF service should be available only from the client site. The authentication token used to log in to the client site must be passed to the WCF service.

I looked at the various WS-Security options available (Transport, Message, etc.), but it hasn't sunk in 100%, and I feel that in the end I will implement something that seemed safe but really wasn't, due to lack of understanding. Any help is greatly appreciated.

Edit:

My first attempt was to secure the transport layer and install a virtual WCF service directory with SSL in IIS. However, this left me with an error:

"The remote certificate is invalid according to the verification procedure."

And I had no way to guarantee that a particular client is connecting to the service, only that the client had a certificate from a trusted CA. At least as far as I know. I probably missed something important here.

+4
1

, , WCF.

"ActAs" STS:

  • WCF STS.
  • MVC STS ActAs, WCF.
  • MVC ActAs .

:

WS: (ActAs) WSTrustChannel ( )

, STS , Googling "ActAs token", , , .

+1
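The answer above names an ActAs token and `WSTrustChannel`. The following is an added sketch of that flow on .NET 4.5 (WIF), not code from the original post. The endpoint URLs, the `IDataService` contract, the service-account credentials and the bearer key type are assumptions. The MVC site authenticates to the STS as itself, presents the signed-in user's bootstrap token as ActAs, and calls the WCF service with the delegated token, so the STS decides which site may act for a user.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IDataService { [OperationContract] string GetData(int id); } // hypothetical contract

public static class ActAsClient
{
    // Placeholder endpoints (assumptions); replace with your STS and service addresses.
    const string StsUrl = "https://sts.example.test/trust/13/usernamemixed";
    const string ServiceUrl = "https://service.example.test/DataService.svc";

    public static IDataService CreateProxy(ClaimsIdentity user, string siteAccount, string sitePassword)
    {
        // Needs saveBootstrapContext="true" in the MVC site's identity configuration.
        var bootstrap = user.BootstrapContext as BootstrapContext;
        if (bootstrap == null || bootstrap.SecurityToken == null)
            throw new InvalidOperationException("No bootstrap token for the signed-in user.");

        // The MVC site authenticates to the STS with its own account over TLS.
        var stsBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        stsBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        stsBinding.Security.Message.EstablishSecurityContext = false;
        var trust = new WSTrustChannelFactory(stsBinding, new EndpointAddress(StsUrl));
        trust.TrustVersion = TrustVersion.WSTrust13;
        trust.Credentials.UserName.UserName = siteAccount;
        trust.Credentials.UserName.Password = sitePassword;

        // Ask for a token scoped to the WCF service, acting as the signed-in user.
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,
            AppliesTo = new EndpointReference(ServiceUrl),
            ActAs = new SecurityTokenElement(bootstrap.SecurityToken)
        };
        RequestSecurityTokenResponse rstr;
        SecurityToken delegated = trust.CreateChannel().Issue(rst, out rstr);

        // Call the service with the delegated token instead of re-authenticating.
        var svcBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        svcBinding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        svcBinding.Security.Message.EstablishSecurityContext = false;
        var factory = new ChannelFactory<IDataService>(svcBinding, new EndpointAddress(ServiceUrl));
        factory.Credentials.SupportInteractive = false;
        return factory.CreateChannelWithIssuedToken(delegated);
    }
}
```

On the service side, the delegated identity is available as `ClaimsIdentity.Actor` on the caller's principal, which lets the service check which site is acting for the user.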

Source: https://habr.com/ru/post/1531739/

