WCF service with netTcpBinding and DMZ clients


We have a WCF service with netTcpBinding hosted in a Windows service. This service connects to the ContentManager server to upload documents and add some metadata, retrieves the documentID and passes it to a .NET application. The clients are authenticated using Windows authentication. We wrote a WCF client library to be used as a proxy by other line-of-business applications that want to upload documents by just referencing this DLL. All this works fine as long as the client apps are within the intranet domain.

Now there is a requirement for this service to be used by a web app accessed via mobile phones. The mobile application accesses a legacy ASMX web service, which references the proxy to connect to the WCF service, which in turn talks to another backend WCF service and uploads to content manager. The ASMX web service is hosted on servers outside the current domain, in the DMZ, and there is no trust between the corporate domain and the DMZ. We opened the necessary ports on both servers, but since the client credential type is Windows, it throws "The remote server did not satisfy the mutual authentication requirement.", which is expected. We want to use netTcpBinding for the obvious reasons of performance, since documents are scanned and sent via mobile phones from remote locations, and with very little time, rewriting this is not an option. In the articles I read and the discussions here, most suggest against using netTcpBinding for this scenario, and a few tried and implemented this using certificates.

My questions are:

  1. For the scenario I mentioned above, is using certificates to authenticate clients the right approach?
  2. How should I handle security? Right now declarative impersonation is used on almost all operations. If I have to change security, how can I do it without impacting other applications using the service?

I have not worked with certificates before, so guidance with respect to this scenario would also be of great help.


There are 0 answers
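
One way the certificate approach asked about above can sit beside the existing Windows endpoint, as an added configuration example that is not from the original post: a second netTcpBinding endpoint with certificate client credentials is exposed on its own port for the DMZ caller, and the intranet endpoint is left untouched. The service and contract names, hosts, ports and certificate subject are placeholders, and it assumes the DMZ client's certificate is mapped to a Windows account so that impersonation still has an identity to use.

```xml
<!-- Added example. Every name, host, port and certificate subject is a placeholder. -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <!-- Existing intranet binding, unchanged: Windows credentials -->
      <binding name="tcpWindows">
        <security mode="Transport">
          <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
        </security>
      </binding>
      <!-- New binding for the DMZ caller: the client presents an X.509 certificate -->
      <binding name="tcpCertificate">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <services>
    <service name="Example.DocumentUploadService" behaviorConfiguration="uploadBehavior">
      <!-- Intranet clients keep using this endpoint with no change on their side -->
      <endpoint address="net.tcp://service-host.example:8000/upload"
                binding="netTcpBinding" bindingConfiguration="tcpWindows"
                contract="Example.IDocumentUpload" />
      <!-- Separate port, so the firewall rule for the DMZ can allow only this one -->
      <endpoint address="net.tcp://service-host.example:8001/upload-dmz"
                binding="netTcpBinding" bindingConfiguration="tcpCertificate"
                contract="Example.IDocumentUpload" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="uploadBehavior">
        <serviceCredentials>
          <!-- Certificate the service presents to the client on the certificate endpoint -->
          <serviceCertificate findValue="service-host.example" storeLocation="LocalMachine"
                              storeName="My" x509FindType="FindBySubjectName" />
          <clientCertificate>
            <!-- Validate the chain and check revocation; the mapping setting assumes
                 the client certificate is mapped to a Windows account in the directory -->
            <authentication certificateValidationMode="ChainTrust" revocationMode="Online"
                            mapClientCertificateToWindowsAccount="true" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```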