System.ServiceModel
    4.0.0.0
  
  
    System.ServiceModel.Channels.BindingElement
  
  
    
      System.ServiceModel.Channels.ITransportTokenAssertionProvider
    
    
      System.ServiceModel.Description.IPolicyExportExtension
    
  
  
    
      
      Transports that use a stream-oriented protocol, such as TCP and named pipes, support stream-based transport upgrades. Specifically, Windows Communication Foundation (WCF) provides security upgrades. The configuration of this transport security is encapsulated by this class as well as by , which can be configured and added to a custom binding. In addition, a third party can write their own custom StreamSecurityBindingElement. These binding elements extend the  class that is called to build the client and server stream upgrade providers.
      A custom binding contains a collection of binding elements arranged in a specific order: the element that represents the top of the binding stack is added first, the next element down in the binding stack is added second, and so on.
      
        
          To add this class to a binding:

          1. Create a .
          2. Create custom binding elements that are above this binding element in the binding stack, such as the optional  and .
          3. Add the created elements in the order described previously to the  using the  method.
          4. Create an instance of  and add it to the collection.
          5. Add any additional custom binding elements to the collection, such as .
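The steps above, carried out by hand as an added example (this is not code from the reference page): the binding stack is assembled top-down, the SSL stream element is placed directly above the transport, and the result is checked with CanBuildChannelFactory before any factory is created. The class and method names are the example's own.

```csharp
using System;
using System.ServiceModel.Channels;

// Added example (not from the reference page): assembling the binding stack
// described in the steps above by hand and checking it before use.
public static class SslStreamBindingExample
{
    // Stack, top to bottom: BinaryMessageEncoding -> SslStreamSecurity -> TcpTransport.
    // Any optional elements that belong above security (transaction flow, reliable
    // session) would be added before the encoder.
    public static CustomBinding BuildTcpBindingWithSslStream(bool requireClientCertificate)
    {
        var elements = new BindingElementCollection();

        // 1. Elements above the security element go in first (top of the stack).
        elements.Add(new BinaryMessageEncodingBindingElement());

        // 2. The SSL stream upgrade. With RequireClientCertificate = true the server
        //    demands a client certificate during the TLS handshake, so the client
        //    must also be given a certificate via ClientCredentials.ClientCertificate.
        elements.Add(new SslStreamSecurityBindingElement
        {
            RequireClientCertificate = requireClientCertificate
        });

        // 3. The transport is always the bottom element.
        elements.Add(new TcpTransportBindingElement());

        return new CustomBinding(elements);
    }

    // CanBuildChannelFactory should be called before trying to build a factory.
    public static bool CanBuildDuplexSessionFactory(CustomBinding binding)
    {
        return binding.CanBuildChannelFactory<IDuplexSessionChannel>(new BindingParameterCollection());
    }

    public static void Main()
    {
        CustomBinding binding = BuildTcpBindingWithSslStream(requireClientCertificate: true);
        // Print the stack in top-down order to confirm the element ordering.
        foreach (BindingElement element in binding.Elements)
        {
            Console.WriteLine(element.GetType().Name);
        }
        Console.WriteLine("Can build IDuplexSessionChannel factory: " + CanBuildDuplexSessionFactory(binding));
    }
}
```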
      
      There are three scenarios in which you must either manually specify the correct UPN/SPN on the client endpoint after importing the WSDL, or specify a custom  on the client’s .
      
        - No service identity is published in WSDL.  and HTTPS are used (for example, a  with SecurityMode = ). If the service is not running with the machine identity, you must manually specify the correct UPN/SPN on the client endpoint after importing the WSDL.
        - A DNS service identity is published in WSDL.  and  are used (for example,  with SecurityMode = ) instead of a UPN/SPN. If the service is not running with the machine identity, or the DNS identity is not the machine's identity, you must manually specify the correct UPN/SPN on the client endpoint after importing the WSDL.
        - A DNS identity is published in WSDL. If  is overridden on the client, you must specify a custom  on the client's .
The following code shows how to manually specify the correct UPN/SPN on the client endpoint, as well as how to specify a custom  on the client's .
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Xml;
namespace ServiceNamespace
{
    [ServiceContract]
    interface IService
    {
        [OperationContract]
        void DoSomething();
    }
    // Custom identity verifier: accepts the service only if the DNS claim presented
    // through its certificate matches the host name of the endpoint the client addressed.
    class DnsIdentityVerifier : IdentityVerifier
    {
        DnsEndpointIdentity _expectedIdentity;
        public DnsIdentityVerifier(EndpointAddress serviceEndpoint)
        {
            _expectedIdentity = new DnsEndpointIdentity(serviceEndpoint.Uri.DnsSafeHost);
        }
        public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
        {
            // Fail closed: if no DNS claim is present the identity cannot be verified.
            Claim dnsClaim = authContext.Claims().SingleOrDefault(claim => claim.ClaimType == ClaimTypes.Dns);
            if (dnsClaim == null)
            {
                return false;
            }
            return String.Equals(_expectedIdentity.IdentityClaim.Resource, dnsClaim.Resource);
        }
        public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity)
        {
            identity = _expectedIdentity;
            return true;
        }
    }
    // Flattens the claim sets of an AuthorizationContext into a single sequence of claims.
    static class LinqExtensionForClaims
    {
        public static IEnumerable<Claim> Claims(this AuthorizationContext authContext)
        {
            if (null != authContext.ClaimSets)
            {
                foreach (ClaimSet claimSet in authContext.ClaimSets)
                {
                    if (null != claimSet)
                    {
                        foreach (Claim claim in claimSet)
                        {
                            yield return claim;
                        }
                    }
                }
            }
        }
    }
    class Service : IService
    {
        public void DoSomething()
        {
            Console.WriteLine("Service called.");
        }
    }
    class Program
    {
        static void Main(string[] args)
        {
            string hostname = Dns.GetHostEntry(String.Empty).HostName;
            NetTcpBinding serviceBinding = new NetTcpBinding(SecurityMode.TransportWithMessageCredential);
            ServiceHost serviceHost = new ServiceHost(typeof(Service), new Uri(String.Format("net.tcp://{0}:8080/Service", hostname)));
            // The service certificate is looked up by thumbprint in the local machine store.
            serviceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "8a 42 1b eb cf 8a 14 b1 de 83 d9 a5 70 88 0a 62 f9 bf 69 06");
            ServiceEndpoint serviceEndpoint = serviceHost.AddServiceEndpoint(typeof(IService), serviceBinding, "Endpoint");
            serviceHost.Open();
            // Client side: expand the binding into a CustomBinding so the
            // SslStreamSecurityBindingElement can be found and given a custom IdentityVerifier.
            CustomBinding clientBinding = new CustomBinding(serviceBinding.CreateBindingElements());
            SslStreamSecurityBindingElement sslStream = clientBinding.Elements.Find<SslStreamSecurityBindingElement>();
            sslStream.IdentityVerifier = new DnsIdentityVerifier(serviceEndpoint.Address);
            // The UPN on the endpoint address is the identity the client expects the service to run as.
            ChannelFactory<IService> channelFactory = new ChannelFactory<IService>(clientBinding, new EndpointAddress(serviceEndpoint.Address.Uri, UpnEndpointIdentity.CreateUpnIdentity("username@domain")));
            // Disallow NTLM so the client cannot silently fall back from Kerberos,
            // which would bypass the UPN/SPN-based service authentication.
            channelFactory.Credentials.Windows.AllowNtlm = false;
            IService channel = channelFactory.CreateChannel();
            channel.DoSomething();
        }
    }
}
    
    
      
      Represents a custom binding element that supports channel security using an SSL stream.
    
  
  
    
      
      
      Constructor
      
        4.0.0.0
      
      
      
        To be added.
        
          
          Initializes a new instance of the  class. 
        
      
    
    
      
      
      Method
      
        4.0.0.0
      
      
        System.ServiceModel.Channels.IChannelFactory<TChannel>
      
      
        
      
      
        
      
      
        
          
          This method creates a channel factory, which is used to create a channel that processes outgoing messages for this binding.
        
        
          
          Creates a channel factory of a specified type.
        
        
          
          An  object that represents the channel factory of type .
        
        
          The .
        
          Type of channel factory.
      
    
    
      
      
      Method
      
        4.0.0.0
      
      
        System.ServiceModel.Channels.IChannelListener<TChannel>
      
      
        
          
            ReferenceTypeConstraint
            System.ServiceModel.Channels.IChannel
          
        
      
      
        
      
      
        
          
          This method creates a channel listener, which is used to create a channel that processes incoming messages for this binding.
        
        
          
          Creates a channel listener of a specified type.
        
        
          
          An  object that represents a channel listener of type .
        
        
          The .
        
          Type of channel listener.
      
    
    
      
      
      Method
      
        4.0.0.0
      
      
        System.ServiceModel.Channels.StreamUpgradeProvider
      
      
        
      
      
        
          
          This method is called when opening the client channel factory and provides a custom implementation of the  abstract class.
          The  parameter enables reacting to other elements in the channel stack.
        
        
          
          Creates an instance on the client of the  based on the channel context provided.
        
        
          
          An instance of the . 
        
        
          The  for the entire channel stack.
      
    
    
      
      
      Method
      
        4.0.0.0
      
      
        System.ServiceModel.Channels.StreamUpgradeProvider
      
      
        
      
      
        
          
          This method is called when opening the service and provides a custom implementation of the  abstract class.
          The  parameter enables reacting to other elements in the channel stack.
        
        
          
          Creates an instance on the server of the  based on the channel context provided.
        
        
          
          An instance of the .
        
        
          The  for the entire channel stack.
      
    
    
      
      
      Method
      
        4.0.0.0
      
      
        System.Boolean
      
      
        
      
      
        
      
      
        
          
          You should call this method before trying to create a channel factory.
        
        
          
          Gets a value that indicates whether a channel factory of the specified type can be built.
        
        
          
          true if a channel factory of the specified type can be built; otherwise, false.
        
        
          The .
        
          Type of channel factory.
      
    
    
      
      
      Method
      
        4.0.0.0
      
      
        System.Boolean
      
      
        
          
            ReferenceTypeConstraint
            System.ServiceModel.Channels.IChannel
          
        
      
      
        
      
      
        
          
          You should call this method before trying to create a channel listener.
        
        
          
          Gets a value that indicates whether a channel listener of the specified type can be built.
        
        
          
          true if a channel listener of the specified type can be built; otherwise, false.
        
        
          The .
        
          Type of channel listener.
      
    
    
      
      
      Method
      
        4.0.0.0
      
      
        System.ServiceModel.Channels.BindingElement
      
      
      
        To be added.
        
          
          Creates a new instance that is a copy of the current instance.
        
        
          
          A  instance that is a copy of the current instance.
        
      
    
    
      
      
      Method
      
        4.0.0.0
      
      
        T
      
      
        
          
            ReferenceTypeConstraint
          
        
      
      
        
      
      
        
          
          This method gets the specified object from the base class or from one of that class's ancestors. The object returned is usually a collection of properties, for example, an object that implements .
        
        
          
          Gets a specified object from the .
        
        
          
          The  object of type from the , or null if the object is not found.
        
        
          A .
        
          The type of the object to get.
      
    
    
      
      
      Method
      
        4.0.0.0
      
      
        System.Xml.XmlElement
      
      
      
        
          
          This method is used to generate WSDL for the associated service.
        
        
          
          Gets the  that represents the transport token used in the security binding.
        
        
          
          An  that represents the transport token used in the security binding.
        
      
    
    
      
      
      Property
      
        4.0.0.0
      
      
        System.ServiceModel.Security.IdentityVerifier
      
      
        To be added.
        To be added.
        
          
          Gets or sets the identity verifier for this binding. 
        
      
    
    
      
      
      Property
      
        4.0.0.0
      
      
        System.Boolean
      
      
        To be added.
        To be added.
        
          
          Gets or sets a value that specifies whether a client certificate is required for this binding.
        
      
    
    
      
      
      Method
      
        4.0.0.0
      
      
        System.Void
      
      
        
        
      
      
        
          
          This method writes binding-related statements into the WSDL information exposed by a particular contract and is used by WCF to communicate to clients the existence of this custom binding element in the binding stack.
          This method takes two parameters: the  and  objects. Use the , , and  methods to obtain collections of policy assertions that have already been exported at various scopes. Then use this method to add your own policy assertions to the appropriate collection.
          The  property exposes the  for the endpoint that is being exported. This enables the method to correctly scope its exported policy assertions. For example, security attributes in code can add behaviors to the  that indicate where security policy assertions should be added.
          Once custom policy assertions are attached to the WSDL information, clients can detect and import the custom binding assertions by implementing an  interface.
        
        
          
          Exports a custom policy assertion about bindings.
        
        
          The  that you can use to modify the exporting process.
        
          The  that you can use to insert your custom policy assertion.
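As an added illustration (not code from the reference page or from WCF itself), a minimal custom binding element that implements ExportPolicy in the way described above: it obtains the binding-scoped assertion collection from the conversion context and adds one assertion so that importers can recognise the element. The assertion name, its namespace and the class name are invented for this example.

```csharp
using System;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.Xml;

// Added example: a minimal custom binding element whose ExportPolicy adds a
// binding-scoped assertion. The element name and namespace are made up here.
public sealed class ExamplePolicyBindingElement : BindingElement, IPolicyExportExtension
{
    public const string PolicyNamespace = "urn:example:policy"; // invented namespace
    public const string AssertionName = "RequireSslStream";     // invented element name

    public override BindingElement Clone()
    {
        return new ExamplePolicyBindingElement();
    }

    public override T GetProperty<T>(BindingContext context)
    {
        // This element adds no properties of its own; defer to the rest of the stack.
        return context.GetInnerProperty<T>();
    }

    public void ExportPolicy(MetadataExporter exporter, PolicyConversionContext context)
    {
        if (exporter == null) throw new ArgumentNullException("exporter");
        if (context == null) throw new ArgumentNullException("context");

        // Binding scope: the assertion applies to every message on the endpoint.
        // GetMessageBindingAssertions / GetOperationBindingAssertions would be used
        // instead for assertions that apply only to particular messages or operations.
        PolicyAssertionCollection bindingAssertions = context.GetBindingAssertions();

        // Do not emit the assertion twice when the same binding is exported again
        // (for example, when several endpoints share one binding).
        if (bindingAssertions.Contains(AssertionName, PolicyNamespace))
        {
            return;
        }

        XmlDocument doc = new XmlDocument();
        XmlElement assertion = doc.CreateElement("ex", AssertionName, PolicyNamespace);
        bindingAssertions.Add(assertion);
    }
}
```

A client-side importer would look for this element by the same local name and namespace and, when found, put the matching binding element into the imported binding.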