SslStreamSecurityBindingElement class
Assembly: System.ServiceModel (4.0.0.0)
Inherits: System.ServiceModel.Channels.BindingElement
Implements: System.ServiceModel.Channels.ITransportTokenAssertionProvider, System.ServiceModel.Description.IPolicyExportExtension

Remarks

Transports that use a stream-oriented protocol, such as TCP and named pipes, support stream-based transport upgrades. In particular, Windows Communication Foundation (WCF) provides security upgrades. The configuration of this transport security is encapsulated by this class as well as by a related stream security binding element; both can be configured and added to a custom binding. In addition, a third party can write their own custom StreamSecurityBindingElement. These binding elements extend the base class that is called to build the client and server stream upgrade providers. A custom binding contains a collection of binding elements arranged in a specific order: the element that represents the top of the binding stack is added first, the next element down in the binding stack is added second, and so on.

To add this class to a binding

1. Create a CustomBinding.
2. Create the custom binding elements that sit above this binding element in the binding stack, such as the optional and .
3. Add the created elements, in the order described previously, to the binding's element collection.
4. Create an instance of SslStreamSecurityBindingElement and add it to the collection.
5. Add any additional custom binding elements to the collection, such as .
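The procedure above, carried out in code as an added example (this is not code from the reference page): a binary message encoder goes on top, the SslStreamSecurityBindingElement directly beneath it, and the TCP transport last, because the transport is always the bottom of the stack. The class and method names SslTcpBindingBuilder, Build, FindSsl, SupportsDuplexSession and SupportsRequestReply are constructed for this example; CustomBinding, BindingElementCollection.Find<T>, RequireClientCertificate and Binding.CanBuildChannelFactory<T> are existing WCF APIs.

```csharp
using System;
using System.ServiceModel.Channels;

// Added example: builds the binding stack described in the procedure above.
static class SslTcpBindingBuilder
{
    // Elements are added top-down. The encoder is first, the SSL stream upgrade
    // element is next, and the transport is added last.
    public static CustomBinding Build(bool requireClientCertificate)
    {
        CustomBinding binding = new CustomBinding();
        binding.Elements.Add(new BinaryMessageEncodingBindingElement());
        SslStreamSecurityBindingElement ssl = new SslStreamSecurityBindingElement();
        ssl.RequireClientCertificate = requireClientCertificate;   // mutual TLS when true
        binding.Elements.Add(ssl);
        binding.Elements.Add(new TcpTransportBindingElement());
        return binding;
    }

    // Locate the SSL element again later, for example to attach an IdentityVerifier
    // on the client side of the binding.
    public static SslStreamSecurityBindingElement FindSsl(CustomBinding binding)
    {
        SslStreamSecurityBindingElement ssl = binding.Elements.Find<SslStreamSecurityBindingElement>();
        if (ssl == null)
        {
            throw new InvalidOperationException("The binding contains no SslStreamSecurityBindingElement.");
        }
        return ssl;
    }

    // The reference page advises checking whether a channel factory of a given shape
    // can be built before trying to build it. TCP is a session-oriented duplex transport,
    // so IDuplexSessionChannel is supported while IRequestChannel is not.
    public static bool SupportsDuplexSession(Binding binding)
    {
        return binding.CanBuildChannelFactory<IDuplexSessionChannel>();
    }

    public static bool SupportsRequestReply(Binding binding)
    {
        return binding.CanBuildChannelFactory<IRequestChannel>();
    }

    public static void Main()
    {
        CustomBinding binding = Build(true);
        Console.WriteLine("IDuplexSessionChannel supported: {0}", SupportsDuplexSession(binding));
        Console.WriteLine("IRequestChannel supported: {0}", SupportsRequestReply(binding));
        Console.WriteLine("RequireClientCertificate: {0}", FindSsl(binding).RequireClientCertificate);
    }
}
```

If the transport is added anywhere but last, or the SSL element is placed below it, opening a factory or listener fails, so keeping the order fixed in one builder method is the simplest way to avoid that class of misconfiguration.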
There are three scenarios in which you must either manually specify the correct UPN/SPN on the client endpoint after importing the WSDL, or specify a custom IdentityVerifier on the client's SslStreamSecurityBindingElement:

1. No service identity is published in WSDL, and and HTTPS are used (for example, a with SecurityMode = ). If the service is not running with the machine identity, you must manually specify the correct UPN/SPN on the client endpoint after importing the WSDL.
2. A DNS service identity is published in WSDL, and and are used (for example, with SecurityMode = ) instead of a UPN/SPN. If the service is not running with the machine identity, or the DNS identity is not the machine's identity, you must manually specify the correct UPN/SPN on the client endpoint after importing the WSDL.
3. A DNS identity is published in WSDL. If IdentityVerifier is overridden on the client, you must specify a custom IdentityVerifier on the client's SslStreamSecurityBindingElement.

The following code shows how to manually specify the correct UPN/SPN on the client endpoint, as well as how to specify a custom IdentityVerifier on the client's SslStreamSecurityBindingElement.

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Net;
    using System.IdentityModel.Claims;
    using System.IdentityModel.Policy;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Description;
    using System.ServiceModel.Security;
    using System.Xml;

    namespace ServiceNamespace
    {
        [ServiceContract]
        interface IService
        {
            [OperationContract]
            void DoSomething();
        }

        // Custom verifier: the server is accepted only if the DNS claim presented
        // during the SSL handshake matches the host name of the endpoint address.
        class DnsIdentityVerifier : IdentityVerifier
        {
            DnsEndpointIdentity _expectedIdentity;

            public DnsIdentityVerifier(EndpointAddress serviceEndpoint)
            {
                _expectedIdentity = new DnsEndpointIdentity(serviceEndpoint.Uri.DnsSafeHost);
            }

            public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
            {
                Claim dnsClaim = authContext.Claims().Single(claim => claim.ClaimType == ClaimTypes.Dns);
                return String.Equals(_expectedIdentity.IdentityClaim.Resource, dnsClaim.Resource);
            }

            public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity)
            {
                identity = _expectedIdentity;
                return true;
            }
        }

        // Flattens the claim sets of an AuthorizationContext into a single sequence of claims.
        static class LinqExtensionForClaims
        {
            public static IEnumerable<Claim> Claims(this AuthorizationContext authContext)
            {
                if (null != authContext.ClaimSets)
                {
                    foreach (ClaimSet claimSet in authContext.ClaimSets)
                    {
                        if (null != claimSet)
                        {
                            foreach (Claim claim in claimSet)
                            {
                                yield return claim;
                            }
                        }
                    }
                }
            }
        }

        class Service : IService
        {
            public void DoSomething()
            {
                Console.WriteLine("Service called.");
            }
        }

        class Program
        {
            static void Main(string[] args)
            {
                string hostname = Dns.GetHostEntry(String.Empty).HostName;

                // Host the service over TCP with an SSL stream upgrade plus message credentials.
                NetTcpBinding serviceBinding = new NetTcpBinding(SecurityMode.TransportWithMessageCredential);
                ServiceHost serviceHost = new ServiceHost(typeof(Service),
                    new Uri(String.Format("net.tcp://{0}:8080/Service", hostname)));
                // The thumbprint selects the service certificate from the LocalMachine\My store.
                serviceHost.Credentials.ServiceCertificate.SetCertificate(
                    StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint,
                    "8a 42 1b eb cf 8a 14 b1 de 83 d9 a5 70 88 0a 62 f9 bf 69 06");
                ServiceEndpoint serviceEndpoint = serviceHost.AddServiceEndpoint(typeof(IService), serviceBinding, "Endpoint");
                serviceHost.Open();

                // Client side: copy the service binding stack and attach the custom
                // identity verifier to its SslStreamSecurityBindingElement.
                CustomBinding clientBinding = new CustomBinding(serviceBinding.CreateBindingElements());
                SslStreamSecurityBindingElement sslStream = clientBinding.Elements.Find<SslStreamSecurityBindingElement>();
                sslStream.IdentityVerifier = new DnsIdentityVerifier(serviceEndpoint.Address);

                // Manually specify the UPN expected for the service identity on the client endpoint.
                ChannelFactory<IService> channelFactory = new ChannelFactory<IService>(clientBinding,
                    new EndpointAddress(serviceEndpoint.Address.Uri, UpnEndpointIdentity.CreateUpnIdentity("username@domain")));
                channelFactory.Credentials.Windows.AllowNtlm = false;

                IService channel = channelFactory.CreateChannel();
                channel.DoSomething();

                // Close the channel, factory and host cleanly.
                ((IClientChannel)channel).Close();
                channelFactory.Close();
                serviceHost.Close();
            }
        }
    }
Represents a custom binding element that supports channel security using an SSL stream.
Members

Constructor (4.0.0.0)
Initializes a new instance of the class.

Method (4.0.0.0), returns System.ServiceModel.Channels.IChannelFactory<TChannel>
Creates a channel factory of a specified type. The factory is used to create a channel that processes outgoing messages for this binding.
Returns: an object that represents the channel factory of type TChannel.
Parameters: the binding context; TChannel, the type of channel factory.

Method (4.0.0.0), returns System.ServiceModel.Channels.IChannelListener<TChannel>, where TChannel : class, System.ServiceModel.Channels.IChannel
Creates a channel listener of a specified type. The listener is used to create a channel that processes incoming messages for this binding.
Returns: an object that represents a channel listener of type TChannel.
Parameters: the binding context; TChannel, the type of channel listener.

Method (4.0.0.0), returns System.ServiceModel.Channels.StreamUpgradeProvider (client side)
Creates an instance on the client of the StreamUpgradeProvider based on the channel context provided. This method is called when opening the client channel factory and provides a custom implementation of the abstract StreamUpgradeProvider class. The context parameter enables reacting to other elements in the channel stack.
Returns: an instance of the StreamUpgradeProvider.
Parameter: the binding context for the entire channel stack.

Method (4.0.0.0), returns System.ServiceModel.Channels.StreamUpgradeProvider (server side)
Creates an instance on the server of the StreamUpgradeProvider based on the channel context provided. This method is called when opening the service and provides a custom implementation of the abstract StreamUpgradeProvider class. The context parameter enables reacting to other elements in the channel stack.
Returns: an instance of the StreamUpgradeProvider.
Parameter: the binding context for the entire channel stack.

Method (4.0.0.0), returns System.Boolean
Gets a value that indicates whether a channel factory of the specified type can be built. You should call this method before trying to create a channel factory.
Returns: true if a channel factory of the specified type can be built; otherwise, false.
Parameters: the binding context; TChannel, the type of channel factory.

Method (4.0.0.0), returns System.Boolean, where TChannel : class, System.ServiceModel.Channels.IChannel
Gets a value that indicates whether a channel listener of the specified type can be built. You should call this method before trying to create a channel listener.
Returns: true if a channel listener of the specified type can be built; otherwise, false.
Parameters: the binding context; TChannel, the type of channel listener.

Method (4.0.0.0), returns System.ServiceModel.Channels.BindingElement
Creates a new instance that is a copy of the current instance.
Returns: a BindingElement instance that is a copy of the current instance.

Method (4.0.0.0), returns T, where T : class
Gets a specified object from the binding context. This method gets the specified object from the base class or from one of that class's ancestors. The object returned is usually a collection of properties, for example, an object that implements .
Returns: the object of type T from the binding context, or null if the object is not found.
Parameters: the binding context; T, the type of the object to get.

Method (4.0.0.0), returns System.Xml.XmlElement
Gets the XmlElement that represents the transport token used in the security binding. This method is used to generate WSDL for the associated service.
Returns: an XmlElement that represents the transport token used in the security binding.

Property IdentityVerifier (4.0.0.0), type System.ServiceModel.Security.IdentityVerifier
Gets or sets the identity verifier for this binding.

Property (4.0.0.0), type System.Boolean
Gets or sets a value that specifies whether a client certificate is required for this binding.

Method (4.0.0.0), returns System.Void
Exports a custom policy assertion about bindings. This method writes binding-related statements into the WSDL information exposed by a particular contract and is used by WCF to communicate to clients the existence of this custom binding element in the binding stack. The method takes two parameters: the metadata exporter, which you can use to modify the exporting process, and the policy conversion context, which you can use to insert your custom policy assertion. Use the conversion context's accessor methods to obtain the collections of policy assertions that have already been exported at various scopes, then add your own policy assertions to the appropriate collection.

The conversion context also exposes the contract description of the endpoint that is being exported, which lets this method scope its exported policy assertions correctly. For example, security attributes in code can add behaviors to the contract description that indicate where security policy assertions should be added. Once custom policy assertions are attached to the WSDL information, clients can detect and import the custom binding assertions by implementing an interface.
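An added example of the export mechanism just described, not code from the reference page or from WCF itself: a hypothetical marker binding element implements System.ServiceModel.Description.IPolicyExportExtension and adds one binding-scope assertion through the conversion context, and a WsdlExporter then emits the WSDL for a custom binding that also contains an SslStreamSecurityBindingElement, so that the SSL transport token assertion and the custom assertion can both be checked for in the output. AuditPolicyBindingElement, IPing, the RequireAudit element, the urn:example:audit-policy namespace and the net.tcp://localhost:8080/ping address are constructed for this example; IPolicyExportExtension.ExportPolicy(MetadataExporter, PolicyConversionContext), PolicyConversionContext.GetBindingAssertions, BindingContext.GetInnerProperty<T>, WsdlExporter and GetTransportTokenAssertion are existing WCF APIs.

```csharp
using System;
using System.IO;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.Xml;

// Hypothetical marker element (not a WCF type) that exports one binding-scope policy assertion.
class AuditPolicyBindingElement : BindingElement, IPolicyExportExtension
{
    public const string PolicyNamespace = "urn:example:audit-policy";   // constructed namespace

    public override BindingElement Clone()
    {
        return new AuditPolicyBindingElement();
    }

    // This element adds no channel capabilities, so delegate property lookups to the rest of the stack.
    public override T GetProperty<T>(BindingContext context)
    {
        return context.GetInnerProperty<T>();
    }

    public void ExportPolicy(MetadataExporter exporter, PolicyConversionContext context)
    {
        if (context == null)
        {
            throw new ArgumentNullException("context");
        }
        XmlDocument doc = new XmlDocument();
        XmlElement assertion = doc.CreateElement("ex", "RequireAudit", PolicyNamespace);
        // Binding scope: the assertion applies to every operation and message on the endpoint.
        context.GetBindingAssertions().Add(assertion);
    }
}

[ServiceContract]
interface IPing
{
    [OperationContract]
    string Ping(string text);
}

static class PolicyExportDemo
{
    // Exports the endpoint's WSDL and returns it as text so the emitted policy can be inspected.
    public static string ExportWsdl(out int errorCount)
    {
        Binding binding = new CustomBinding(
            new AuditPolicyBindingElement(),
            new BinaryMessageEncodingBindingElement(),
            new SslStreamSecurityBindingElement(),
            new TcpTransportBindingElement());
        ServiceEndpoint endpoint = new ServiceEndpoint(
            ContractDescription.GetContract(typeof(IPing)), binding,
            new EndpointAddress("net.tcp://localhost:8080/ping"));   // constructed address

        WsdlExporter exporter = new WsdlExporter();
        exporter.ExportEndpoint(endpoint);
        errorCount = exporter.Errors.Count;

        StringWriter writer = new StringWriter();
        foreach (System.Web.Services.Description.ServiceDescription wsdl in exporter.GeneratedWsdlDocuments)
        {
            wsdl.Write(writer);
        }
        return writer.ToString();
    }

    // Both the custom assertion and the SSL transport token assertion should be present in the policy.
    public static bool PolicyContainsExpectedAssertions(string wsdl)
    {
        string sslTokenName = new SslStreamSecurityBindingElement().GetTransportTokenAssertion().LocalName;
        return wsdl.Contains("RequireAudit") && wsdl.Contains(sslTokenName);
    }

    public static void Main()
    {
        int errors;
        string wsdl = ExportWsdl(out errors);
        Console.WriteLine("export errors: {0}", errors);
        Console.WriteLine("expected assertions present: {0}", PolicyContainsExpectedAssertions(wsdl));
    }
}
```

Checking the exported WSDL for the transport token assertion is a cheap way to confirm that clients importing the metadata will learn that an SSL stream upgrade is required rather than silently falling back to an unsecured TCP stack.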