How to create this WsHttpBinding in Net6 with equivalent security level?
I currently have this WsHttpBinding in .NET Framework 4.8 and I am looking for some viable equivalent option in .NET 6:
    <binding name="name" openTimeout="00:1:00" closeTimeout="00:1:00" receiveTimeout="02:00:00"
             sendTimeout="02:00:00" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647"
             messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="false" allowCookies="false">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647"
                    maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
        <message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default"
                 establishSecurityContext="true" />
      </security>
    </binding>
Tried unsuccessfully using a custom binding with TextMessageEncodingBindingElement and HttpsTransportBindingElement:
    using System;
    using System.Net;
    using System.ServiceModel.Channels;
    using System.Xml;

    CustomBinding customBinding = new CustomBinding();

    // Text (SOAP/XML) encoding with all reader quotas raised to their maximum,
    // matching the readerQuotas element of the original config.
    TextMessageEncodingBindingElement textBindingElement = new TextMessageEncodingBindingElement();
    textBindingElement.ReaderQuotas = XmlDictionaryReaderQuotas.Max;
    customBinding.Elements.Add(textBindingElement);

    // HTTPS transport with Windows (Negotiate) authentication on the HTTP layer.
    HttpsTransportBindingElement httpsBindingElement = new HttpsTransportBindingElement
    {
        MaxBufferPoolSize = int.MaxValue,
        AllowCookies = false,
        MaxBufferSize = int.MaxValue,
        MaxReceivedMessageSize = int.MaxValue,
        UseDefaultWebProxy = false,
        ProxyAuthenticationScheme = AuthenticationSchemes.Negotiate,
        AuthenticationScheme = AuthenticationSchemes.Negotiate
    };

    customBinding.Name = "httpsCustomBinding";
    customBinding.OpenTimeout = new TimeSpan(0, 1, 0);
    customBinding.CloseTimeout = new TimeSpan(0, 1, 0);
    customBinding.ReceiveTimeout = new TimeSpan(2, 0, 0);
    customBinding.SendTimeout = new TimeSpan(2, 0, 0);

    // The transport element must be the last element in the stack.
    customBinding.Elements.Add(httpsBindingElement);

    Binding binding = customBinding;
@mconnew Any suggestions on an equivalent workaround to make this to work in .Net6 without degrading message or transport level security? Any help is greatly appreciated. Thank you!
@EnidaK thanks for raising this!
We will look into this in upcoming releases.
I took a closer look and we don't support everything that you are using. We don't yet have support for Windows authentication for TransportWithMessageCredential. You are double authenticating your request though. When talking about security, there are 3 legs to it.
- Message secrecy and integrity - can an observer see your request or modify it undetected
- Authentication - proving your identity (with optional additional claims)
- Authorization - determining whether the authenticated identity is permitted to make the call
Transport/Message security only deals with the first 2. With TransportWithMessageCredential, it's only Transport security that provides message secrecy and integrity, and it does this by using HTTPS. This encrypts the communication and TLS/SSL has a hash verification mechanism to detect tampering. This just leaves authentication. You are doing Windows authentication over HTTP headers as well as via SOAP Security headers. This is completely redundant and unnecessary. You could drop to Transport security and still have the same level of security overall as you currently have.
If you have to double authenticate, then hopefully we will add Windows authentication for TransportWithMessageCredential in the .NET 7 timeframe as we now have a cross platform way to do so.
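The binding the reply above suggests, written out as an added example (not code from the thread participants or from the WCF project): the same timeouts, quotas and text encoding as the original config, but `SecurityMode.Transport` with Windows credentials on the HTTP layer, so the request is authenticated once (via Negotiate over HTTPS) instead of at both the HTTP and the SOAP Security header level. It assumes the .NET 6 client-side `System.ServiceModel.Http` package; the `IOrderService` contract and the endpoint address are placeholders for the generated proxy and the real service URL.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Text;
using System.Xml;

// Hypothetical contract standing in for the generated service reference.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string Ping(string text);
}

public static class TransportWindowsBinding
{
    // .NET 6 counterpart of the posted WsHttpBinding. TransportWithMessageCredential
    // is replaced by Transport: HTTPS still supplies secrecy and integrity, and the
    // single authentication leg is Windows auth in the HTTP headers.
    public static WSHttpBinding Create()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport)
        {
            Name = "name",
            OpenTimeout = TimeSpan.FromMinutes(1),
            CloseTimeout = TimeSpan.FromMinutes(1),
            ReceiveTimeout = TimeSpan.FromHours(2),
            SendTimeout = TimeSpan.FromHours(2),
            MaxBufferPoolSize = int.MaxValue,
            MaxReceivedMessageSize = int.MaxValue,
            MessageEncoding = WSMessageEncoding.Text,
            TextEncoding = Encoding.UTF8,
            UseDefaultWebProxy = false,
            AllowCookies = false
        };

        // readerQuotas: all five limits at Int32.MaxValue, as in the original config.
        XmlDictionaryReaderQuotas.Max.CopyTo(binding.ReaderQuotas);

        // Windows (Negotiate) credentials at the transport level only. The SOAP-level
        // <message clientCredentialType="Windows"> is intentionally dropped; it was
        // the redundant second authentication of the same caller.
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return binding;
    }

    public static IOrderService CreateChannel(string httpsAddress)
    {
        // Transport security only exists over HTTPS. WSHttpBinding rejects an http://
        // address when the channel is built, but checking here gives a clearer error.
        if (!httpsAddress.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException("Transport security requires an https:// endpoint.", nameof(httpsAddress));
        }

        var factory = new ChannelFactory<IOrderService>(Create(), new EndpointAddress(httpsAddress));

        // With no explicit credential the process identity is used for Negotiate.
        // Off Windows that requires a Kerberos ticket for the current user; otherwise
        // assign factory.Credentials.Windows.ClientCredential explicitly.
        return factory.CreateChannel();
    }

    public static void Main()
    {
        // Placeholder address; replace with the real service endpoint.
        IOrderService client = CreateChannel("https://service.example.invalid/OrderService.svc");
        Console.WriteLine(client.Ping("hello"));
        ((IClientChannel)client).Close();
    }
}
```

The security-relevant difference from the original config is confined to `Create()`: the TLS session carries the secrecy and integrity guarantees exactly as before, and Windows authentication still happens, just once. `reliableSession` is omitted because the original had it disabled.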