What are the security implications of establishSecurityContext="False" and negotiateServiceCredential="False"

Question

We've set establishSecurityContext="False" and negotiateServiceCredential="False" on a wsHttpBinding. In a setup where every single web service call involves connecting and disconnecting, this reduces the number of requests per web service call from 5 to 1, providing a significant performance improvement.

The client has been configured to know the server identity via the identity node:

<endpoint address="..." behaviorConfiguration="..." binding="wsHttpBinding" bindingConfiguration="..." contract="..." name="...">
  <identity>
    <certificate encodedValue="..." />
  </identity>
</endpoint>

What are the security implications of these settings? Do they reduce security in any way?

Answer 1

NegotiateServiceCredential, true if service credential is obtained through a process of negotiation; otherwise, false. The default is true.
https://learn.microsoft.com/en-us/dotnet/api/system.servicemodel.messagesecurityoverhttp.negotiateservicecredential?redirectedfrom=MSDN&view=netframework-4.7.2#System_ServiceModel_MessageSecurityOverHttp_NegotiateServiceCredential
EstablishSecurityContext. True: If a secure conversation is established using SecurityContextToken. otherwise, false, the default is false.
https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-2.0/aa715023(v=msdn.10)

Answer 2

The scenario described doesn't actually change the security of a connection established between the client and the server. It merely changes how the security is specified and how the credential is specified.

establishSecurityContext is a higher-level mechanism that facilitates specifying a security context using a token, rather than specifying the lower-level details directly.

negotiateServiceCredential specifies whether the credential to be used may be negotiated as opposed to specified explicitly.

The overall framework documentation for this is here.

In a setting where a client makes and disposes connections for every call and where it is known that client and server can meet the specified requirements (i.e., there is no need for negotiation), the settings described by the OP are a reasonable way to reduce the overhead to establish a connection without changing the security policies that actually get applied to the connections.