If the client and server are in the same Windows domain, then yes (using Windows security) no. If you want to avoid using certificates, you must create your own solution, but as soon as you fully understand how encryption and signing are provided and what is conveyed in the certificates, you will find that you are trying to invent a wheel.