Re: web service security w/ mixed mode auth - seeking advice

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 11/28/05


Date: Mon, 28 Nov 2005 09:33:20 -0800

Hello MR,

Have a look at WSE3 - Microsoft's implementation of WS-Security - or use SSL.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hello,
>
> I'm using the .NET 2.0 platform to create a distributed application
> with a Winforms client application connecting to a web service layer.
> I would like the client to be able to pass username/password auth
> credentials to the web service, which could then be validated against
> a local database OR, optionally, against Windows Active Directory. A
> flag within the user database would determine whether a particular
> user is authed against the DB or AD.
>
> It seems trivial to implement either forms authentication or Windows
> authentication, but not so trivial when you want to allow either to
> work. It seems to me that the only solution is to accept the
> username/password credentials from the user, encrypt them on the
> client, send them to the web service layer, decrypt, then apply them.
>
> The challenge then becomes one of managing the encryption on the
> client/server, and where to store the common encryption key
> information. Dropping this data into a common assembly seems
> dangerous, and I'm struggling to find a better solution.
>
> Am I overlooking a better overall approach?
>
> - MR
>
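
The per-user flag design from the question, with the credentials arriving over SSL as the reply suggests instead of through custom client-side encryption and a shared key, sketched as an added example that is not part of the original thread. `IUserStore`, `UserRecord` and `MixedModeAuthenticator` are hypothetical names, and the code assumes .NET Framework 4.7.2 or later (for `PrincipalContext` and the SHA-256 `Rfc2898DeriveBytes` constructor) rather than the .NET 2.0 mentioned in the question.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Cryptography;

public enum AuthSource { Database, ActiveDirectory }

// Hypothetical row from the user database; Source is the per-user flag.
public sealed class UserRecord
{
    public AuthSource Source;
    public byte[] Salt;          // Database users only, assumed to be at least 8 random bytes
    public byte[] PasswordHash;  // PBKDF2 output, Database users only
}

public interface IUserStore { UserRecord Find(string userName); } // hypothetical lookup

public sealed class MixedModeAuthenticator
{
    private const int Iterations = 100000; // assumed work factor
    private readonly IUserStore _store;
    private readonly string _domain;

    public MixedModeAuthenticator(IUserStore store, string domain) { _store = store; _domain = domain; }

    // Call only from a web method that is reachable over HTTPS; no key is shared with the client.
    public bool Validate(string userName, string password)
    {
        // Reject empty values: a directory bind with no password can succeed without authenticating the user.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return false;

        UserRecord user = _store.Find(userName);
        if (user == null) return false;

        if (user.Source == AuthSource.ActiveDirectory)
            using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, _domain))
                return ctx.ValidateCredentials(userName, password);

        // Database users: the server stores a salted PBKDF2 hash, never the password itself.
        if (user.Salt == null || user.PasswordHash == null || user.PasswordHash.Length == 0) return false;
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, user.Salt, Iterations, HashAlgorithmName.SHA256))
            return FixedTimeEquals(kdf.GetBytes(user.PasswordHash.Length), user.PasswordHash);
    }

    // Compare without exiting early, so timing does not reveal how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```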


