Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle



> SSL, thus message level security adds unnecessary overhead. Is there
> a good way to do mutual authentication at first connection to the web
> service so there is no significant overhead for message based security?

That's _exactly_ what SSL is doing.

for client certificate authentication, simply require SSL client certificates in IIS (directory security tab).

> Finally, if I do need a client certificate to do the mutual
> authentication; how do I generate a client certificate? Can I

You can use a public CA or Windows Certificate Services or makecert.exe



---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

Dominick said I don't need message level security since I am using
SSL, thus message level security adds unnecessary overhead. Is there
a good way to do mutual authentication at first connection to the web
service so there is no significant overhead for message based security?
Is there any "how to" or examples on how to implement mutual
authentication, ideally, without requiring message based security?
Finally, if I do need a client certificate to do the mutual
authentication; how do I generate a client certificate? Can I
generate a client certificate from a server SSL certificate (which my
server has) OR do I need another type of certificate on my server.

I know there are several questions here, but please answer each one.

"Steven Cheng[MSFT]" wrote:

Hello John,

If you use WSE message layer security, the "mutualCertificate10" and
"mutualCertificate11" will both support mutual authentication against
both server and client.

As for transport layer security through SSL/HTTPS, as I mentioned in
the last reply, you can add code logic in your webservice client and
hook the Server Certificate validation process to determine whether
the https/SSL server is a valid and expected server.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no
rights.
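An added example, not from anyone in this thread, showing both halves of transport-level mutual authentication as Dominick and Steven describe it: the client attaches its own certificate for IIS to check, and hooks the server certificate validation so only the expected HTTPS server is accepted. The proxy type, thumbprint values and URL are placeholders; `ServerCertificateValidationCallback` is process-wide, so it applies to every HTTPS connection the client makes.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Web.Services.Protocols; // base class of ASMX and WSE 3.0 generated proxies

public static class SecureClientSetup
{
    // SHA-1 thumbprint of the server certificate the client expects (as shown in the
    // certificates MMC snap-in). Placeholder value constructed for this example; it must be
    // updated whenever the server certificate is renewed.
    private const string ExpectedServerThumbprint = "0000000000000000000000000000000000000000";

    // Server-side check: accept only a certificate that chains to a trusted CA with no
    // policy errors (name mismatch, expiry, untrusted root) AND matches the pinned thumbprint.
    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                                 X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null || sslPolicyErrors != SslPolicyErrors.None)
            return false; // reject rather than fall back to an unauthenticated connection
        X509Certificate2 cert = new X509Certificate2(certificate);
        return string.Equals(cert.Thumbprint, ExpectedServerThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Client-side half: load the client certificate (with its private key) from the
    // current user's personal store by thumbprint, rejecting expired or untrusted ones.
    public static X509Certificate2 LoadClientCertificate(string clientThumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, clientThumbprint, true);
            if (found.Count == 0)
                throw new InvalidOperationException("Client certificate not found in store.");
            return found[0];
        }
        finally { store.Close(); }
    }

    // Wire both checks onto a generated proxy (ASMX or WSE 3.0, hypothetical instance).
    public static void Configure(SoapHttpClientProtocol proxy, string clientThumbprint)
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
        proxy.Url = "https://example.invalid/Service.asmx"; // placeholder endpoint
        proxy.ClientCertificates.Add(LoadClientCertificate(clientThumbprint));
    }
}
```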

