Re: Securing Webservice



Hi Joe,
A supplementary question if I may.
My approach to secure the web service is to
First secure the transmission from the client using https.
Once I get this working I am going to have the website require client
certificates.
The assumption being that I can somehow generate certificates that can be
installed on the clients.
(Process as yet unknown to me.)
I believe that doing this will restrict the publication of the wsdl doc and
access to the web service to only my installed clients.

Am I on the right track?
regards
Bob

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eRxOlJjHHHA.420@xxxxxxxxxxxxxxxxxxxxxxx
Perhaps the issue isn't with a certificate trust issue, but with some other
cert problem such as a cert name/URL host mismatch or a cert expiration.
What exactly does the cert warning dialog say?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Bob" <bob@xxxxxxxxxxx> wrote in message
news:OA7Fd3iHHHA.4112@xxxxxxxxxxxxxxxxxxxxxxx
Hi Joe,
Thanks for your reply.

The problem appears to be that I am not installing the certificate on the
client successfully.
When the browser brings up the Certificate question dialog box I go down the
view certificate -> install certificate path. This seems to proceed correctly.
I have tried letting the wizard choose where to put the certificate as well
as taking the manual path and selecting Trusted Root Certificate Store. In
both cases I am told the import is successful.

However a new browser window gets the certificate question and away we go
again.

The goal is to deploy a thick client on a couple of external machines.

My test Http deployment went OK, but now I have clamped down to Https the
newly installed test app errors trying to connect.

I am assuming that the inability of the browser to repeatedly use the
certificate is related but this may not be correct as the app has been told
to trust any certificate. Still, it is a starting point to trying to figure
out what is wrong.

Thanks
Bob

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uooZrOaHHHA.420@xxxxxxxxxxxxxxxxxxxxxxx
The issue here is that your browser doesn't trust the certificate. IE isn't
installing a certificate when it gives you a warning, it is just telling you
it doesn't trust the certificate. In order to get the client to trust it,
you need to put the root certificate in the client's root certificate store.

Note that you'll need to do that for every client that will access the
server. If that is a lot of clients, you might want to consider a
certificate from a public CA. If they are all members of your domain, then
you can deploy an enterprise CA to get that root automatically installed on
each domain member.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Bob" <bob@xxxxxxxxxxx> wrote in message
news:O$qmzYYHHHA.1240@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I am new to web admin and security.
Made a certificate server out of the development Win2k server and created a
root certificate.
The same machine is also the web server for now.
Updated the Web site directory properties to require SSL.
When I query the site from a browser on the LAN it brings up the certificate
question and the certificate install appears to go OK. The WSDL doc for my
service then appears.
However if I start a new browser window it asks the certificate question
again.

Any clues as to where I am going wrong?
thanks
Bob
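
The thread names three reasons a client can keep rejecting the server certificate: an untrusted root, a cert name/URL host mismatch, and expiration. The PowerShell below is an added example, not code from any poster in this thread; it reports which of the three the Windows client actually sees. The function name and the host name in the last line are hypothetical placeholders.

```powershell
# Added example: report why this Windows client rejects an HTTPS server certificate.
# Test-ServerCertificate and the host name in the last line are hypothetical.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443
    )
    $seen = @{ Errors = $null; Chain = @() }
    # Diagnostic only: let the handshake finish so the certificate can be read,
    # and record what Windows validation reported. No request data is sent.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] ({
        param($s, $certificate, $chain, $sslPolicyErrors)
        $seen.Errors = $sslPolicyErrors
        $seen.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The name passed here is the one the certificate must match.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    $flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $now   = Get-Date
    [pscustomobject]@{
        Subject   = $cert.Subject
        Issuer    = $cert.Issuer
        NotBefore = $cert.NotBefore
        NotAfter  = $cert.NotAfter
        # Host name used in the URL is not a name the certificate was issued for.
        NameMismatch = [bool]($seen.Errors -band
            [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
        # Leaf certificate is outside its validity period.
        Expired = ($now -gt $cert.NotAfter) -or ($now -lt $cert.NotBefore)
        # Issuing root is missing from this client's trusted root store.
        UntrustedIssuer = ($seen.Chain -contains $flags::UntrustedRoot) -or
                          ($seen.Chain -contains $flags::PartialChain)
        ChainStatus = $seen.Chain -join ', '
    }
}

# Replace the placeholder with the host name exactly as it appears in the service URL.
Test-ServerCertificate -HostName 'webserver.example.test'
```

Run it with the same host name the client uses in the URL; if `UntrustedIssuer` is still true after importing the root, the import did not land in the store this client consults.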









