Re: Web Service Security

It is realistic to do this. However, you need to make sure you are
installing the client certificate properly. You can't just install a
certificate, you must install the certificate with a private key (usually
packaged as a pfx or p12 file in Windows). Have you done this?

It is probably easier to test this using a browser and navigating to the
asmx resource (use the ?wsdl to pull up the wsdl).

You also should be able to apply the "requires client cert" setting at the
directory level and have that apply to all resources in the directory. It
should not be necessary to apply it to individual resources.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Bob" <bob@xxxxxxxxxxx> wrote in message
news:erd3Jg3OHHA.1276@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I have read the other posts here on this subject but I am still unsure of
the best way to approach my situation.
I am new to web security and web programming in general.
I have a web service and a thick client and a Standalone Root certificate
server.
The thick client will be installed on our client's machine and access the
web service (https) over the internet.
The scenario I want is to turn up at the clients site, install the thick
client. and install a certificate generated by the Certificate server.
I want to end up where the web service will not accept access unless the
client certificate is supplied.
i.e. Won't supply WSDL, nothing, immediate 403 access forbidden

I think I am fairly well along the path but I have a problem.
At site level I can set directory security to 'require client certificate'
but if I set the asmx file level security to 'require client certificate'
I
get 403 access forbidden. Maybe I don't know how to push the certificate
with the original request?
If I relax the asmx to 'accept client certificate' I get access but so
does
any test pc with out a certificate.
Is my scenario realistic?
Why doesn't just setting the site directory security to 'client
certificate required' do the job?

Thanks
Bob




.

Relevant Pages

  • Re: Using Microsoft Certificate Server Programatically
    ... Client contacts server (web service) with encrypted registration ... The server issues the certificate (not sure how the web service ...
    (microsoft.public.platformsdk.security)
  • Re: Quick Start certificate
    ... I have enabled diagnostics on the client and the web service. ... Did you give your web server identity permission to ... read the certificate on the server? ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: WSE and X509 trouble
    ... -- A client can be any client of the web service - but you've got the right ... app, or even another web service. ... policy files and b) a client can also use a policy file. ... > now wizard tell me to choose the certificate to use for client ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: WSE 2.0 Policy security settings with multiple X.509 certifica
    ... Certificate Store Location is set to LocalMachine (for the Web Service ... "Trusted Client Certificates" is made from "Local Machine - Other People" ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: Web Service Security
    ... installing the client certificate properly. ... you must install the certificate with a private key (usually ... asmx resource (use the ?wsdl to pull up the wsdl). ... You also should be able to apply the "requires client cert" setting at the ...
    (microsoft.public.dotnet.framework.aspnet.security)