Re: Web Service Security
- From: "Bob" <bob@xxxxxxxxxxx>
- Date: Tue, 23 Jan 2007 07:22:12 +1300
Hi Joe,
Thank you for your reply.
I am running IIS on my Win2k Server development machine.
This machine is also the Standalone Root C.A.
The asmx file security is now set to 'ignore client certificates.'
The directory security is set to 'Requires client certificate'.
Viewing the certificate using the View Certificate button under directory
security shows "you have a private key for this certificate".
A browser on this machine is able to see the WSDL doc.
On the same LAN is an XP machine.
A browser on that machine gets a security alert that the "Security
certificate was issued by a company that you have not chosen to trust..." Do
you wish to proceed?
At which point you can click yes and display the WSDL doc.
It is this behaviour that I want to stop. Seeing I haven't installed a
client certificate on this machine I don't want it to see the WSDL doc.
I would expect "access forbidden" to occur.
It seems that I must be doing something wrong in the IIS configuration but I
can't see what.
Thanks
Bob
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eMq7Nb9OHHA.140@xxxxxxxxxxxxxxxxxxxxxxx
It is realistic to do this. However, you need to make sure you are
installing the client certificate properly. You can't just install a
certificate, you must install the certificate with a private key (usually
packaged as a pfx or p12 file in Windows). Have you done this?
It is probably easier to test this using a browser and navigating to the
asmx resource (use the ?wsdl to pull up the wsdl).
You also should be able to apply the "requires client cert" setting at the
directory level and have that apply to all resources in the directory. It
should not be necessary to apply it to individual resources.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Bob" <bob@xxxxxxxxxxx> wrote in message
news:erd3Jg3OHHA.1276@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I have read the other posts here on this subject but I am still unsure
of the best way to approach my situation.
I am new to web security and web programming in general.
I have a web service and a thick client and a Standalone Root
certificate server.
The thick client will be installed on our client's machine and access
the web service (https) over the internet.
The scenario I want is to turn up at the client's site, install the thick
client, and install a certificate generated by the Certificate server.
I want to end up where the web service will not accept access unless the
client certificate is supplied.
i.e. Won't supply WSDL, nothing, immediate 403 access forbidden
I think I am fairly well along the path but I have a problem.
At site level I can set directory security to 'require client
certificate' but if I set the asmx file level security to 'require client
certificate' I
get 403 access forbidden. Maybe I don't know how to push the certificate
with the original request?
If I relax the asmx to 'accept client certificate' I get access but so
does
any test pc without a certificate.
Is my scenario realistic?
Why doesn't just setting the site directory security to 'client
certificate required' do the job?
Thanks
Bob
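
An added example, not part of the original thread: a small C# console check that requests the ?wsdl URL once without and once with a client certificate loaded from a pfx file, to confirm from a test machine that the directory setting is enforced. The URL, pfx path and password are placeholders, and it assumes the server certificate's issuing root is trusted on the machine running it.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

class ClientCertCheck
{
    // Returns the HTTP status code, or 0 when no HTTP response came back
    // (for example, the TLS handshake failed or the server cert is untrusted).
    static int Probe(string url, X509Certificate2 clientCert)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        if (clientCert != null)
            request.ClientCertificates.Add(clientCert); // offered during the TLS handshake
        try
        {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
                return (int)response.StatusCode;
        }
        catch (WebException ex)
        {
            HttpWebResponse error = ex.Response as HttpWebResponse;
            if (error == null)
            {
                Console.WriteLine("  no HTTP response: " + ex.Status);
                return 0;
            }
            int code = (int)error.StatusCode;
            error.Close();
            return code;
        }
    }

    static int Main()
    {
        // Placeholders (assumptions): substitute your own endpoint and pfx file.
        string url = "https://server.example/service/Service1.asmx?wsdl";
        X509Certificate2 cert = new X509Certificate2("client.pfx", "pfx-password");
        if (!cert.HasPrivateKey)
        {
            Console.WriteLine("Certificate has no private key; it cannot be used for client auth.");
            return 2;
        }
        int anonymous = Probe(url, null);     // expected: 403 when a client cert is required
        int authenticated = Probe(url, cert); // expected: 200
        Console.WriteLine("Without client certificate: " + anonymous);
        Console.WriteLine("With client certificate:    " + authenticated);
        bool enforced = anonymous != 200 && authenticated == 200;
        Console.WriteLine(enforced ? "Enforced." : "NOT enforced as intended.");
        return enforced ? 0 : 1;
    }
}
```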