Re: Web Service Security



Hi Joe,
Just realised my terminology is wrong. When I say the WSDL doc is displayed
I am meaning that the ASMX file is accessed and it is displaying its list of
methods.
regards
Bob

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eMq7Nb9OHHA.140@xxxxxxxxxxxxxxxxxxxxxxx
It is realistic to do this. However, you need to make sure you are
installing the client certificate properly. You can't just install a
certificate, you must install the certificate with a private key (usually
packaged as a pfx or p12 file in Windows). Have you done this?

It is probably easier to test this using a browser and navigating to the
asmx resource (use the ?wsdl to pull up the wsdl).

You also should be able to apply the "requires client cert" setting at the
directory level and have that apply to all resources in the directory. It
should not be necessary to apply it to individual resources.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Bob" <bob@xxxxxxxxxxx> wrote in message
news:erd3Jg3OHHA.1276@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I have read the other posts here on this subject but I am still unsure of the best way to approach my situation.
I am new to web security and web programming in general.
I have a web service and a thick client and a Standalone Root certificate server.
The thick client will be installed on our client's machine and access the web service (https) over the internet.
The scenario I want is to turn up at the client's site, install the thick client, and install a certificate generated by the Certificate server.
I want to end up where the web service will not accept access unless the client certificate is supplied.
i.e. Won't supply WSDL, nothing, immediate 403 access forbidden.

I think I am fairly well along the path but I have a problem.
At site level I can set directory security to 'require client certificate' but if I set the asmx file level security to 'require client certificate' I get 403 access forbidden. Maybe I don't know how to push the certificate with the original request?
If I relax the asmx to 'accept client certificate' I get access but so does any test PC without a certificate.
Is my scenario realistic?
Why doesn't just setting the site directory security to 'client certificate required' do the job?

Thanks
Bob
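
The two points raised in this thread (the client certificate must be installed with its private key, and it must be sent with the request), as an added C# example that is not part of the original posts. The URL, the thumbprint placeholder, the class and method names, and the choice of the CurrentUser\My store are assumptions for illustration.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck
{
    // Assumed values: replace with the real service URL and certificate thumbprint.
    const string ServiceUrl = "https://service.example.com/Service.asmx?wsdl";
    const string Thumbprint = "<CLIENT-CERT-THUMBPRINT>";

    // Looks the certificate up in the current user's personal store and
    // refuses to continue if only the public part (.cer) was installed.
    static X509Certificate2 FindClientCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false: still find the certificate if its chain is not trusted locally.
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate not found in CurrentUser\\My.");
            if (!matches[0].HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate has no private key; import the .pfx/.p12, not the .cer.");
            return matches[0];
        }
        finally { store.Close(); }
    }

    static int Main()
    {
        var request = (HttpWebRequest)WebRequest.Create(ServiceUrl);
        // Without this line no client certificate is offered during the TLS handshake.
        // A generated ASMX proxy exposes the same ClientCertificates collection.
        request.ClientCertificates.Add(FindClientCertificate(Thumbprint));
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
                Console.WriteLine("Server answered {0}", (int)response.StatusCode);
            return 0;
        }
        catch (WebException ex)
        {
            var http = ex.Response as HttpWebResponse;   // null when the failure is below HTTP
            Console.WriteLine(http != null ? "Server answered " + (int)http.StatusCode
                                           : "Request failed: " + ex.Status);
            return 1;
        }
    }
}
```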





