Re: IIS "secure communications"and "certificate" sections disabled
From: GoCMS (GoCMS_at_discussions.microsoft.com)
Date: 03/25/05
- Next message: myriam: "par-feu"
- Previous message: Todd Bright: "RE: Storing Client Certificates"
- In reply to: Nicole Calinoiu: "Re: IIS "secure communications"and "certificate" sections disabled."
- Next in thread: Nicole Calinoiu: "Re: IIS "secure communications"and "certificate" sections disabled"
- Reply: Nicole Calinoiu: "Re: IIS "secure communications"and "certificate" sections disabled"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Mar 2005 09:17:01 -0800
Hi, Nicole:
Thanks a lot for your reply. My web service is going to be used only on the
intranet, so this is a lot easier to handle. It's just that the caller will be
Java on Unix. About the WSE 2.0 approach, it requires my caller to install a
Java plugin, and that makes it harder. I am thinking of the certificate
method. How do I generate and install a free client certificate?
Thanks!
"Nicole Calinoiu" wrote:
> "GoCMS" <GoCMS@discussions.microsoft.com> wrote in message
> news:9DDDB619-71FB-4793-A582-8EF48217255B@microsoft.com...
> > Thanks! I got it. (Though the link for the list of authorities to issue
> > certificates doesn't really work for the last step.)
> >
> > Anyway, about the web service authentication, here are the 3 ways I can
> > think of:
> > 1. Use IIS IP restriction. Only allow certain IPs to access the service.
>
> There are a few problems with this one:
>
> a. The message won't be encrypted, so any sensitive data will potentially
> be exposed to eavesdroppers.
> b. IP addresses can be spoofed.
> c. Clients with dynamic IP addresses won't be able to connect (unless you
> remap to their new addresses, which adds a potential attack point).
>
>
> > 2. Use Certificate. This involves a fee to get the certificate for server
> > and client.
>
> Not necessarily. For the server, a commercial certificate would probably be
> a good idea, but you could use a self-issued certificate if you're dead set
> against paying for one. Of course, convincing your client to trust your
> self-issued certificate would be a whole other story...
>
> It isn't necessary to use client certificates for authentication just
> because you're using a server certificate for other purposes (e.g.: SSL).
> If you do want to use client certificates for authentication, you could
> issue them yourself. After all, you're the only one who needs to trust
> them.
>
> As a bit of a side note, regardless of what other mechanisms you may select
> for encryption and/or authentication, applying a server certificate and
> enforcing the use of HTTPS when calling your web service over the internet
> would be a good way to enhance the security of the system reasonably cheaply
> (both in terms of time and money).
>
>
> > 3. Use WSE2.0, web service enhancement toolkit. This can only be used when
> > server and client are both using .net framework 1.1, both have to install
> > the toolkit.
>
> Not true. WSE renders web service messages that are supposed to be
> compliant with the WS-* standards. Depending on the tools available to your
> clients, they may find supporting these standards to be somewhat more or
> less difficult than it is via WSE. You should probably discuss this with
> them.
>
>
> > Am I understanding it right? What're the pros and cons of the approaches?
> > And... are there any other ways?
>
> Yes. There are quite a few possible combinations of authentication and
> encryption schemes. Your best bet may be to take a look at
> http://msdn.microsoft.com/webservices/building/interop/ in order to target
> your research at the scenario you need to support.
>
>
>
> > I am now writing my service in .net, and my intended client is using java
> > on unix.
> >
> > Thanks a lot!
> >
> >
> > "GoCMS" wrote:
> >
> >> Hi, there:
> >> This might be a newbie question. I want my web service to require a
> >> certificate to access, so I go to IIS, my virtual directory properties and
> >> the Directory Security page. I found the "secure communication" section,
> >> including the "Server certificate" button, are both greyed out. I wonder
> >> why that is. I'm an admin user of the computer. Did I miss some OS
> >> component or something?
> >>
> >>
>
>
>
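The self-issued client certificate option discussed in this thread, as an added example that is not part of the original posts: an OpenSSL shell sketch that creates a private CA, issues a client certificate restricted to TLS client authentication, and bundles it as PKCS#12 for a Java caller. The CA name, file names and the P12_PASS variable are assumptions made up for the example.

```shell
#!/bin/sh
# Added example: private CA + client certificate for an intranet web service.
# Constructed names: "Intranet Test CA", the file names, the P12_PASS variable.
set -eu

# issue_client_cert DIR CLIENT_CN   (PKCS#12 password is read from $P12_PASS)
issue_client_cert() (
  umask 077                      # keys and the .p12 are created owner-only
  mkdir -p "$1" && cd "$1"
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'prompt=no' 'distinguished_name=dn' \
    'x509_extensions=v3_ca' '[dn]' 'CN=Intranet Test CA' '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > ca.cnf
  # 1. Self-issued root: the only certificate the server side has to trust.
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
    -days 365 -keyout ca.key -out ca.crt
  # 2. Client key pair and signing request.
  openssl req -new -config ca.cnf -subj "/CN=$2" -newkey rsa:2048 -nodes \
    -keyout client.key -out client.csr
  # 3. Sign as an end-entity cert usable only for TLS client authentication.
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature' \
    'extendedKeyUsage=clientAuth' > client.ext
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 90 -extfile client.ext -out client.crt
  # 4. Bundle key + chain as PKCS#12, which Java can load as a keystore.
  openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
    -name "$2" -passout env:P12_PASS -out client.p12
)

# check_client_cert CA_CERT CLIENT_CERT: chain and clientAuth purpose must hold.
check_client_cert() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Only ca.crt goes to the server's trusted roots and only client.p12 goes to the caller; ca.key stays with whoever issues certificates.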