Security, WebServices
ewellnitz_at_solarc.com
Date: 09/29/05
Date: 29 Sep 2005 08:39:32 -0700
Thank you in advance to any help that anyone can provide for the
following questions.
We are implementing authentication and authorization in an n-tier
environment, and I'm having two issues:
1. Authenticating a user outside the domain using <authentication
mode="Windows"/>
2. Marshalling credentials across multiple web service hops with
impersonation turned off.
Here are a few current facts about our application:
1. Using .NET Framework 2.0
2. Messaging between tiers is accomplished using ASP.NET 2.0 Web
Services.
3. Clients connecting to the web services may or may not be outside the
domain.
4. Using Windows authentication (<authentication mode="Windows"/>)
5. Using Authorization Manager (azman) for Authorization
6. Impersonation turned off on web services b/c they need access to
resources (eventlogs, files, etc).
First question:
We have an application user that is a member of the domain. When the
user logs in to the application, we create a NetworkCredentials
(username/pwd/domain) and set the credentials on the service proxy.
This works great when connecting within the domain, however when
attempting to connect from outside the domain we are receiving a 401 -
Access denied. After some research, I believe we need to use basic
authentication as opposed to NTLM when outside the domain. However,
when using basic authentication, will the framework still authenticate
the user credentials against the domain user? (i.e. can I use Windows
authentication + basic authentication w/o having to manually
authenticate the user?)
Second question:
Since clients may be outside the domain, we cannot assume that the
client has access to resources required by azman. Therefore, we
created a security web service that wraps azman with a few methods such
as CheckOperations(string[]). We would like to consume this service on
the client and the middle tier (other web services). In addition, some
of the business logic assemblies that consume the web service are
shared b/t the client and middle tier. Invoking the service on the
client seems to work fine, we just set the credentials on the security
service proxy and authorize against the HTTPContext.Current.User.
However, invoking the service from another middle tier service does not
work:
1. Client sets credentials on and invokes BusinessLogicService
(HTTPContext.Current.User are correct)
2. BusinessLogicService calls method in client/middle tier shared
assembly BusinessLogicAsm
3. BusinessLogicAsm invokes the CheckOperations method on the
SecurityService
4. Since impersonation is off (see above), the SecurityService's
HTTPContext.Current.User is not correct (it's the user
BusinessLogicService is running under).
Invoking WindowsIdentity.Impersonate() before the security service call
within BusinessLogicAsm will fix the issue in the middle tier, however
since the BusinessLogicAsm is a shared asm I don't also want to
impersonate on the client.
Also, if there is a better security solution to attack the above
topography, please let me know.
Thank you,
Eric Wellnitz
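One way to keep the shared BusinessLogicAsm free of unconditional impersonation is to have its gateway to the SecurityService decide at runtime whether it is hosted in ASP.NET (impersonate the authenticated caller only around the CheckOperations call, then Undo) or in the client process (use the credentials the client captured at login). This is an added example, not code from the post; SecurityServiceProxy, a bool[] return from CheckOperations, and the ClientCredentials property are assumptions, and it assumes, as the post reports, that the caller's token can be used for the next hop in this environment.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web;

// Constructed helper for the shared BusinessLogicAsm: the SecurityService
// should see the original caller whether this assembly runs on the client
// or inside BusinessLogicService (where impersonation is off).
public static class SecurityGateway
{
    // Set once by the client after login (assumed client-side store);
    // left null on the middle tier, where the caller identity comes from ASP.NET.
    public static ICredentials ClientCredentials { get; set; }

    public static bool CheckOperations(string[] operations)
    {
        if (HttpContext.Current != null)
        {
            // Middle tier: the thread runs as the process account, but
            // HttpContext.Current.User holds the authenticated Windows caller.
            WindowsIdentity caller = HttpContext.Current.User.Identity as WindowsIdentity;
            if (caller == null || !caller.IsAuthenticated)
                throw new UnauthorizedAccessException("No authenticated Windows caller.");

            // Impersonate only for the duration of the security call.
            WindowsImpersonationContext ctx = caller.Impersonate();
            try
            {
                return Invoke(operations, CredentialCache.DefaultCredentials);
            }
            finally
            {
                ctx.Undo(); // always revert, even if the service call throws
            }
        }

        // Client process: no impersonation; reuse the explicit login credentials.
        if (ClientCredentials == null)
            throw new InvalidOperationException("Client credentials not set.");
        return Invoke(operations, ClientCredentials);
    }

    private static bool Invoke(string[] operations, ICredentials credentials)
    {
        SecurityServiceProxy proxy = new SecurityServiceProxy(); // assumed generated proxy
        proxy.Credentials = credentials;
        bool[] results = proxy.CheckOperations(operations);      // assumed bool[] return
        foreach (bool allowed in results)
            if (!allowed) return false;
        return true;
    }
}
```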