Re: WebService Windows Authentication ASP.NET 2.0



Why not simply use an <authorization> element -

at least with

<deny users="?" />

and if it is granular enough to set the authorization on a file basis - use a location element for individual AuthZ settings for the .asmx files.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

It will be secure as long as you configure IIS to only allow
authenticated users (via Basic, Digest and/or IWA).

I'm not a big fan of using the PrincipalPermission as it generally
requires you to hard code stuff you should be putting in configuration
(user and group names). I like calling IsInRole directly so that you
can supply the values at runtime. PrincipalPermission just calls
IsInRole under the hood anyway. But, you can use it if you want.

Joe K.

"Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
news:egeJ75gSGHA.1728@xxxxxxxxxxxxxxxxxxxxxxx

Hi,

I have created a web service which I am calling from InfoPath, a
WinForms application and an ASP.NET Web Application.

I would now like to implement some security. The web service is only
being used inside a corporate network, so I can use Windows-based
security.

How secure is it if I use:

<authentication mode="Windows" />

in my web.config, and then put a PrincipalPermission on each method?

Is this the right way of doing it?

Thanks

Henrik.
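
The contrast discussed in this thread, a hard-coded PrincipalPermission next to a direct IsInRole call whose role name is read from configuration, shown as an added example that is not code from any of the posters. The service class, the appSettings key OrderReadersRole and the CONTOSO group name are assumptions made for illustration.

```csharp
// Assumed web.config entries (constructed for this example):
//   <authentication mode="Windows" />
//   <authorization><deny users="?" /></authorization>
//   <appSettings>
//     <add key="OrderReadersRole" value="CONTOSO\OrderReaders" />
//   </appSettings>
using System.Configuration;
using System.Security;
using System.Security.Permissions;
using System.Web.Services;

[WebService(Namespace = "http://example.test/orders")] // hypothetical namespace
public class OrderService : WebService                  // hypothetical service
{
    // Declarative check: the group name is compiled into the assembly,
    // so changing it means rebuilding and redeploying.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\OrderReaders")]
    public string GetOrderDeclarative(int id)
    {
        return LoadOrder(id);
    }

    // Imperative check: the group name comes from configuration at run time.
    [WebMethod]
    public string GetOrder(int id)
    {
        DemandConfiguredRole("OrderReadersRole");
        return LoadOrder(id);
    }

    // Fails closed: a missing setting or an anonymous caller is refused.
    private void DemandConfiguredRole(string settingKey)
    {
        string role = ConfigurationManager.AppSettings[settingKey];
        if (string.IsNullOrEmpty(role))
            throw new ConfigurationErrorsException("Missing appSetting: " + settingKey);
        if (User == null || !User.Identity.IsAuthenticated || !User.IsInRole(role))
            throw new SecurityException("Caller is not in the required role.");
    }

    private static string LoadOrder(int id)
    {
        return "order " + id; // placeholder for the real data access
    }
}
```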


