RE: Can I serialize cached credentials for later authentication on



The logon session only disappears when all tokens referencing it are closed,
so the "cached" token would still be valid.
On the other hand, this would generate a token leak (in other words, the
user wouldn't be totally logged off at this point, until the service closed
that token).

Note that the original request made no assumption with regards to the moment
when network connectivity was restored. A reboot may even have occurred
between the request and the "serialization" to the server.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Eric Perlin [MSFT]


"Jeffrey Tan[MSFT]" wrote:

Hi Bill,

Based on my understanding, your client application is communicating with a
Web Service on another machine. When the network is unavailable for the
client machine, your client application will send all the requests to a
Windows Service application on the same client machine so that this Windows
Service application can cache the requests and resend them to the Web
Service for authentication after the network is ok. If I have misunderstood
you, please feel free to tell me, thanks.

Normally, in this scenario, the recommended solution is letting the Windows
Service impersonate the client application account. By impersonating the
client application in the Windows Service thread, this impersonating thread
can send the request to the Web Service on behalf of the client application
with the same security context, so the integrated Windows authentication on
IIS will authenticate the Windows Service thread's request correctly. The
problem is that while the Windows Service thread is serving the request from
the client application the network is still unavailable; although this
thread can impersonate the client account, it still cannot communicate with
the remote Web Service. To resolve this issue, my thought is storing the
client request's security token in the Windows Service application for
caching. After the network is available, the Windows Service application
will detect this, retrieve the previously stored token and call
SetThreadToken to impersonate the client application. Now that the Windows
Service thread is acting as the client application account, it can
communicate with the Web Service on the remote machine and let IIS
authenticate the impersonated account.

Does this logic meet your need?

The problem with this approach is that the user who is using the client
machine may log off from the client machine before the network is
available, so the entire logon session may be destroyed. Since the token is
a structure that points to the logon session, I doubt whether the cached
token in the Windows Service is still valid. I will try to consult
internally to make this problem clear. I will get back to you ASAP. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
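The store-and-replay design discussed in this thread, as an added C# sketch that is not code from either poster. A Windows Service accepts requests from local clients over a named pipe, duplicates each caller's impersonation token so the service owns its own handle, queues request and handle together, and later impersonates that handle (SetThreadToken underneath WindowsIdentity.Impersonate) to replay the request against an IIS endpoint with integrated authentication. The pipe name "OfflineRequestQueue", the URL http://webserver/Service.asmx, the one-line-per-request framing and the ack byte are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.ComponentModel;
using System.IO;
using System.IO.Pipes;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

// Illustration only; pipe name, URL and framing below are assumptions, not part of the thread.
static class NativeMethods
{
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess,
        IntPtr lpTokenAttributes, int impersonationLevel, int tokenType, out IntPtr phNewToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    // Least privilege on the duplicate: enough to impersonate and query, nothing more.
    public const uint TOKEN_QUERY = 0x0008, TOKEN_IMPERSONATE = 0x0004, TOKEN_DUPLICATE = 0x0002;
    public const int SecurityImpersonation = 2; // SECURITY_IMPERSONATION_LEVEL value
    public const int TokenImpersonation = 2;    // TOKEN_TYPE value
}

sealed class PendingRequest
{
    public string Body;  // the client's request, as received over the pipe
    public IntPtr Token; // service-owned impersonation token for the caller
}

static class ReplayQueue
{
    const string ServiceUrl = "http://webserver/Service.asmx"; // assumed endpoint
    static readonly ConcurrentQueue<PendingRequest> Pending = new ConcurrentQueue<PendingRequest>();

    // Listener thread: clients on the same machine connect and hand over one request each.
    public static void Listen()
    {
        while (true)
        {
            using (var pipe = new NamedPipeServerStream("OfflineRequestQueue", PipeDirection.InOut))
            {
                pipe.WaitForConnection();
                AcceptOne(pipe);
            }
        }
    }

    static void AcceptOne(NamedPipeServerStream pipe)
    {
        // The server must have read from the pipe before it can impersonate the client.
        string body = new StreamReader(pipe, Encoding.UTF8).ReadLine();

        // RunAsClient wraps ImpersonateNamedPipeClient / RevertToSelf around the callback.
        // The thread token inside it dies with the callback, so take a duplicate the service owns.
        pipe.RunAsClient(delegate
        {
            WindowsIdentity caller = WindowsIdentity.GetCurrent();
            IntPtr copy;
            if (!NativeMethods.DuplicateTokenEx(caller.Token,
                    NativeMethods.TOKEN_QUERY | NativeMethods.TOKEN_IMPERSONATE | NativeMethods.TOKEN_DUPLICATE,
                    IntPtr.Zero, NativeMethods.SecurityImpersonation, NativeMethods.TokenImpersonation,
                    out copy))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            Pending.Enqueue(new PendingRequest { Body = body, Token = copy });
        });

        pipe.WriteByte((byte)'1'); // acknowledge, so the client may disconnect
    }

    // Once connectivity returns: drain the queue, sending each request as its original caller.
    public static int Replay()
    {
        int sent = 0;
        PendingRequest item;
        while (Pending.TryDequeue(out item))
        {
            try
            {
                // Impersonate() calls SetThreadToken; disposing the context reverts to the service account.
                using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(item.Token))
                {
                    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(ServiceUrl);
                    req.Method = "POST";
                    req.ContentType = "text/xml; charset=utf-8";
                    // Integrated Windows authentication on IIS now sees the client's account.
                    req.Credentials = CredentialCache.DefaultCredentials;
                    byte[] bytes = Encoding.UTF8.GetBytes(item.Body);
                    using (Stream s = req.GetRequestStream()) s.Write(bytes, 0, bytes.Length);
                    using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                        if (resp.StatusCode == HttpStatusCode.OK) sent++;
                }
            }
            finally
            {
                // Each queued handle keeps the caller's logon session alive (the token leak
                // described above); closing it is what lets a logged-off user's session go away.
                NativeMethods.CloseHandle(item.Token);
            }
        }
        return sent;
    }
}
```

Three caveats a practitioner would check before relying on this: the duplicated handle exists only in the service process, so it cannot be written to disk and a service restart or a reboot (the case raised above) empties the queue, leaving only the request bodies persistable; the service account needs SeImpersonatePrivilege (LocalSystem, LocalService and NetworkService have it); and the scheme works for remote authentication only because the pipe client is a local interactive logon whose session carries its own credentials, which is not the double-hop situation of a token obtained from a network logon.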




