Part 1:
I have a simple web service. I would like to protect the web
application by only allowing callers that have a client-side
certificate installed. How can I do that programmatically? I have no
access to the IIS metabase, so I need to do it in web.config or in my
application .cs code.
Part 2:
Assuming I can make Part 1 a success, I want to make a console app
that uses client-side certificates "on the fly" to access the web
service. I don't want a user to have to install a certificate with
any UI; I want to do it for them behind the scenes.
Thanks.
Joe Kaplan (MVP - ADSI) - 25 Oct 2004 21:08 GMT
My instinct is that you would want to use WSE 2.0 for this so you can do it
at the message level. Enforcing client certificates at the transport level
unfortunately means changing the IIS metabase configuration which you said
you can't do.
I'd also suggest reading some of the recent MSDN Magazine articles on WSE
2.0 and trying to post your question in one of the webservices or WSE
newsgroups.
Joe K.
richlm - 25 Oct 2004 21:09 GMT
Take a look at WS-Security - implemented as web services enhancements (WSE)
in .NET.
This should provide the features you need - certainly for part 1. It should
provide the flexibility you need.
http://msdn.microsoft.com/webservices/building/wse/default.aspx
As for part 2, if you need transparency your most secure bet is probably to
look at something like a smart card based approach (where the certificate is
on the card
[MSFT] - 28 Oct 2004 09:48 GMT
Did you still have any further questions on the issue? If so, please feel
free to post here.
Luke