authentication problem migrating a Winform+WS to asp.net20+WS

Globule - 09 Jan 2006 16:35 GMT
Hi everybody,

We have a Winform application which uses x509 user certificates to
connect to .net 1.1 web services.
We are actually writing a new GUI in aspx.net 2.0 to host it on
a different server from the web services.
So the aspx application needs to make requests to the web services, and they
are waiting for users' certificates!

Winform(user cert)->(ok)WS
IE(users certs)->(ok)aspx(?)->(?)WS

Note: what is between () is authentication information/process

Remember the WS needs to authenticate the IE user...
Joe Kaplan (MVP - ADSI) - 09 Jan 2006 17:38 GMT
You won't be able to do this.  You can't delegate client certificate
authentication as the ASPX pages won't have the user's private key for the
certificate.  You would need to use a delegatable security protocol like
Kerberos to make this work.

Joe K.

> Hi everybody,
>
[quoted text clipped - 13 lines]
>
> *** Sent via Developersdex http://www.developersdex.com ***
Dominick Baier [DevelopMentor] - 09 Jan 2006 19:17 GMT
hi,

yep - that's a perfect scenario for protocol transition - if the certs are
from a windows enterprise CA you can extract the UPN for PT.

start here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kerberos/default.mspx


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> You won't be able to do this.  You can't delegate client certificate
> authentication as the ASPX pages won't have the user's private key for
[quoted text clipped - 19 lines]
>>
>> *** Sent via Developersdex http://www.developersdex.com ***
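
The protocol-transition idea from the two replies above, as an added example that is not code from any poster in this thread: the ASPX tier reads the UPN from the validated client certificate, obtains a Windows identity for it without a password, and calls the web service under that identity. Assumptions: the certificates come from a Windows enterprise CA and carry a UPN, the ASP.NET account is configured in Active Directory for constrained delegation with protocol transition to the web service, the web service accepts Integrated Windows authentication, and the class, method and parameter names are hypothetical.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Web;

// Hypothetical helper; class, method and parameter names are assumptions.
public static class CertificateProtocolTransition
{
    // Returns the UPN from the client certificate presented on the SSL connection.
    public static string GetUpn(HttpRequest request, string trustedRootThumbprint)
    {
        HttpClientCertificate presented = request.ClientCertificate;
        if (!presented.IsPresent || !presented.IsValid)
            throw new UnauthorizedAccessException("Valid client certificate required.");
        X509Certificate2 cert = new X509Certificate2(presented.Certificate);
        // Map only certificates chaining to the enterprise CA; another trusted issuer could assert any UPN.
        X509Chain chain = new X509Chain();
        if (!chain.Build(cert))
            throw new UnauthorizedAccessException("Certificate chain did not validate.");
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, trustedRootThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Certificate not issued by the expected CA.");
        string upn = cert.GetNameInfo(X509NameType.UpnName, false);
        if (string.IsNullOrEmpty(upn))
            throw new UnauthorizedAccessException("Certificate carries no UPN.");
        return upn;
    }

    // Calls the web service as the certificate's owner, authenticating with Kerberos.
    public static string CallServiceAsUser(HttpRequest request, Uri serviceUrl, string trustedRootThumbprint)
    {
        string upn = GetUpn(request, trustedRootThumbprint);
        // The UPN constructor performs a Kerberos S4U logon: no password or private key is needed.
        using (WindowsIdentity identity = new WindowsIdentity(upn))
        {
            WindowsImpersonationContext context = identity.Impersonate();
            try
            {
                WebRequest call = WebRequest.Create(serviceUrl);
                call.Credentials = CredentialCache.DefaultCredentials; // the impersonated user
                using (WebResponse response = call.GetResponse())
                using (StreamReader reader = new StreamReader(response.GetResponseStream()))
                    return reader.ReadToEnd();
            }
            finally { context.Undo(); }
        }
    }
}
```

A generated SOAP proxy would be used the same way, by setting its `Credentials` property to `CredentialCache.DefaultCredentials` inside the impersonation block.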
Globule - 09 Jan 2006 20:48 GMT
Thank you Joe.

I thought about an alternative: the web server sends code to the client
and then IE is in charge of calling the WS.

Like this:

1. IE(cert)->(ok)aspx
2. IE<-[code]<-aspx
3. IE+[code](cert)->(ok)WS

The code will be a custom user control in C#.

What do you think about this solution?
Joe Kaplan (MVP - ADSI) - 09 Jan 2006 22:26 GMT
That could work.  You'll need to deal with Code Access Security to make sure
your user control works properly without full trust though.  By default, you
will only have permissions to access web resources on the same site that
the code was downloaded from, so you may need a CAS policy change to make
this work.  This is definitely doable, but may require "per machine" policy
changes on each workstation running the user control to get the desired
results.

It might be easier to set up the web services to accept Kerberos
authentication as well as client certificates (perhaps in a different
virtual root or something or they needed to be separate) so that you could
use a traditional delegation approach like the protocol transition/Kerberos
idea that Dominick and I suggested.

Joe K.

> Thank you Joe.
>
[quoted text clipped - 12 lines]
>
> *** Sent via Developersdex http://www.developersdex.com ***
Globule - 10 Jan 2006 08:50 GMT
I forgot to mention both aspx and WS use SSL and require a client
certificate. I believe this is enough to ensure client authentication.
The aspx code will certainly be signed.
These 2 conditions seem to be sufficient in the short term.
Joe Kaplan (MVP - ADSI) - 10 Jan 2006 16:45 GMT
You can probably find a way to make this work with a downloadable control,
but you will still probably need to deploy specific CAS policy to each
workstation to make it work.  You'll see what I mean when you start working
on it.  Applying a digital signature or strong name to the code in question
will definitely make it easier to identify your code to the security policy
system, so that is a good idea.

Joe K.

> I forgot to mention both aspx and WS use SSL and require a client
> certificate. I believe this is enough to ensure client authentication.
> The aspx code will certainly be signed.
> These 2 conditions seem to be sufficient in the short term.
>
> *** Sent via Developersdex http://www.developersdex.com ***
