.NET Forum / ASP.NET / Web Services / March 2005
What is the best token for me to use?

Julian Jelfs - 22 Mar 2005 15:27 GMT
Hi,

I would like some advice on the best option to take for securing my web
services. My situation is this. I have a number of services which will be
called by domain users. I must be able to authenticate them in the default
way (using windows authentication I guess) OR using LDAP depending on the
particular implementation. It is also essential that I have access to the
authenticated users details (i.e. username) inside the service once
validation has been achieved by whatever method.  

My guess is that I should use a username token. But I have a couple of
problems with this. Firstly, if the client (a web site) uses windows
authentication how can my code get access to the password in order to create
the username token? Secondly, it seems to be a requirement of this technique
to send the password in clear text. How can this be a good idea?

Given these difficulties with username token, would I be better off with
kerberos or kerberos2? In this case, would I still be able to authenticate
using LDAP? Also would this impose any restrictions on the operating system
of the domain controller?

Sorry if any of these questions are naive or unclear, but I really want to
get the right solution rather than just the first one I can get to work.

Thanks.

Julian Jelfs.
Dominick Baier [DevelopMentor] - 22 Mar 2005 15:58 GMT
Hello Julian,

If all your clients are Windows users and live in a trusted domain, KerberosToken2
is the way to go!!!

DC OS : W2K or higher
LDAP: You can always extract the client user name from the token and query
whatever back end store has more infos for you

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Julian Jelfs - 22 Mar 2005 17:17 GMT
OK, thanks for the reply. I forgot to mention one other requirement. This may
well have to work through a firewall. Will the kerberos2 still work?

I'm trying to run kerberos2 sample that comes with WSE 2.0 and I'm having a
problem. I'm running it on a win 2003 server which is part of a domain
controlled by a win2k domain controller. My w3wp process is running as a
domain account which I have granted permission to act as part of the
operating system.

I've logged on to the machine using a normal domain account and attempted to
run the sample and I get the following error:

AcceptSecurityContext call failed with the following error message: Logon
Failure: unknown user name or bad password.

I can debug it as far as making the request and everything looks OK. I
create the token alright. Do you know what might be causing this problem? Is
there anything I can check in debug to try and diagnose it.

Thanks again.

Julian.

Dominick Baier [DevelopMentor] - 23 Mar 2005 11:34 GMT
Hello Julian,

a) why is w3wp running as a domain account? is this a requirement? Network
Service will work fine
b) under which account is w3wp running and how are you constructing the KerberosToken?
c) Kerberos will go through firewalls, depends on the firewall configuration
:)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Julian Jelfs - 23 Mar 2005 11:47 GMT
Hi,

a) no particular reason which is relevant any more, I don't think. I can try
switching it back to Network Service but that shouldn't cause a problem, right?

b) w3wp is running as a domain account defined on active directory on the
domain controller which controls the domain which my web server belongs to. I
am constructing the KerberosToken2 using the sample code. The TargetPrincipal
string that actually gets passed into the constructor is "host/flamingo"
where flamingo is the name of my server. When I look at the token in debug I
can see that the TargetPrincipal property is set to
FLAMINGO$@ARM.STRATEGICTHOUGHT.CO.UK. The only things which seem notable
about this are the lack of the prefix HOST/ and the extra $ sign that's crept
in.

I'm sure this has something to do with service principal names etc, but
that's a very grey area for me and I'm not sure how to diagnose the problem.
Any help would be great because I feel like I'm close to getting this right.

thanks,

Julian.  

Julian Jelfs - 23 Mar 2005 11:51 GMT
Well thanks very much, I changed the w3wp back to Network Service and it now
works fine. Now in an ideal world I would love to understand why, but the
most important thing is that it works....

thanks again.

Dominick Baier [DevelopMentor] - 23 Mar 2005 15:10 GMT
Hello Julian,

:) the mysteries of SPNs -

Network Service is registered as host/machine. Query the SPNs for MACHINE$
with SetSPN and you will see. If you register a SPN for your domain account
and supply this SPN to the KerbToken ctor - it should also work.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

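The SPN mismatch Dominick describes can be checked before the service ever fails: the SPN the client passes to the KerberosToken2 constructor must be registered on exactly the account the w3wp worker runs as (Network Service authenticates as the machine account, FLAMINGO$). The following is an added example, not code from the thread or from WSE; it parses the output format of `setspn -L <account>` and reports whether a given SPN is missing, duplicated, or held by a different account than the worker. The `setspn` output and the domain account `ARM\wsesvc` are constructed for illustration.

```python
"""Check which account owns the SPN a KerberosToken2 client will request.

Added example (not part of the original thread).  The `setspn -L` output
below is constructed: the machine account FLAMINGO$ carries the default
HOST/ SPNs, and the hypothetical domain account ARM\\wsesvc carries none.
"""
from collections import defaultdict

SETSPN_OUTPUT = {
    "FLAMINGO$": (
        "Registered ServicePrincipalNames for CN=FLAMINGO,CN=Computers,"
        "DC=arm,DC=strategicthought,DC=co,DC=uk:\n"
        "    HOST/flamingo.arm.strategicthought.co.uk\n"
        "    HOST/FLAMINGO\n"
    ),
    "ARM\\wsesvc": (
        "Registered ServicePrincipalNames for CN=wsesvc,CN=Users,"
        "DC=arm,DC=strategicthought,DC=co,DC=uk:\n"
    ),
}


def parse_setspn(text):
    """Return the SPNs listed by `setspn -L`: the indented lines after the header."""
    return [line.strip() for line in text.splitlines()[1:] if line.strip()]


def spn_owners(outputs):
    """Map each SPN (compared case-insensitively, as AD does) to the accounts holding it."""
    owners = defaultdict(list)
    for account, text in outputs.items():
        for spn in parse_setspn(text):
            owners[spn.lower()].append(account)
    return owners


def check_spn(target_principal, worker_account, outputs):
    """Classify what happens when a client requests a ticket for
    `target_principal` while the service process runs as `worker_account`."""
    holders = spn_owners(outputs).get(target_principal.lower(), [])
    if not holders:
        return "missing"        # KDC has no account for this SPN: no ticket issued
    if len(holders) > 1:
        return "duplicate"      # ambiguous SPN: Kerberos authentication fails
    if holders[0].lower() != worker_account.lower():
        return "wrong-account"  # ticket is keyed to another account; AcceptSecurityContext fails
    return "ok"
```

Running `check_spn("host/flamingo", "ARM\\wsesvc", SETSPN_OUTPUT)` reproduces the thread's failing configuration as `wrong-account`, while the same SPN with `FLAMINGO$` (Network Service) returns `ok`.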
©2008 Advenet LLC