Mixed mode WSE authentication (of internal/external WinForm client

Thread view:

Enable EMail Alerts

Start New Thread

Thread rating:

lpthorp - 27 Apr 2005 16:08 GMT

Hi everyone,

We have several WinForms/web service based apps in our internal network
which need to be made accessible to users connecting via the Intranet.

The plan is to move the web services server to our DMZ, with minimal changes
to the apps and web services.

What would you consider to be the ‘best practice’ for implementing the mixed
mode authentication of (1) domain users in the internal network and (2)
external clients connecting via the internet (i.e. they will be supplying
username/password tokens)?

TIA,

Louis

Reply to this Message

William Stacey [MVP] - 27 Apr 2005 19:00 GMT

Many ways to go here. Probably the most secure is to keep your internal web
service internal. Add a standalone domain to the DMZ for external users and
allow access to the sql connection from inside the web service using CLR
role based security (could also verify users against db but I prefer
leveraging windows if possible). That provides clear seperation, however
that means dual admin of users and passwords and security rights. And
depending on what they need access to, you may have to have trust links
anyway. So the another option would be to just add auth to AD (assuming AD
here) from your web services. This allows you to leverage existing accounts
and rights and internal management tools. For external only users, just
create them an account and make them a member of only the "External Users"
group (or what ever.) Make sure External Users group only has access to
just the specific things they need (i.e. files, etc) and nothing else.
Remove them from Domain Users group as well so the only group they are a
member of is External Users. You can also add CLR role based security on
all your methods the web service calls for things that require security so
you have both CLR and OS/NTFS security. CLR required roles may then allow
either Domain Users and External Users to allow both the special external
users and existing domain members.
--
William Stacey [MVP]

> Hi everyone,
>
[quoted text clipped - 5 lines]
>
> What would you consider to be the 'best practice' for implementing the

mixed

> mode authentication of (1) domain users in the internal network and (2)
> external clients connecting via the internet (i.e. they will be supplying
[quoted text clipped - 3 lines]
>
> Louis

Reply to this Message

Louis - 16 May 2005 15:53 GMT

After some blood and tears I have a clearer idea of what I should be doing to
authenticate internal / external clients, as follows.

A username token and a kerberos2 token are being passed with with each call.
These tokens will be authenticated by overriding
UsernameTokenManager.AuthenticateToken. Internal clients will be
authenticated using their kerberos2 token. External clients will be
authenticated against a custom user database with hashed passwords.
Encryption is done using secure conversation. The web services are running
in the DMZ. Sounds ok thus far right?

The stumbling block is getting access to the kerberos2 token in
UsernameTokenManager.AuthenticateToken. I can access RequestSoapContext and
iterate through the security tokens collection without any problems outside
of AuthenticateToken in the web service methods that are subsequently called.
However RequestSoapContext is null inside AuthenticateToken. Does anyone
know to get to the tokens collection within RequestSoapContext???

Many thanks,

Louis

> Many ways to go here. Probably the most secure is to keep your internal web
> service internal. Add a standalone domain to the DMZ for external users and
[quoted text clipped - 36 lines]
> >
> > Louis

Reply to this Message

Mixed mode WSE authentication (of internal/external WinForm client

Free Magazines