 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / June 2005WS Security issues
Hello, I am working on a product when we are shipping a web service and a windows client to several end-customers. The web service should be able to run either on the inside or on the outside of their firewall. The same CD are being sent to all customers, so it is not possible to modify anything from customer to customer. The software should run directly after installation, without obtaining certificates or anothing else.The clients are running on Windows 2000 server and client, Windows XP and Windows Server 2003. I have two demands: 1) All WS requests from the client needs to be authorized by AD. It should be possible to log in using the current credentials or by specifying an user name/password pair. 2) All WS requests from the client needs to be encrypted and signed I have looked into X509SecurityToken, KerberosToken and UsernameToken. But I just can't see how I solve this the the best way. If I use X.509 for signing and encryption, then I guess that I have to distribute the same certificate to all customers, which I guess not i a smart idea. I have read that the KerberosToken does not work for Windows 2000. Any recommendations? Regards Henrik Skak Pedersen We have a similar setup that you described. We are sending the Username/password in the userName token, the Webservice server machine needs to be in the same domain as of the AD, if an invalid username/password is sent and it cannot be authenticated it will throw a SoapFault. The username/password is sent as plaintext in the usernameToken. We are using SSL for making sure that the channel is secure. If you plan to implement the X.509 for encryption my guess is that it will be drag on the performance. > Hello, > [quoted text clipped - 27 lines] > > Henrik Skak Pedersen Hi Yedu, Thank you very much for your reply. Would you use UsernameTokens for signing, encrypting and authentication? How can I send the current UsernameToken? How are you deploying "SSL settings"? Regards Henrik > We have a similar setup that you described. > We are sending the Username/password in the userName token, the Webservice [quoted text clipped - 46 lines] >> >> Henrik Skak Pedersen UsernameToken is used for authentication and authorization. It represents security credentials in the form of a user name and password. The usernameToken can be sent in this way from the client code: UsernameToken token = new UsernameToken(domainAndUserId, Password, PasswordOption.SendPlainText); proxy.RequestSoapContext.Security.Tokens.Add(token); Since SSL is at the transport level and not at the message level, you will not have to do anything in the code for it. Only thing i can think of is that the URL in the proxy would change to 'https' instead of 'http' > Hi Yedu, > [quoted text clipped - 58 lines] > >> > >> Henrik Skak Pedersen Ok, thanks again. I have just seen in some examples that you also can use the UsernameToken to encrypt and sign your messages with. But I guess that you only use it for authentication and then let SSL handle the rest? Do you know how to send the current user credentials, so that the user don't have to specify username/password? Henrik. > UsernameToken is used for authentication and authorization. It represents > security credentials in the form of a user name and password. [quoted text clipped - 78 lines] >> >> >> >> Henrik Skak Pedersen If you're looking for a 'sticky/chatty' webservice. You should consider using SCTs(Secure context tokens) they allow you to be authenticated once and the service issues a token that can be used for subsequent requests. > Ok, thanks again. I have just seen in some examples that you also can use > the UsernameToken to encrypt and sign your messages with. But I guess that [quoted text clipped - 87 lines] >>>>> >>>>>Henrik Skak Pedersen  SignatureHTH Regards, Dilip Krishnan MCAD, MCSD.net dilip.krishnan AT apdiya DOT com +1, If you're looking to sign and encrypt using user name token, keep in mind the service will not be interoperable with java or other technologies. I guess your best option is to use username token for authentication and authorization. And use X509 certs for signing and encrypting. This is a little slower that ssl but from a purist standpoint you are now transport independent! > Hi Yedu, > [quoted text clipped - 58 lines] >>> >>>Henrik Skak Pedersen SignatureHTH Regards, Dilip Krishnan MCAD, MCSD.net dilip.krishnan AT apdiya DOT com Thank you for your reply. But dont I then have to redistribute a new X509 certificate per customer? Do you know how I can send the current UsernameToken? Thanks, Henrik > +1, > If you're looking to sign and encrypt using user name token, keep in mind [quoted text clipped - 70 lines] >>>> >>>>Henrik Skak Pedersen Yes you do have to redistribute the x509 if you choose to use it. With SCT you dont need the current username token... as long as you have the context token and send it with each request the service will assume authentication. > Thank you for your reply. > [quoted text clipped - 79 lines] >>>>> >>>>>Henrik Skak Pedersen SignatureHTH Regards, Dilip Krishnan MCAD, MCSD.net dilip.krishnan AT apdiya DOT com I guess that I have a problem no matter whether I choose X.509 or SSL. I still have to redistribute a unique certificate per customer and install it on the users machine? I can't generate the certificates when I install my product? Or do I have to obtain it from VeriSign or another similar authorithy everytime I sell a package? Henrik > Yes you do have to redistribute the x509 if you choose to use it. With SCT > you dont need the current username token... as long as you have the [quoted text clipped - 87 lines] >>>>>> >>>>>>Henrik Skak Pedersen If you use SCT then you don't need a UT as your already authenticated and can use the SCT for encryption and signing and UT is not really secure unless you use something else on top like SSL or a SCT/Kerberos/etc. But if you have a SCT already, then you don't need the UT (unless you need it for some other reason). You also don't really need Certs for SCT. You can use standard RSA keys (auto generated). I have an example of this on my blog: http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry HTH SignatureWilliam Stacey [MVP] >I guess that I have a problem no matter whether I choose X.509 or SSL. I >still have to redistribute a unique certificate per customer and install it [quoted text clipped - 103 lines] >>>>>>> >>>>>>>Henrik Skak Pedersen Hi again, I am sorry but I think that you misunderstood my question. I want initially to send the current user credentials, so I dont have to store username/password. Is that possible on Windows 2000/XP/2003? > Yes you do have to redistribute the x509 if you choose to use it. With SCT > you dont need the current username token... as long as you have the [quoted text clipped - 87 lines] >>>>>> >>>>>>Henrik Skak Pedersen Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.