Client Cert Delegation to Web Service

Thread view:

Enable EMail Alerts

Start New Thread

Thread rating:

hepsubah - 29 Aug 2007 14:34 GMT

I have some secure ASP.NET Web Services (which could become WCF
services) used to generate a secure ASP.NET page. Is there any way to
delegate (impersonate?) the client cert from the user accessing the
page to the secure service ?

Thanks in advance

Doug

Reply to this Message

Dominick Baier - 29 Aug 2007 15:04 GMT

IIS has a certificate mapping feature - this allows to map the certificate
to a Windows account (i can't remember if this gives you an impersonatable
token - Joe?).

You could also use protocol transition to do this - but this requires a domain.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> I have some secure ASP.NET Web Services (which could become WCF
> services) used to generate a secure ASP.NET page. Is there any way to
[quoted text clipped - 4 lines]
>
> Doug

Reply to this Message

Joe Kaplan - 29 Aug 2007 15:36 GMT

Yes, the certificate mapping does give you an impersonatable token and if
you use protocol transition (S4U), it should be then possible to delegate
the impersonated security context to the web service via Kerberos
delegation.

As I said before, you can't actually delegate the client certificate SSL
handshake itself since you don't have the private key, but the Kerberos
delegation approach can be made to work.

Joe K.

Signature

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

> IIS has a certificate mapping feature - this allows to map the certificate
> to a Windows account (i can't remember if this gives you an impersonatable
[quoted text clipped - 17 lines]
>>
>> Doug

Reply to this Message

Rate this thread:

Client Cert Delegation to Web Service

Free Magazines