authentication between two server processes over the internet

Discussion in 'ASP .Net Web Services' started by Syed Naveed Ausaf, Nov 12, 2003.

  1. Hi all,

    My scenario is this:

    Central Server: on which a number of remote machines invoke services
    (implemented as web services, but doesn't matter what the choice of
    implementation is).

    Remote Servers: These are machines running at various sites worldwide.
    Each remote server would be on a separate network and separated from
    the internet by firewalls.

    I have control over the central server and the firewall configuration
    for it but little or no control over the firewall configuration of the
    remote servers.

    Standalone server processes will be running on all the servers. The
    server process on the remote server needs to communicate with the
    server process running on the Central server. This communication is
    occurring automatically and will continue to occur indefinitely, with
    no human involvement.

    The communication is encrypted using SSL.

    QUESTION: What authentication method should I use at the Central
    Server to authenticate the Remote Servers?

    I thought of using usernames and passwords. The problem is that in the
    given scenario, they would need to be stored onto the Remote Server in
    a file or registry.

    What about Client Certificates? I will have install-time control of
    the remote server. So I can then install a certificate issued by the
    Central Server (acting as Certificate Authority) onto the Remote
    Server. But are there any management/logistical/operational issues
    with using client certificates?

    Are there any other options to let the Central Server authenticate the
    individual Remote Servers?

    I am a bit confused in choosing between usernames/passwords and client
    certificates. While it's true that usernames/passwords can be read by
    anyone from wherever they are stored, but then, I think, that the
    client certificates could somehow also be taken/copied off the Remote
    Server and transported/installed elsewhere. Is copying/hacking client
    certificates much more difficult than reading passwords/usernames? One
    thing is given, that the Remote Server's security, and the people
    managing the Remote Server are quite trusted (but then you can't trust
    someone too much!).

    What are my client authentication options? What are the things I
    should bear in mind when deciding on an option?

    Thanks a lot...
     
    Syed Naveed Ausaf, Nov 12, 2003
    #1

  2. You might choose to restrict access only to certain IP addresses. This can
    be configured in IIS, or you can do it in code.

    You might choose to use SOAP headers to authenticate a custom security
    token.
    Here's more info on that:
    http://www.pinpub.com/html/main.isx?sub=65&story=1893

    Here are further security details you may find useful:
    http://msdn.microsoft.com/webservices/building/wse/

    --
    I hope this helps,
    Steve C. Orr, MCSD, MVP
    http://Steve.Orr.net
    Hire top-notch developers at http://www.able-consulting.com




     
    Steve C. Orr [MVP, MCSD], Nov 12, 2003
    #2
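
Added example, not part of the thread: a sketch of how a central server could combine the two suggestions in reply #2, a per-site source-address allowlist checked in code and a custom security token carried in a request header. It is written in Python because the question says the implementation choice does not matter; the token layout (`site:timestamp:nonce:mac`), the site names, keys and networks are all constructed assumptions. The shared key still has to be stored on each remote server, which is the storage concern raised in post #1.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed sample data: one shared key and allowed source network per site.
SITES = {
    "site-london": {"key": b"constructed-demo-key-1", "nets": ["203.0.113.0/24"]},
    "site-tokyo": {"key": b"constructed-demo-key-2", "nets": ["198.51.100.7/32"]},
}
MAX_SKEW = 300      # seconds a token is accepted either side of "now"
_seen_nonces = {}   # (site, nonce) -> expiry time, used to reject replays


def _mac(key, site_id, ts, nonce, body):
    # Bind the token to the sender, the time, the nonce and the exact body.
    msg = f"{site_id}\n{ts}\n{nonce}\n{hashlib.sha256(body).hexdigest()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_token(site_id, key, body, nonce, now=None):
    """Remote-server side: build the header value 'site:ts:nonce:mac'."""
    ts = int(time.time() if now is None else now)
    return f"{site_id}:{ts}:{nonce}:{_mac(key, site_id, ts, nonce, body)}"


def verify(token, source_ip, body, now=None):
    """Central-server side: return (accepted, reason)."""
    now = time.time() if now is None else now
    parts = token.split(":")
    if len(parts) != 4 or not (parts[1].isascii() and parts[1].isdigit()):
        return False, "malformed"
    site_id, ts, nonce, mac = parts[0], int(parts[1]), parts[2], parts[3]
    site = SITES.get(site_id)
    if site is None:
        return False, "unknown site"
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in ipaddress.ip_network(n) for n in site["nets"]):
        return False, "source address not allowed"
    expected = _mac(site["key"], site_id, ts, nonce, body)
    if not hmac.compare_digest(mac.encode(), expected.encode()):  # constant time
        return False, "bad signature"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale"
    for k in [k for k, exp in _seen_nonces.items() if exp < now]:
        del _seen_nonces[k]  # drop nonces whose tokens can no longer be fresh
    if (site_id, nonce) in _seen_nonces:
        return False, "replayed"
    _seen_nonces[(site_id, nonce)] = ts + MAX_SKEW  # recorded only after the MAC checks out
    return True, "ok"
```

The nonce cache is in-process here; a central server running more than one worker would need a shared store for it.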