calling a web service protected by RSA SecurID

Discussion in 'ASP .Net Security' started by ajfish@blueyonder.co.uk, Mar 28, 2007.

  1. Guest

    Hi,

    my client has an extranet IIS web server protected by RSA SecurID.
    it's running my asp.net 1.1 application. when they use the web app
    from a browser they have to log in to RSA, then they see the login
    screen for our application (forms authentication) and everything is
    fine.

    however, when they use our winforms client application to access a web
    service (which is part of the same web app), it doesn't work. we are
    handling HTTP 401 responses correctly in the windows client but I
    guess SecurID is not using this mechanism.

    anyone know how I can get a .Net 1.1 winforms application to connect
    to a web service that is protected by SecurID

    TIA for any thoughts.

    Andy
     
    , Mar 28, 2007
    #1

  2. Joe Kaplan Guest

    You can't really do this in a standards-based way. The forms auth done by
    SecurID doesn't use any of the standard HTTP transport level security
    protocols like Basic, Digest or Integrated auth and doesn't correspond with
    the WS-Security specification for doing message level security.

    My overall assessment is that the authentication mechanism in use on the
    website is inappropriate for use with programmatic agents like web services.
    You should consider changing that. However, if it is not an option, you'll
    likely need to implement a proprietary mechanism to handle the SecurID auth
    and then add the required cookie programmatically to your web service proxy
    class. I've seen that done before, although I can't tell you exactly how
    you'll go about doing that in this case as each forms auth mechanism is a
    little different. You'll need to reverse engineer the form post and figure
    out how to collect the required cookie from the server's response.

    Good luck!

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
     
    Joe Kaplan, Mar 28, 2007
    #2
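
A sketch of the approach described in the reply above, added here as an illustration and not part of the original thread: post the gateway's login form once, keep the cookie it issues, and hand that cookie container to the web service proxy. The login URL and the form field names are placeholders (assumptions); the real ones have to be read from the gateway's own login page, since each forms auth mechanism differs.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Web;                       // HttpUtility (reference System.Web.dll)
using System.Web.Services.Protocols;    // HttpWebClientProtocol

public class GatewayLogin
{
    // Placeholders (assumptions): take the real values from the login page's <form>.
    const string LoginUrl  = "https://extranet.example.com/gateway/login";
    const string UserField = "username";
    const string CodeField = "passcode";

    // Posts the login form and returns the cookies the gateway issued.
    // The passcode is a one-time token code: prompt the user for it on
    // every login and never store it in the client's configuration.
    public static CookieContainer Authenticate(string user, string passcode)
    {
        CookieContainer jar = new CookieContainer();
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(LoginUrl);
        req.Method = "POST";
        req.ContentType = "application/x-www-form-urlencoded";
        req.CookieContainer = jar;      // cookies set during the exchange are stored here
        req.AllowAutoRedirect = true;   // form logins normally redirect after the post

        byte[] body = Encoding.UTF8.GetBytes(
            UserField + "=" + HttpUtility.UrlEncode(user) + "&" +
            CodeField + "=" + HttpUtility.UrlEncode(passcode));
        req.ContentLength = body.Length;
        using (Stream s = req.GetRequestStream()) { s.Write(body, 0, body.Length); }

        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
        {
            // A form login tends to answer 200 whether or not it succeeded,
            // so the status code proves nothing. No cookie at all means failure;
            // checking for the gateway's specific cookie name is a stronger test.
            if (jar.Count == 0)
                throw new ApplicationException("Gateway issued no cookie; login failed.");
        }
        return jar;
    }

    // Works with any wsdl.exe-generated proxy, which derives from HttpWebClientProtocol.
    public static void Attach(HttpWebClientProtocol proxy, CookieContainer jar)
    {
        proxy.CookieContainer = jar;    // every later SOAP call sends the session cookie
    }
}
```

When the gateway session expires, calls through the proxy will start receiving the HTML login page instead of a SOAP response, so the client should treat that as a signal to prompt for a fresh token code and authenticate again.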

  3. On Mar 28, 1:11 pm, "Joe Kaplan" wrote:
    > You can't really do this in a standards-based way. The forms auth done by
    > SecurID doesn't use any of the standard HTTP transport level security
    > protocols like Basic, Digest or Integrated auth and doesn't correspond with
    > the WS-Security specification for doing message level security.
    >
    > My overall assessment is that the authentication mechanism in use on the
    > website is inappropriate for use with programmatic agents like web services.
    > You should consider changing that. However, if it is not an option, you'll
    > likely need to implement a proprietary mechanism to handle the SecurID auth
    > and then add the required cookie programmatically to your web service proxy
    > class. I've seen that done before, although I can't tell you exactly how
    > you'll go about doing that in this case as each forms auth mechanism is a
    > little different. You'll need to reverse engineer the form post and figure
    > out how to collect the required cookie from the server's response.
    >
    > Good luck!
    >
    > Joe K.

    Just a thought: Can you get the web service to use RADIUS? It should
    be simple to get IIS to use RADIUS as well.

    HTH,

    Nick
    --
    Nick Owen
    WiKID Systems, Inc.
    404.962.8983
    http://www.wikidsystems.com
    Commercial/Open Source Two-Factor Authentication
     
    Nick Owen - GardenToDo.com, Mar 28, 2007
    #3
  4. Guest

    Thanks Joe (and Nick) for the replies

    unfortunately I work for an ISV and this issue is being reported by a
    customer, so we don't have any control over their security
    infrastructure.

    it looks like RSA do have some APIs but these are available only to
    direct customers or if we spend $10k on an API support contract.

    so at least we have a couple of possible ways forward, even if neither
    of them is ideal

    Andy

     
    , Mar 29, 2007
    #4