Client Certificate and Code Access Security

Discussion in 'ASP .Net Web Services' started by Jürgen Laude, Jan 13, 2005.

  1. Hi,

    I am implementing an IIS deployed client (Windows Forms) that accesses a web
    service on the same server. I want to use client certificates for
    authentication.
    My problem is, when I call the web service with CAS "Internet" permissions,
    I'm receiving a SecurityException in a thread that seems to create the
    connection. The user selects the certificate with an OpenFileDialog configured
    for working with "Internet" permissions. I can verify the loading of the
    certificate and assigning it to the web service proxy works without problems.
    Running the same with "Full Trust" works perfectly, but my customers require
    "Internet" permissions only.
    What do I need to do to work around that? If not, why is using a client
    certificate that the user manually selects a security risk (it is no problem
    for Internet Explorer to do that)?

    Thank you in advance,

    Jürgen
     
    Jürgen Laude, Jan 13, 2005
    #1
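
The flow described in the post above (certificate read from a user-selected file, attached to the web service proxy, then the call), written as an added example that is not the poster's code, with a catch that reports which permission type the sandbox refused. The class and method names are hypothetical, the file is assumed to be a DER-encoded `.cer`, and `webMethodCall` stands for whatever proxy method the application invokes.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Cryptography.X509Certificates;
using System.Web.Services.Protocols;
using System.Windows.Forms;

public sealed class ClientCertProbe   // hypothetical name, for illustration
{
    // Read the certificate through the stream the dialog hands back.
    // OpenFile() never exposes the file path, so FileDialogPermission is enough.
    public static X509Certificate LoadUserSelectedCertificate()
    {
        using (OpenFileDialog dialog = new OpenFileDialog())
        {
            dialog.Filter = "Certificate files (*.cer)|*.cer";
            if (dialog.ShowDialog() != DialogResult.OK)
                return null;                      // user cancelled

            using (Stream stream = dialog.OpenFile())
            {
                byte[] encoded = new byte[stream.Length];
                int offset = 0;
                while (offset < encoded.Length)   // Read may return short counts
                {
                    int read = stream.Read(encoded, offset, encoded.Length - offset);
                    if (read == 0) throw new EndOfStreamException();
                    offset += read;
                }
                return new X509Certificate(encoded);
            }
        }
    }

    // Attach the certificate, run the call, and name the refused permission.
    // Returns null when the call went through.
    public static string CallAndReportDenial(HttpWebClientProtocol proxy,
        X509Certificate certificate, MethodInvoker webMethodCall)
    {
        proxy.ClientCertificates.Add(certificate);
        try
        {
            webMethodCall();
            return null;
        }
        catch (SecurityException ex)
        {
            // PermissionType identifies the demand that failed; the richer
            // properties of SecurityException may not be readable in a sandbox.
            Type refused = ex.PermissionType;
            return String.Format("Denied: {0} ({1})",
                refused == null ? "unknown permission" : refused.FullName, ex.Message);
        }
    }
}
```

If the exception is raised on a different thread from the caller, as the post suggests, this catch will not see it and the permission type has to be read from the exception where it surfaces.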

  2. Hello Jürgen,
    Basically you're having a client application that you're trying to run as a
    downloaded internet application. Such applications are security sandboxed
    as "internet" applications, which have restricted permissions as far as loading
    things from the hard disk etc. Assuming you're using SSL, a client cert cannot
    get access to your certificate in your local stores. Giving just appropriate
    permissions should solve this problem.

    HTH
    Regards,
    Dilip Krishnan
    MCAD, MCSD.net
    dkrishnan at geniant dot com
    http://www.geniant.com

    Dilip Krishnan, Jan 13, 2005
    #2

  3. Hello Dilip,

    Changing permissions on the client side is not an option for my customers.
    Why am I able to use client side certificates in the internet zone with my
    default Internet Explorer settings for web pages, but not from a .NET
    application for web services? Browsing the asmx page works with the client
    certificate, because IE is pulling it from the store. I understand that a
    .NET app should not be allowed to access a user's certificate store without
    his knowledge, but the client is receiving the certificate from a user
    selected file, so it is the user's intention to provide it to the application for
    his authentication.

    Thanks,
    Jürgen

    Jürgen Laude, Jan 13, 2005
    #3
  4. Hello Jürgen,

    Yes, IE can access it because it's a program running on your local machine
    (read trusted). But since your .NET client is running under "Internet" permissions,
    it doesn't have permissions to do the same function as IE. Think of it as
    a Java applet (read "Internet" permissioned app) running on your browser; it
    will not have access to delete a file on your hard drive, would it?

    HTH
    Regards,
    Dilip Krishnan
    MCAD, MCSD.net
    dkrishnan at geniant dot com
    http://www.geniant.com

    Dilip Krishnan, Jan 13, 2005
    #4
  5. Hello Dilip,

    I can open any file for read access under "Internet" permissions if I use
    the OpenFileDialog and ask the user to select one for me. This way I would be
    able to read and use whatever the user allows me to. Why is that less
    dangerous than using a client certificate from a file (exported from the
    local certificate store)?
    Reading the documentation about the WebService.htc, I am supposed to be able
    to use client certificates if I call the web service from DHTML without
    changing settings on my IE.
    Is there a way to share the already established SSL connection from IE with
    my .NET client?

    Thanks,
    Jürgen

    Jürgen Laude, Jan 14, 2005
    #5