External web service and Active Directory - which authentication type?

Discussion in 'ASP .Net' started by sqlman, May 29, 2009.

  1. sqlman

    sqlman Guest

    Windows 2008 Server, IIS 7
    ASP.NET 1.1 web service

    I have a ASP.NET 1.1 web service on the external machine for which I
    need to implement proper authentication mechanism. I have an Active
    Directory domain also in DMZ (specifically for external users), and I
    would like to use the existing user base and roles in it.

    The easiest approach seems to enable Windows authentication on the
    virtual directory of the web service, and let IIS handle
    authentication. But from what I have seen, Microsoft strongly
    discourages use of Windows authentication on the Internet.

    What are my alternatives and how would I implement them?
     
    sqlman, May 29, 2009
    #1

  2. DaveMo

    DaveMo Guest

    Re: External web service and Active Directory - which authentication type?

    On May 29, 10:41 am, sqlman <> wrote:
    > Windows 2008 Server, IIS 7
    > ASP.NET 1.1 web service
    >
    > I have a ASP.NET 1.1 web service on the external machine for which I
    > need to implement proper authentication mechanism.  I have an Active
    > Directory domain also in DMZ (specifically for external users), and I
    > would like to use the existing user base and roles in it.
    >
    > The easiest approach seems to enable Windows authentication on the
    > virtual directory of the web service, and let IIS handle
    > authentication.  But from what I have seen, Microsoft strongly
    > discourages use of Windows authentication on the Internet.
    >
    > What are my alternatives and how would I implement them?


    The only other decent option is to use forms-based authentication. But
    really it comes down to a matter of preference for the user
    interaction during authentication. With Windows Integrated AuthN the
    user will see the dialog box provided by Windows. It's not very user
    friendly and lacks context. Also if the user forgets their password or
    needs to change it, then the user is stuck or at best confused.

    For this reason, most people go with forms-based auth for external
    authN scenarios. Good info here: http://msdn.microsoft.com/en-us/library/aa480476.aspx

    Security issues with Windows integrated auth come mainly when users
    choose very bad passwords. This problem can be mitigated by enforcing
    strong passwords or by protecting the initial page in your site with HTTPS.


    HTH,
    Dave
     
    DaveMo, Jun 1, 2009
    #2

  3. sqlman

    sqlman Guest

    Re: External web service and Active Directory - which authentication type?

    On Mon, 1 Jun 2009 12:36:47 -0700 (PDT), DaveMo
    <> wrote:

    >
    >The only other decent option is to use forms-based authentication. But
    >really it comes down to a matter of preference for the user
    >interaction during authentication. With Windows Integrated AuthN the
    >user will see the dialog box provided by Windows. It's not very user
    >friendly and lacks context. Also if the user forgets their password or
    >needs to change it, then the user is stuck or at best confused.
    >
    >For this reason, most people go with forms-based auth for external
    >authN scenarios. Good info here: http://msdn.microsoft.com/en-us/library/aa480476.aspx
    >
    >Security issues with Windows integrated auth comes mainly when users
    >choose very bad passwords. This problem can be mitigated by enforcing
    >strong passwords or protect the initial page in your site with HTTPS.
    >
    >
    >HTH,
    >Dave


    Dave,

    I am aware of all that, but I am talking about a web service, not an
    interactive web app. So, Forms seems to be out of the question.

    Thanks!
     
    sqlman, Jun 3, 2009
    #3
  4. DaveMo

    DaveMo Guest

    Re: External web service and Active Directory - which authentication type?

    On Jun 3, 9:34 am, sqlman <> wrote:
    >
    > Dave,
    >
    > I am aware of all that, but I am talking about a web service, not an
    > interactive web app.  So, Forms seems to be out of question.
    >
    > Thanks!


    Ahh, sorry. Missed the web service piece in my first read. For
    automated processes the choice comes down to password-based challenge
    response protocols which include NTLM and Digest. The two have
    similar security characteristics, so I'd likely suggest NTLM.
    Otherwise you can choose client certificate authentication using X.509
    certificates. These are all out of the box mechanisms. Note that
    client cert authN requires SSL, but if you use SSL then NTLM auth is
    perfectly secure as well. It really just comes down to what your
    external customers are going to have to do to manage their credentials
    of whichever type you choose to accept. Is it easier for them to
    manage passwords or certificates?

    For completeness I should probably mention federation-based
    approaches, but knowing nothing about the external users I couldn't
    say whether that approach would be worth looking into.

    HTH,
    Dave
     
    DaveMo, Jun 4, 2009
    #4
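    As an added example (not code from this thread or from either poster), here is what the "NTLM over SSL" option Dave describes looks like in an ASP.NET 1.1 ASMX service and its caller. The service name OrdersService, the group DMZDOMAIN\WebServiceUsers, the endpoint URL and the wsdl.exe-generated OrdersServiceProxy class are all assumptions for the illustration; the web.config lines shown in the comment are the standard ASP.NET settings for Windows authentication with anonymous callers denied.

```csharp
// Added example, not from the thread. Server side: an ASP.NET 1.1 ASMX web service
// that lets IIS "Windows authentication" (in practice NTLM for Internet callers,
// since Kerberos needs a KDC the client can reach) identify the caller, then
// refuses plain-HTTP requests and checks AD group membership before doing work.
using System;
using System.Net;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

[WebService(Namespace = "http://example.org/orders/")]   // assumed namespace
public class OrdersService : WebService
{
    // AD group in the DMZ domain that may call the service (assumed name).
    private const string AllowedRole = @"DMZDOMAIN\WebServiceUsers";

    // Matching web.config for the virtual directory (ASP.NET settings):
    //   <authentication mode="Windows" />
    //   <authorization><deny users="?" /></authorization>
    // With IIS configured for Integrated Windows authentication only, anonymous
    // requests are rejected with 401 before any [WebMethod] runs, and
    // Context.User is the authenticated AD principal.

    [WebMethod]
    public string GetOrderStatus(int orderId)
    {
        // NTLM's challenge/response keeps the password off the wire, but the SOAP
        // payload itself is cleartext unless the channel is SSL. Refuse HTTP.
        if (!Context.Request.IsSecureConnection)
        {
            throw new SoapException("This service is only available over HTTPS.",
                                    SoapException.ClientFaultCode);
        }

        // Authorization: IsInRole is evaluated against the caller's AD group SIDs,
        // so roles maintained in the DMZ domain are honoured without extra code.
        if (!User.Identity.IsAuthenticated || !User.IsInRole(AllowedRole))
        {
            throw new SoapException("Caller is not authorized.",
                                    SoapException.ClientFaultCode);
        }

        return String.Format("order {0} looked up for {1}",
                             orderId, User.Identity.Name);
    }
}

// Client side: a proxy generated with wsdl.exe (class name assumed) pointed at the
// HTTPS endpoint and given the DMZ domain account's credentials. IIS answers the
// first request with 401 and "WWW-Authenticate: NTLM"; the .NET HTTP stack then
// completes the NTLM challenge/response automatically because Credentials is set.
public class OrdersClient
{
    public static string Call(string user, string password)
    {
        OrdersServiceProxy proxy = new OrdersServiceProxy();             // assumed proxy
        proxy.Url = "https://ws.example.org/orders/OrdersService.asmx"; // assumed URL
        proxy.Credentials = new NetworkCredential(user, password, "DMZDOMAIN");
        return proxy.GetOrderStatus(42);
    }
}
```

    The HTTPS check belongs in the service rather than only in the client, because the caller is an external party whose client code the service owner does not control; the role check is where the "existing user base and roles" in the DMZ domain are actually used.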
  5. sqlman

    sqlman Guest

    Re: External web service and Active Directory - which authentication type?

    On Thu, 4 Jun 2009 09:24:42 -0700 (PDT), DaveMo
    <> wrote:

    >
    >Ahh, sorry. Missed the web service piece in my first read. For
    >automated processes the choice comes down to password-based challenge
    >response protocols which include NTLM and Digest. The two have
    >similar security characteristics, so I'd likely suggest NTLM.
    >Otherwise you can choose client certificate authentication using X.509
    >certificates. These are all out of the box mechanisms. Note that
    >client cert authN requires SSL, but if you use SSL then NTLM auth is
    >perfectly secure as well. It really just comes down to what your
    >external customers are going to have to do to manage their credentials
    >of whichever type you choose to accept. Is it easier for them to
    >manage passwords or certificates?
    >
    >For completeness I should probably mention federation-based
    >approaches, but knowing nothing about the external users I couldn't
    >say whether that approach would be worth looking into.
    >HTH,
    >Dave


    Dave,

    The whole point of this is to use the Active Directory to manage
    users, and let them get authenticated against it. From what I gather,
    client certificates lead to something else.

    I am also still confused: what is wrong with using Windows
    authentication (with SSL or not), and how is it inferior to NTLM or
    Digest?

    Thanks!
     
    sqlman, Jun 8, 2009
    #5
  6. DaveMo

    DaveMo Guest

    Re: External web service and Active Directory - which authentication type?

    On Jun 8, 10:45 am, sqlman <> wrote:
    >
    > Dave,
    >
    > The whole point of this is to use the Active Directory to manage
    > users, and let them get authenticated against it. From what I gather,
    > client certificates lead to something else.
    >
    > I am also still confused: what is wrong with using Windows
    > authentication (with SSL or not), and how is it inferior to NTLM or
    > Digest?
    >
    > Thanks!


    Windows authentication includes both Kerberos and NTLM authentication.
    Kerb won't work in your scenario, so Windows authentication = NTLM.

    Client certificates can be used to authenticate users in Active
    Directory. Everything I've mentioned so far is a way to authenticate
    AD users, so it's up to you to pick the option you like the best.

    Dave
     
    DaveMo, Jun 11, 2009
    #6
