Help needed in finding the right place to start

[David Haynes]

I would appreciate some pointers to the correct place to start learning
how to achieve the following:

1. I have a web service (SOAP) that needs to be authenticated prior to use.
2. The authentication is of the form: login and password
3. I want to be able to:
a) authenticate the login/password using windows authentication
b) authenticate the login/password using active directory
I cannot use a separate database or config file for this.
4. Based on the authentication, I want to pick up the user's roles.

I am using C# and .NET 2.0.

Ideally, I would like to find an object that lets me pass in a
login/password and get a true/false on the authentication and, if true,
lets me obtain the roles for that account.

I *think* I should be able to do this using Forms authentication but I
cannot see how to supply the login/password (other than my own) to get
things started.

Pointers? Tips?

Thanks
-david-

 

[Joe Kaplan \(MVP - ADSI\)]

You generally never want to use forms auth with a web service, as forms auth
is intended for end user/browser interaction, not for programmatic access.

There are generally two ways to do this:
- Transport level security (using the authentication features built into
IIS)
- Message level security (using a framework like WSE3 or something)

Transport level security is generally easy to implement and is well
supported by most clients (usually with no significant changes), so that's
your path of least resistance. If your server is joined to the AD domain,
IIS can already use transport security (Basic, Digest or IWA). You just
turn it on. If you use Basic auth, you really have to use SSL as well,
although you should probably consider doing that anyway. Which one you use
will depend a little bit on your clients and other factors.

If you want to do message level security, you probably just want to start
looking into WSE3 (unless you can work with a beta of WCF).

Joe K.