Simple authentication and authorization between applications?

Discussion in 'ASP .Net Web Services' started by Jakob Lithner, Apr 9, 2008.

  1. I will develop a new .Net 3.5 application that will have a webservice
    interface that will be called by a couple of external systems developed in
    .Net 2.0 or later.

    The applications are all on our intranet and security has so far not been a
    priority. Previously we have used direct calls to SQL stored procedures with
    SQL login.

    The initial idea was to send application name and password on each method
    call and verify against SQL datatable. But I do realize this is neither
    elegant nor very secure.

    Can you give me some suggestions on mechanisms that will provide slightly
    better security? What are the general alternatives here? The number of
    external systems calling is 3-5 and will be relatively static.
    Jakob Lithner, Apr 9, 2008
    #1

  2. Hi jaklithn,

    Based on your description, you want to expose an ASP.NET webservice which
    will be called by 3-5 clients in the same local intranet. Also, since the
    webservice will connect to SQL Server to execute queries (which requires
    authentication), you're looking for an efficient means to authenticate
    those webservice clients, correct?

    If so, for the webservice server-side (which connects to the backend
    database), I think you can always use a fixed domain account to run it so
    that it has sufficient permission in SQL Server.

    For client-side, you can consider either of the following authentication
    approaches:

    1. Use the built-in authentication support of WebRequest (the .NET
    webservice client proxy is actually using the WebRequest component), which
    has a "Credentials" property that allows setting client credential info. When
    the client-side calls the webservice, it can supply the credentials when
    creating the proxy:

    #Implementing NTLM Authentication for Your ASP.NET Web Services
    http://www.dotnetjunkies.com/Article/6B31D299-347C-4B85-82C5-954546165C80.dcik

    In your web service application you can configure windows authentication
    and only allow certain fixed accounts to access the webservice.

    2. Or you can use SoapHeader to add your own authentication properties
    (such as username/password) that will be passed through SOAP headers.
    SoapHeaders can be set on the proxy at initialization time rather than in
    each webmethod call. Here is a CodeProject article introducing this:

    #Authentication for Web Services (using SOAP headers)
    http://www.codeproject.com/KB/cpp/authforwebservices.aspx

    Some other information about ASP.NET webservice authentication over http:

    #HTTP Security and ASP.NET Web Services
    http://msdn2.microsoft.com/en-us/library/ms996415.aspx

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.
    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.


    Steven Cheng [MSFT], Apr 9, 2008
    #2
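    Steven's second option (a custom SoapHeader checked on the server) written out as an added example. This is not the CodeProject article's code and nothing in this thread posted it; the service, header and method names and the sample credential entry are invented for the illustration, and the in-memory dictionaries stand in for the SQL table mentioned in the question. The store keeps a salt and a PBKDF2 hash per calling application rather than the password itself, the server does the null check the runtime no longer does for it, and the [SoapHeader] attribute on the web method is what makes the header part of the method's contract in the WSDL.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;

// Custom SOAP header carrying the calling application's credentials.
public class AuthHeader : SoapHeader
{
    public string AppName;
    public string Password;
}

// Hypothetical credential store standing in for the SQL table from the question.
// Holds one salt and one PBKDF2 hash per calling application, never the password.
public static class AppCredentialStore
{
    private const int Iterations = 10000;
    private static readonly Dictionary<string, byte[]> Salts = new Dictionary<string, byte[]>();
    private static readonly Dictionary<string, byte[]> Hashes = new Dictionary<string, byte[]>();

    static AppCredentialStore()
    {
        // Constructed sample entry; a real deployment loads these from the database.
        Register("inventory-app", "example-secret-for-inventory");
    }

    public static void Register(string appName, string password)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        lock (Salts)
        {
            Salts[appName] = salt;
            Hashes[appName] = Derive(password, salt);
        }
    }

    public static bool Verify(string appName, string password)
    {
        byte[] salt = null, expected = null;
        lock (Salts)
        {
            if (appName == null || password == null ||
                !Salts.TryGetValue(appName, out salt) || !Hashes.TryGetValue(appName, out expected))
                return false;
        }
        return FixedTimeEquals(expected, Derive(password, salt));
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(32);
    }

    // Compare every byte so a mismatch does not return early.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

[WebService(Namespace = "http://example.invalid/intranet/orders/")]
public class OrdersService : WebService
{
    // Public member the SoapHeader attribute binds the incoming header to.
    public AuthHeader Authentication;

    // The attribute puts the header into the WSDL; without it the generated client
    // proxy has no AuthHeaderValue property and never sends the header at all.
    [WebMethod]
    [SoapHeader("Authentication", Direction = SoapHeaderDirection.In)]
    public string GetOrderStatus(int orderId)
    {
        // In .NET 2.0 and later a missing header arrives as null; the check is ours to make.
        if (Authentication == null ||
            !AppCredentialStore.Verify(Authentication.AppName, Authentication.Password))
        {
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
        }
        return "Order " + orderId + " status requested by " + Authentication.AppName;
    }
}

// Client side, with the proxy class "Add Web Reference" generates (name assumed):
//   OrdersService proxy = new OrdersService();
//   AuthHeader header = new AuthHeader();
//   header.AppName = "inventory-app";
//   header.Password = "example-secret-for-inventory";
//   proxy.AuthHeaderValue = header;   // set once; reused by every call on this proxy
//   string status = proxy.GetOrderStatus(42);
```

    Setting AuthHeaderValue once on the proxy instance is enough for every call made through it. The header itself still travels in clear text over plain HTTP, which is the weakness raised later in this thread; on an intranet the practical fix is to serve the .asmx over HTTPS so the whole SOAP envelope, header included, is encrypted in transit.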

  3. Thanks for your answer.
    I have read your links and tried a couple of solutions, but I am not really
    satisfied with any of them.

    NTLM Authentication is not an option as we have no NT identities to use.

    Certificates are overkill for my scenario.

    I don't really see the point of using SoapHeaders instead of basic
    authentication. The password is still sent readable.

    I tried SoapHeaders with encrypted values for User and Password, but I guess
    it is no real increase in security. If the values are sniffed they can just
    as easily be copied in their encrypted form. Attacking users will not know
    the values but they can still be used to login.

    To increase security I would need a temporary key to scramble them with,
    like current date/time, IP number, MachineName etc.
    Date is a bit insecure as I can never ensure the client is time synchronized
    with the server, and to my great surprise I also found out that client IP number
    and MachineName are not detectable from the server like on other ASP.Net web
    calls. This is coming in a future version.

    My conclusion is the same as every time I look into security: It is really
    not worth the trouble, so I stick to simple passwords sent in plain text. I
    know it is very pessimistic and will probably cause indignation from all
    serious experts, but if there are no good alternatives with reasonable
    effort, explained in good examples, this will still be my way.

    I believe there are good techniques to increase security. I think the
    problem is mainly pedagogical.
    Jakob Lithner, Apr 14, 2008
    #3
  4. Thanks for your reply jaklithn,

    Yes, NTLM will require a Windows local network environment. And
    SoapHeaders are sent as plain text; the only difference from basic
    authentication is that SOAP header based authentication can be customized
    on the server-side, letting you choose a different account database (from
    your own database), while basic authentication is done at IIS, which will use
    Windows accounts to authenticate the credentials.

    For security, yes, simply encrypting the credentials is not enough. When
    security is important for your webservice, you need a more sophisticated
    secure approach. For example, use the .NET WSE (which implements the latest
    WS-* security specs) to equip your webservice. It provides message layer
    security support that can ensure integrity and confidentiality of your
    webservice SOAP messages.

    If you are interested in having a look: currently, for .NET 2.0, the
    corresponding WSE is version 3.0:

    #Security Features in WSE 3.0
    http://msdn2.microsoft.com/en-us/magazine/cc300773.aspx

    #What's New in Web Services Enhancements (WSE) 3.0
    http://msdn2.microsoft.com/en-us/library/ms977317.aspx

    Such a security package is quite useful since implementing this ourselves
    would cost a huge amount of work and time.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Steven Cheng [MSFT], Apr 15, 2008
    #4
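    Jakob's objection in #3 (a sniffed credential can be replayed whether or not it was encrypted) and his idea of scrambling it with a temporary value such as the current time can be shown concretely with a signed header. The following is an added example, not code from this thread, from the CodeProject article or from WSE; the SignedAuthHeader class, the HeaderSigning and HeaderVerifier helpers and the in-memory key table (standing in for the SQL table) are all invented for the illustration. No password crosses the wire: the client sends an application name, a UTC timestamp and a random nonce, plus an HMAC-SHA256 over the three computed with a per-application shared key. The server accepts a timestamp within a tolerance window, which is how it copes with the unsynchronized clocks Jakob worries about, and remembers nonces for long enough that a captured header cannot be submitted twice.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Web.Services.Protocols;

// No password on the wire: each request carries a UTC timestamp, a one-time nonce
// and an HMAC over both, keyed with a secret only the two applications hold.
public class SignedAuthHeader : SoapHeader
{
    public string AppName;
    public string Timestamp;  // "yyyy-MM-ddTHH:mm:ssZ", always UTC
    public string Nonce;      // random, used once
    public string Signature;  // Base64(HMAC-SHA256(key, AppName \n Timestamp \n Nonce))
}

public static class HeaderSigning
{
    public const string TimestampFormat = "yyyy-MM-dd'T'HH:mm:ss'Z'";

    public static byte[] Mac(byte[] key, string appName, string timestamp, string nonce)
    {
        byte[] canonical = Encoding.UTF8.GetBytes(appName + "\n" + timestamp + "\n" + nonce);
        using (HMACSHA256 hmac = new HMACSHA256(key)) { return hmac.ComputeHash(canonical); }
    }

    // Client side: a fresh header for every call, assigned to the proxy's
    // SignedAuthHeaderValue property before invoking the web method.
    public static SignedAuthHeader Build(string appName, byte[] key, DateTime utcNow)
    {
        byte[] nonceBytes = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(nonceBytes);
        SignedAuthHeader h = new SignedAuthHeader();
        h.AppName = appName;
        h.Timestamp = utcNow.ToString(TimestampFormat, CultureInfo.InvariantCulture);
        h.Nonce = Convert.ToBase64String(nonceBytes);
        h.Signature = Convert.ToBase64String(Mac(key, h.AppName, h.Timestamp, h.Nonce));
        return h;
    }
}

// Server side: per-application keys, a clock-drift window and a nonce cache.
// The web method calls Verify(Authentication, DateTime.UtcNow, out why) and
// throws a SoapException when it returns false.
public static class HeaderVerifier
{
    // Tolerated client/server clock difference; this is what keeps the scheme
    // usable when, as Jakob notes, the clocks cannot be assumed synchronized.
    public static readonly TimeSpan Window = TimeSpan.FromMinutes(5);
    private static readonly Dictionary<string, byte[]> Keys = new Dictionary<string, byte[]>();  // stands in for the SQL table
    private static readonly Dictionary<string, DateTime> SeenNonces = new Dictionary<string, DateTime>();
    private static readonly object Gate = new object();

    public static void RegisterKey(string appName, byte[] key) { lock (Gate) { Keys[appName] = key; } }

    public static bool Verify(SignedAuthHeader h, DateTime serverUtcNow, out string reason)
    {
        if (h == null || h.AppName == null || h.Timestamp == null || h.Nonce == null || h.Signature == null)
        { reason = "missing header field"; return false; }

        DateTime ts;
        if (!DateTime.TryParseExact(h.Timestamp, HeaderSigning.TimestampFormat, CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out ts))
        { reason = "malformed timestamp"; return false; }
        TimeSpan drift = serverUtcNow - ts;
        if (drift > Window || drift < -Window) { reason = "timestamp outside window"; return false; }

        byte[] key = null;
        lock (Gate) { if (!Keys.TryGetValue(h.AppName, out key)) { reason = "unknown application"; return false; } }
        byte[] given;
        try { given = Convert.FromBase64String(h.Signature); }
        catch (FormatException) { reason = "malformed signature"; return false; }
        if (!FixedTimeEquals(HeaderSigning.Mac(key, h.AppName, h.Timestamp, h.Nonce), given))
        { reason = "signature mismatch"; return false; }

        // Replay check. A nonce is kept for twice the window: a replay whose timestamp
        // is still acceptable cannot arrive later than that, so older entries can go.
        string nonceKey = h.AppName + "\n" + h.Nonce;
        lock (Gate)
        {
            List<string> expired = new List<string>();
            foreach (KeyValuePair<string, DateTime> e in SeenNonces)
                if (serverUtcNow - e.Value > Window + Window) expired.Add(e.Key);
            foreach (string k in expired) SeenNonces.Remove(k);
            if (SeenNonces.ContainsKey(nonceKey)) { reason = "replayed nonce"; return false; }
            SeenNonces[nonceKey] = serverUtcNow;
        }
        reason = null;
        return true;
    }

    // Compare every byte so a mismatch does not return early.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

    This covers what Jakob asked for: the server learns which registered application sent the request and a copied header stops working after one use or five minutes, whichever comes first. It does not cover what Steven's reply adds, namely confidentiality of the SOAP body, which only WSE/WS-Security message encryption or HTTPS provides; the nonce cache is also per process, so a web farm would need it in the shared database instead.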
  5. Thanks Steve.
    WSE 3.0 is not yet accepted technology in our company, but when it will be I
    will consider using it.
    Jakob Lithner, Apr 15, 2008
    #5
  6. Thanks for your reply jaklithn,

    No problem. If you need any further information on this, welcome to post
    here.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Steven Cheng [MSFT], Apr 16, 2008
    #6
  7. Can I ask you just one more minor question?

    I implemented the example found in the link you gave me:
    http://www.codeproject.com/KB/cpp/authforwebservices.aspx

    I set the authentication header and all works fine.
    But when I call the webservice once again the next call seems to forget the
    entered authentication header. It seems I need to reset the authentication
    property before every call. Is this really necessary? I know the webservice
    interaction is stateless, but I thought my local instantiation of the
    webservice object should keep its properties between method calls.
    Jakob Lithner, Apr 16, 2008
    #7
  8. Sorry for the previous post, it was my mistake.

    I forgot to update my local web reference after I added the Authentication
    attribute to all web methods. I thought the Authentication property value was
    always included in the call and the attribute only checked its presence. But
    it seems the attribute decides if the authentication property should be
    included in the call.

    It now works as expected :)
    Jakob Lithner, Apr 16, 2008
    #8
