web service security w/ mixed mode auth - seeking advice

Discussion in 'ASP .Net Security' started by MR, Nov 28, 2005.

  1. MR

    MR Guest

    Hello,

    I'm using the .NET 2.0 platform to create a distributed application
    with a Winforms client application connecting to a web service layer. I
    would like the client to be able to pass username/password auth
    credentials to the web service, which could then be validated against a
    local database OR, optionally, against Windows Active Directory. A flag
    within the user database would determine whether a particular user is
    authed against the DB or AD.

    It seems trivial to implement either forms authentication or Windows
    authentication, but not so trivial when you want to allow either to
    work. It seems to me that the only solution is to accept the
    username/password credentials from the user, encrypt them on the
    client, send them to the web service layer, decrypt, then apply them.

    The challenge then becomes one of managing the encryption on the
    client/server, and where to store the common encryption key
    information. Dropping this data into a common assembly seems dangerous,
    and I'm struggling to find a better solution.

    Am I overlooking a better overall approach?

    - MR
     
    MR, Nov 28, 2005
    #1

  2. Hello MR,

    have a look at WSE3 - Microsoft's implementation of WS-Security - or use SSL.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hello,
    >
    > I'm using the .NET 2.0 platform to create a distributed application
    > with a Winforms client application connecting to a web service layer.
    > I would like the client to be able to pass username/password auth
    > credentials to the web service, which could then be validated against
    > a local database OR, optionally, against Windows Active Directory. A
    > flag within the user database would determine whether a particular
    > user is authed against the DB or AD.
    >
    > It seems trivial to implement either forms authentication or Windows
    > authentication, but not so trivial when you want to allow either to
    > work. It seems to me that the only solution is to accept the
    > username/password credentials from the user, encrypt them on the
    > client, send them to the web service layer, decrypt, then apply them.
    >
    > The challenge then becomes one of managing the encryption on the
    > client/server, and where to store the common encryption key
    > information. Dropping this data into a common assembly seems
    > dangerous, and I'm struggling to find a better solution.
    >
    > Am I overlooking a better overall approach?
    >
    > - MR
    >
     
    Dominick Baier [DevelopMentor], Nov 28, 2005
    #2

  3. MR

    MR Guest

    Hi Dominick,

    I took a brief look at WSE3, but it wasn't clear to me how it would
    allow for the type of configuration I described above. Since the
    product is so new, the documentation still seems to be lacking a bit,
    but I'll have a closer look.

    I think using transport layer security (SSL) makes a good deal of sense
    - then I wouldn't need to worry about encrypting the auth credentials
    when communicating with the web service.

    So far I've been using the built-in "mini web server" that ships with
    VS2005 / ASP.NET 2.0 to develop my web service. I assume I'll have to
    switch to IIS in order to enable SSL, eh?

    Thanks for your time and consideration.

    - MR
     
    MR, Nov 28, 2005
    #3
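    A worked example of the per-user DB-or-AD dispatch MR describes, built on the WSE 3.0 UsernameToken that Dominick points to and assuming the credentials travel over SSL as discussed. This is added here and is not code from the thread; the connection string, LDAP host, `Users` table columns and PBKDF2 parameters are assumptions.

```csharp
using System.Data.SqlClient;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography;
using Microsoft.Web.Services3.Security.Tokens;
// WSE 3.0 calls AuthenticateToken for every incoming UsernameToken and compares the
// string it returns with the password the client sent; returning null rejects the call.
public class MixedModeTokenManager : UsernameTokenManager
{
    const string ConnStr = "Server=.;Database=AppDb;Integrated Security=true", LdapHost = "dc01.example.local"; // assumed
    protected override string AuthenticateToken(UsernameToken token)
    {
        // Only the plain-text option can be checked against AD or a salted hash, hence SSL.
        if (token.PasswordOption != PasswordOption.SendPlainText) return null;
        bool useAd; byte[] salt, hash;
        if (!LookupUser(token.Username, out useAd, out salt, out hash)) return null;
        bool ok = useAd ? LdapBindSucceeds(token.Username, token.Password) : HashMatches(token.Password, salt, hash);
        return ok ? token.Password : null;   // WSE compares this with the sent password
    }
    // Reads the per-user flag (AuthAgainstAd) and the salted hash kept only for DB users.
    static bool LookupUser(string user, out bool useAd, out byte[] salt, out byte[] hash)
    {
        useAd = false; salt = null; hash = null;
        using (SqlConnection cn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT AuthAgainstAd, Salt, Hash FROM Users WHERE Username = @u", cn))
        {
            cmd.Parameters.AddWithValue("@u", user); cn.Open();   // parameterised query
            SqlDataReader r = cmd.ExecuteReader();
            if (!r.Read()) return false;
            useAd = r.GetBoolean(0);
            if (!useAd) { salt = (byte[])r[1]; hash = (byte[])r[2]; }
            return true;
        }
    }
    // AD users: a bind with the supplied credentials succeeds only if the password is right.
    static bool LdapBindSucceeds(string user, string password)
    {
        using (LdapConnection ldap = new LdapConnection(LdapHost))
            try { ldap.Bind(new NetworkCredential(user, password)); return true; }
            catch (DirectoryException) { return false; }
    }
    // DB users: PBKDF2 over the stored salt, compared byte-for-byte without an early exit.
    static bool HashMatches(string password, byte[] salt, byte[] expected)
    {
        byte[] actual = new Rfc2898DeriveBytes(password, salt, 10000).GetBytes(expected.Length);
        int diff = 0; for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}
```

    The class is wired in through the service's web.config `<securityTokenManager>` entry for UsernameToken, so neither side ships a shared encryption key; the transport carries the secret.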