Web Service Security

[Bob]

Hi,
I have read the other posts here on this subject but I am still unsure of
the best way to approach my situation.
I am new to web security and web programming in general.
I have a web service and a thick client and a Standalone Root certificate
server.
The thick client will be installed on our client's machine and access the
web service (https) over the internet.
The scenario I want is to turn up at the clients site, install the thick
client. and install a certificate generated by the Certificate server.
I want to end up where the web service will not accept access unless the
client certificate is supplied.
i.e. Won't supply WSDL, nothing, immediate 403 access forbidden

I think I am fairly well along the path but I have a problem.
At site level I can set directory security to 'require client certificate'
but if I set the asmx file level security to 'require client certificate' I
get 403 access forbidden. Maybe I don't know how to push the certificate
with the original request?
If I relax the asmx to 'accept client certificate' I get access but so does
any test pc with out a certificate.
Is my scenario realistic?
Why doesn't just setting the site directory security to 'client
certificate required' do the job?

Thanks
Bob

 

[Joe Kaplan]

It is realistic to do this. However, you need to make sure you are
installing the client certificate properly. You can't just install a
certificate, you must install the certificate with a private key (usually
packaged as a pfx or p12 file in Windows). Have you done this?

It is probably easier to test this using a browser and navigating to the
asmx resource (use the ?wsdl to pull up the wsdl).

You also should be able to apply the "requires client cert" setting at the
directory level and have that apply to all resources in the directory. It
should not be necessary to apply it to individual resources.

Joe K.

 

[Bob]

Hi Joe,
Thank you for your reply.
I am running IIS on my Win2k Server development machine.
This machine is also the Standalone Root C.A.
The asmx file security is now set to 'ignore client certificates.'

The directory security is set to Requires client certificate
Viewing the certificate using the View Certificate button under directory
security shows "you have a private key for this certificate"
A browser on this machine is able to see the WSDL doc.

On the same LAN is a XP machine.
A browser on that machine gets a security alert that the "Security
certificate was issued by a company that you have not chosen to trust..." Do
you wish to proceed?
At which point you can click yes and display the WDSL doc.

It is this behaviour that I want to stop. Seeing I haven't installed a
client certificate on this machine I don't want it to see the WDSL doc.
I would expect "access forbidden" to occur.

It seems that I must be doing something wrong in the IIS configuration but I
can't see what.
Thanks
Bob

 

[Bob]

Hi Joe,
Just realised my terminology is wrong. When I say the WSDL doc is displayed
I am meaning that the ASMX file is accessed and it is displaying its list of
methods.
regards
Bob