calling a web service protected by RSA SecurID

A

ajfish

Hi,

my client has an extranet IIS web server protected by RSA SecurID.
it's running my asp.net 1.1 application. when they use the web app
from a browser they have to log in to RSA, then they see the login
screen for our application (forms authentication) and everything is
fine.

however, when they use our winforms client application to access a web
service (which is part of the same web app), it doesn't work. we are
handling HTTP 401 responses correctly in the windows client but I
guess SecurID is not using this mechanism.

anyone know how I can get a .Net 1.1 winforms application to connect
to a web service that is proected by SecurID

TIA for any thoughts.

Andy
 
J

Joe Kaplan

You can't really do this in a standards-based way. The forms auth done by
SecurID doesn't use any of the standard HTTP transport level security
protocols like Basic, Digest or Integrated auth and doesn't correspond with
the WS-Security specification for doing message level security.

My overally assessment is that the authentication mechanism in use on the
website is inappropriate for use with programmatic agents like web services.
You should consider changing that. However, if it is not an option, you'll
likely need to implement a proprietary mechanism to handle the SecurID auth
and then add the required cookie programmatically to your web service proxy
class. I've seen that done before, although I can't tell you exactly how
you'll go about doing that in this case as each forms auth mechanism is a
little different. You'll need to reverse engineer the form post and figure
out how to collect the required cookie from the server's response.

Good luck!

Joe K.
 
N

Nick Owen - GardenToDo.com

You can't really do this in a standards-based way. The forms auth done by
SecurID doesn't use any of the standard HTTP transport level security
protocols like Basic, Digest or Integrated auth and doesn't correspond with
the WS-Security specification for doing message level security.

My overally assessment is that the authentication mechanism in use on the
website is inappropriate for use with programmatic agents like web services.
You should consider changing that. However, if it is not an option, you'll
likely need to implement a proprietary mechanism to handle the SecurID auth
and then add the required cookie programmatically to your web service proxy
class. I've seen that done before, although I can't tell you exactly how
you'll go about doing that in this case as each forms auth mechanism is a
little different. You'll need to reverse engineer the form post and figure
out how to collect the required cookie from the server's response.

Good luck!

Joe K.

Just a thought: Can you get the web service to use Radius? It should
be simple to get IIS to use radius as well.

HTH,

Nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
 
A

ajfish

Thanks joe (and nick) for the replies

unfortunately I work for an ISV and this issue is being reported by a
customer, so we don't have any control over their security
infrastructure.

it looks like RSA do have some APIs but these are available only to
direct customers or if we spend $10k on an API support contract.

so at least we have a couple of possible ways forward. even if neither
of them are ideal

Andy
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,836
Messages
2,569,748
Members
45,545
Latest member
rapter____0

Latest Threads

Top