Client Certificate and Code Access Security

Discussion in 'ASP .Net Web Services' started by Jürgen Laude, Jan 13, 2005.

  1. Hi,

    I am implementing a IIS deployed client (Windows Forms) that accesses a web
    service on the same server. I want to use client certificates for
    authentication.
    My problem is, when I call the web service with CAS "Internet" permissions,
    I'm receiving a SecurityException in a thread that seems to create the
    connection. The user selects the certificate with a OpenFileDialog configured
    for working with "Internet" permissions. I can verify the loading of the
    certificate and assigning it to the web service proxy works without problems.
    Running the same with "Full Trust" works perfect, but my customers require
    "Internet" permissions only.
    What do I need to do to work arround that? If not, why is using a client
    certificate that the user manually selects a security risk (it is no problem
    for Internet Explorer to do that)?

    Thank you in advance,

    Jürgen
     
    Jürgen Laude, Jan 13, 2005
    #1
    1. Advertisements

  2. Hello Jürgen,
    Basically yr having a client application that your trying to run as a
    downloaded interenet application. Such applications are security sandboxed
    as "internet" applications. Which have restricted permissions as far as loading
    things from the hard disk etc. Assuming yr using ssl a client cert cannot
    get access to your certificate in your local stores. Giving just appropriate
    permissions should solve this problem

    HTH
    Regards,
    Dilip Krishnan
    MCAD, MCSD.net
    dkrishnan at geniant dot com
    http://www.geniant.com
     
    Dilip Krishnan, Jan 13, 2005
    #2
    1. Advertisements

  3. Hello Dilip,

    Changing permissions on the client side is not an option for my customers.
    Why am I able to use client side certificates in the internet zone with my
    default internet explorer settings for web pages, but not from a .NET
    application for web services? Browsing the asmx page works with the client
    certificate, because IE is pulling it from the store. I understand that a
    ..NET app should not be allowed to access a users certificate store without
    his knowledge, but the client is receiving the certificate from a user
    selected file, so it is users intention to provide it to the application for
    his authentication.

    Thanks,
    Jürgen
     
    Jürgen Laude, Jan 13, 2005
    #3
  4. Hello Jürgen,

    Yes IE can access it because its a program running on yr local machine
    (read trusted). But since yr .net client is running under "Internet" permissions,
    it doesnt have permissions to do the same function as IE. Think of it as
    a java applet (read "Internet" permissioned app) running on yr browser, it
    will not have access to delete a file on your hard drive would it?

    HTH
    Regards,
    Dilip Krishnan
    MCAD, MCSD.net
    dkrishnan at geniant dot com
    http://www.geniant.com
     
    Dilip Krishnan, Jan 13, 2005
    #4
  5. Hello Dilip,

    I can open any file for read access under "Internet" permissions if I use
    the OpenFileDialog and ask the user to select one for me. This way I would be
    able to read and use whatever the user allows me to. Why is that less
    dangerous then using a client certificate from a file (exported from the
    local certificate store)?
    Reading the documentation about the WebService.htc I am supposed to be able
    to use client certificates if I call the web service from DHTML without
    changing settings on my IE.
    Is there a way to share the already established SSL connection from IE with
    my .NET client?

    Thanks,
    Jürgen
     
    Jürgen Laude, Jan 14, 2005
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.