calling a web service protected by RSA SecurID

ajfish

Hi,

my client has an extranet IIS web server protected by RSA SecurID.
it's running my asp.net 1.1 application. when they use the web app
from a browser they have to log in to RSA, then they see the login
screen for our application (forms authentication) and everything is
fine.

however, when they use our winforms client application to access a web
service (which is part of the same web app), it doesn't work. we are
handling HTTP 401 responses correctly in the windows client but I
guess SecurID is not using this mechanism.

anyone know how I can get a .Net 1.1 winforms application to connect
to a web service that is protected by SecurID?

TIA for any thoughts.

Andy
 
Joe Kaplan

You can't really do this in a standards-based way. The forms auth done by
SecurID doesn't use any of the standard HTTP transport level security
protocols like Basic, Digest or Integrated auth and doesn't correspond with
the WS-Security specification for doing message level security.

My overall assessment is that the authentication mechanism in use on the
website is inappropriate for use with programmatic agents like web services.
You should consider changing that. However, if it is not an option, you'll
likely need to implement a proprietary mechanism to handle the SecurID auth
and then add the required cookie programmatically to your web service proxy
class. I've seen that done before, although I can't tell you exactly how
you'll go about doing that in this case as each forms auth mechanism is a
little different. You'll need to reverse engineer the form post and figure
out how to collect the required cookie from the server's response.

Good luck!

Joe K.
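
The cookie handoff described in the reply above, sketched in C# as an added example (not code from the thread, and not an RSA API): post the login form once, keep the cookies the server sets, and give the same cookie container to the web service proxy. The login URL and form field names are placeholders that have to be read from the actual login page; `FormsLoginHelper` is a hypothetical helper name.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Web;
using System.Web.Services.Protocols;

public class FormsLoginHelper
{
    // Posts the login form and returns the cookies the server set.
    // loginUrl, userField and passcodeField are placeholders: take the
    // real values from the HTML form of the deployment in question.
    public static CookieContainer Login(string loginUrl,
        string userField, string user,
        string passcodeField, string passcode)
    {
        // The passcode is a credential; never send it over plain HTTP.
        if (!loginUrl.StartsWith("https://"))
            throw new ArgumentException("Login URL must use HTTPS.");

        CookieContainer jar = new CookieContainer();
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(loginUrl);
        req.Method = "POST";
        req.ContentType = "application/x-www-form-urlencoded";
        req.CookieContainer = jar;       // Set-Cookie headers land here
        req.AllowAutoRedirect = false;   // inspect the login response itself

        string body = HttpUtility.UrlEncode(userField) + "=" +
                      HttpUtility.UrlEncode(user) + "&" +
                      HttpUtility.UrlEncode(passcodeField) + "=" +
                      HttpUtility.UrlEncode(passcode);
        byte[] data = Encoding.UTF8.GetBytes(body);
        req.ContentLength = data.Length;
        Stream s = req.GetRequestStream();
        s.Write(data, 0, data.Length);
        s.Close();

        HttpWebResponse resp = (HttpWebResponse)req.GetResponse();
        resp.Close();
        if (jar.GetCookies(new Uri(loginUrl)).Count == 0)
            throw new WebException("Login set no cookie; check field names and passcode.");
        return jar;
    }

    // Works with any generated proxy; they derive from HttpWebClientProtocol.
    public static void Attach(HttpWebClientProtocol proxy, CookieContainer jar)
    {
        proxy.CookieContainer = jar;     // later SOAP calls carry the session cookie
    }
}
```

Because a SecurID passcode is one-time, the client has to prompt the user for it rather than store it, and it should repeat the login when a call comes back as the login page instead of a SOAP response.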
 
Nick Owen - GardenToDo.com

You can't really do this in a standards-based way. The forms auth done by
SecurID doesn't use any of the standard HTTP transport level security
protocols like Basic, Digest or Integrated auth and doesn't correspond with
the WS-Security specification for doing message level security.

My overall assessment is that the authentication mechanism in use on the
website is inappropriate for use with programmatic agents like web services.
You should consider changing that. However, if it is not an option, you'll
likely need to implement a proprietary mechanism to handle the SecurID auth
and then add the required cookie programmatically to your web service proxy
class. I've seen that done before, although I can't tell you exactly how
you'll go about doing that in this case as each forms auth mechanism is a
little different. You'll need to reverse engineer the form post and figure
out how to collect the required cookie from the server's response.

Good luck!

Joe K.

Just a thought: Can you get the web service to use Radius? It should
be simple to get IIS to use radius as well.

HTH,

Nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
 
ajfish

Thanks joe (and nick) for the replies

unfortunately I work for an ISV and this issue is being reported by a
customer, so we don't have any control over their security
infrastructure.

it looks like RSA do have some APIs but these are available only to
direct customers or if we spend $10k on an API support contract.

so at least we have a couple of possible ways forward. even if neither
of them are ideal

Andy
 
