Recommended way to pass identity to web service

TS

Hello, I am wondering what is the best approach here.

I have a web application that will authenticate when making web service
calls. I want a service account to be used by the application to access
Excel Svcs. In my application, the user will be authenticated using a custom
HTTPHandler that the whole company uses and isn't modifiable, so the
application isn't doing any impersonation.

The service account will be used to access the web service. In the
application the user will be authenticated as domain\Joe. I don't want
domain\joe to be a member of the service account group (if the service
account is a group account, which I don't want to have either). I will be
setting domain\joe up in SharePoint with read-only access or no access at
all; this will allow the service account to have higher privileges than
domain\joe or allow domain\joe to not have any privileges in SharePoint.

What is the best way to handle this authentication? Should the service
account credentials be retrieved from a config file and an IPrincipal
object built from it?

Note that I can use IIS for authentication as it is a Windows-to-Windows
communication.

thanks!!!
 
Steven Cheng[MSFT]

Hi TS,

From your description, I understand that you have an ASP.NET web
application that authenticates the client users, and it will also call
another web service (Excel Services in the SharePoint server). Currently, you're
wondering about the proper way to let the ASP.NET web application always use a fixed
service account to access the Excel web service regardless of the ASP.NET
web application's client authenticated user, correct?

As for this scenario, I also agree that it's better to use a fixed service
account for accessing the SharePoint Excel service because that can help
keep SharePoint's authentication setting simple and consistent rather
than coupled with our front application's client users/accounts. For your
ASP.NET web application, I think you can consider the following means when
using a fixed account to access the Excel web service:

1. Since your ASP.NET application (hosted in IIS) is running under a
service account (for IIS6, the default one is "Network Service", which
represents the machine account in the domain), you can also manually configure it
to a custom domain account. Thus, any web service (proxy) call will also use
this credential by default, and you can simply configure this account to
have the permission in the SharePoint service.

http://msdn2.microsoft.com/en-us/library/ms998297.aspx


2. You can also manually create a "NetworkCredential" instance (via a clear
text username/password pair) and attach it to your web service proxy before
calling web methods. Thus, you can dynamically supply a certain account at
runtime via code; the drawback is that you need to keep the clear text
username/password somewhere (e.g. in the web.config file).

http://msdn2.microsoft.com/en-us/library/bfazk0tb.aspx

What do you think?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.
 
TS

Yes, you are correct. The solutions you suggest are two ways I can use.

In my scenario I will have a service agent that will be used by many
different client applications to access Excel Services. Each application
will have its own permission sets, and clientA wouldn't want clientB to be
able to view their spreadsheets. If I use a single service account, I guess
I would have to handle the authentication/authorization in the service
agent.

1. How would I approach this?

I could instead have a separate account for each application to authenticate
with Excel Services, so each client would use its own specific
service account. I think I would still have to authenticate/authorize the
client in my service agent.

2. How do I do this?

3. Should I do 1 or 2 and why?

thanks!!!
 
Steven Cheng[MSFT]

Thanks for your reply TS,

Now I've got it that your concern is that the web service and your proxy
component will be called by multiple client applications and you want each
of them to only have the permission to view their own documents in the MOSS
(through Excel Services).

I've also discussed this with some SPS engineers and here are some of our
suggestions:

1. If you want to use the SPS security, then you can just configure the
document permissions for those Excel documents in the SPS server (just like
you configure permissions of other documents in a SharePoint document library).
And when you use the web service to access the Excel Services document, it will
also perform authorization based on the document library's permission
settings. So each of your client applications will use its own domain account
to access the document library:

#Plan Excel Services security
http://technet2.microsoft.com/Office/en-us/library/a49883a7-de84-4a66-8fa0-7c7d125f237b1033.mspx?mfr=true

#Manage permissions for a list, library, folder, document, or list item
http://office.microsoft.com/en-us/help/HA100215641033.aspx

http://www.sharepointblogs.com/ssofian/archive/2006/07/28/9532.aspx


2. If you still want to use a single fixed account for accessing the Excel
service, that account should have permission in SPS to access all those
Excel files. And for different clients, we do the access control in our
web service proxy wrapper class. You can create a wrapper component class
which calls the Excel service proxy internally, and before calling an Excel
service web method, the wrapper class can do security validation (our own
code logic) according to the client application (caller)'s identity and which
document they want to access.

What do you think?


Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

 
TS

For #2, if I did that I would want to make sure there was no logic
hard-coded. Can you tell me the basic steps that you would take to
authenticate/authorize the client?

thanks
 
Steven Cheng[MSFT]

Hi TS,

For #2, doing the authorization in your web service proxy component wrapper
code, I think an intuitive approach is to use a database table or an XML
configuration file to record the authorization rules (such as which user can
access what set of server reports). Thus, we can perform the Excel report
access checking in your proxy wrapper code (through the passed web
method parameters and the client user account). What do you think?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

 
TS

Thanks, I would probably be doing an XML file.

In the scenario, the proxy wrapper is an assembly that is referenced in the
client application, so I don't think I can store it in the app.config of the
proxy wrapper assembly since it would live in the client application and be
controlled by the client application. I would think it would need to live
somewhere else. If so, any recommendation where?
 
Steven Cheng[MSFT]

Thanks for your reply TS,

Yes, the location of the XML file is indeed a question if you want to separate it
from the client application (that's why I also recommend a database approach,
since that can make the storage central). Do you think it is possible to use a
file share? Or, if the configuration setting is read-only, you can also
expose it through an HTTP web-based URL (it needs to be secured through
authentication/authorization) and the client application (wrapper class) can
request it (load into memory for caching) at initialization time. What do you
think?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

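The wrapper Steven sketches across his replies (a fixed service account attached to the proxy as a NetworkCredential, per-caller access checks in the wrapper class, and an authorization rules file hosted outside the client application) as one added C# example; this is not code from the thread or from Microsoft. It assumes a proxy class named ExcelService generated from _vti_bin/ExcelService.asmx with an OpenWorkbook web method; the appSettings key names and the XML rules layout are invented for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Net;
using System.Security.Principal;
using System.Xml;
// Wrapper around the generated Excel Services proxy. Assumes a web reference to
// _vti_bin/ExcelService.asmx produced a class named ExcelService exposing OpenWorkbook().
public sealed class ExcelServiceGateway
{
    private readonly ExcelService _proxy = new ExcelService();
    // caller identity -> workbook paths that caller may open; anything unlisted is denied
    private readonly Dictionary<string, HashSet<string>> _rules =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
    public ExcelServiceGateway()
    {
        // One fixed service account for every caller (option 2 in the thread). Key names are
        // assumed; encrypt the section (aspnet_regiis -pe appSettings) instead of clear text.
        _proxy.Url = ConfigurationManager.AppSettings["ExcelService.Url"];
        _proxy.Credentials = new NetworkCredential(
            ConfigurationManager.AppSettings["ExcelService.User"],
            ConfigurationManager.AppSettings["ExcelService.Password"],
            ConfigurationManager.AppSettings["ExcelService.Domain"]);
        // Rules file kept outside the client app (UNC share or authenticated HTTP URL),
        // loaded once at initialization and cached. Assumed layout:
        // <rules><client id="DOMAIN\AppA"><workbook path="http://moss/docs/a.xlsx"/></client></rules>
        XmlDocument doc = new XmlDocument();
        doc.Load(ConfigurationManager.AppSettings["ExcelService.RulesUri"]);
        foreach (XmlNode client in doc.SelectNodes("/rules/client"))
        {
            HashSet<string> paths = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            foreach (XmlNode wb in client.SelectNodes("workbook"))
                paths.Add(wb.Attributes["path"].Value);
            _rules[client.Attributes["id"].Value] = paths;
        }
    }
    // Identity comes from the caller's authenticated principal, not from a string parameter.
    // This runs inside the client process, so SharePoint item permissions stay the hard boundary.
    public string OpenWorkbook(IPrincipal caller, string workbookPath)
    {
        HashSet<string> allowed;
        if (caller == null || !caller.Identity.IsAuthenticated
            || !_rules.TryGetValue(caller.Identity.Name, out allowed)
            || !allowed.Contains(workbookPath))
            throw new UnauthorizedAccessException("Caller is not authorized for " + workbookPath);
        Status[] status;
        return _proxy.OpenWorkbook(workbookPath, "en-US", "en-US", out status); // session id
    }
}
```

The deny-by-default lookup means a client whose identity is missing from the rules file gets no access at all, which is the behaviour to verify first when the file is served from a share or URL.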