Simple authentication and authorization between applications?


Jakob Lithner

I will develop a new .Net 3.5 application that will have a webservice
interface that will be called by a couple of external systems developed in
.Net 2.0 or later.

The applications are all on our intranet and security has so far not been a
priority. Previously we have used direct calls to SQL stored procedures with
SQL login.

The initial idea was to send application name and password on each method
call and verify against SQL datatable. But I do realize this is neither
elegant nor very secure.

Can you give me some suggestions on mechanisms that will provide a slightly
better security? What are the general alternatives here? The number of
external systems calling are 3-5 and will be relatively static.
 

Steven Cheng [MSFT]

Hi jaklithn,

Based on your description, you want to expose an ASP.NET webservice which
will be called by 3-5 clients in the same local intranet. Also, since the
webservice will connect to SQL Server to execute queries (which require
authentication), you're looking for an efficient means to authenticate
those webservice clients, correct?

If so, for the webservice server side (which connects to the backend
database), I think you can always use a fixed domain account to run it so
that it has sufficient permissions in SQL Server.

For client-side, you can consider either of the following authentication
approaches:

1. Use the built-in authentication support of WebRequest (the .NET
webservice client proxy actually uses the WebRequest component), which has
a "Credentials" property that allows you to set client credential info. When
the client side calls the webservice, it can supply the credentials when
creating the proxy:

#Implementing NTLM Authentication for Your ASP.NET Web Services
http://www.dotnetjunkies.com/Article/6B31D299-347C-4B85-82C5-954546165C80.dcik

In your web service application you can configure windows authentication
and only allow certain fixed accounts to access the webservice.

2. Or you can use SoapHeader to add your own authentication properties
(such as username/password) that will be passed through SOAP headers.
SoapHeaders can be set on the proxy at initialization time rather than in
each webmethod call. Here is a CodeProject article introducing this:

#Authentication for Web Services (using SOAP headers)
http://www.codeproject.com/KB/cpp/authforwebservices.aspx

Some other information about ASP.NET webservice authentication over http:

#HTTP Security and ASP.NET Web Services
http://msdn2.microsoft.com/en-us/library/ms996415.aspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



Jakob Lithner

Thanks for your answer.
I have read your links and tried a couple of solutions, but I am not really
satisfied with any of them.

NTLM Authentication is not an option as we have no NT identities to use.

Certificates are overkill for my scenario.

I don't really see the point of using SoapHeaders instead of basic
authentication. The password is still sent readable.

I tried SoapHeaders with encrypted values for User and Password, but I guess
it is no real increase in security. If the values are sniffed they can just
easily be copied in their encrypted form. Attacking users will not know the
values but they can still be used to login.

To increase security I should need a temporary key to scramble them with,
like current date/time, IP number, MachineName etc.
Date is a bit insecure as I can never ensure the client is time synchronized
with the server, and to my great surprise I also found out that the client IP
number and MachineName are not detectable from the server like on other ASP.Net
web calls. This is coming in a future version.

My conclusion is the same as every time I look into security: It is really
not worth the trouble, so I stick to simple passwords sent in plain text. I
know it is very pessimistic and will probably cause indignation from all
serious experts, but if there are no good alternatives with reasonable
effort, explained in good examples, this will still be my way.

I believe there are good techniques to increase security. I think the
problem is mainly pedagogical.
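
The replay problem described above (a sniffed header, encrypted or not, can simply be resent) is what a signed, single-use request header addresses. The following is an added example, not code from the thread or from any linked article. It assumes a per-application pre-shared secret, an HMAC-SHA256 over the application name, a UTC timestamp, a random nonce and the request body, a tolerated clock-skew window on the server (five minutes here) and a server-side cache of the nonces seen inside that window. All names, the secret and the sample body are constructed.

```csharp
// Assumed design, not from the original thread: each caller holds a pre-shared secret and
// signs (application, UTC timestamp, random nonce, body) with HMAC-SHA256; the server
// tolerates a clock-skew window and remembers nonces for that window. Names and data are constructed.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public class SignedHeader
{
    public string ApplicationName, Timestamp, Nonce, Signature;   // Timestamp "yyyy-MM-ddTHH:mm:ssZ"; Nonce and Signature base64
}

public static class RequestSigner
{
    public const string TimeFormat = "yyyy-MM-dd'T'HH:mm:ss'Z'";

    // HMAC over length-prefixed fields, so no two field combinations produce the same input.
    public static byte[] Mac(byte[] secret, string app, string ts, string nonce, string body)
    {
        StringBuilder sb = new StringBuilder();
        foreach (string part in new string[] { app, ts, nonce, body })
            sb.Append(part.Length).Append(':').Append(part).Append('\n');
        using (HMACSHA256 hmac = new HMACSHA256(secret))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(sb.ToString()));
    }

    // Client side: a fresh nonce and timestamp for every request.
    public static SignedHeader Sign(string app, byte[] secret, string body, DateTime utcNow)
    {
        byte[] nonce = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(nonce);
        SignedHeader h = new SignedHeader();
        h.ApplicationName = app;
        h.Timestamp = utcNow.ToString(TimeFormat, CultureInfo.InvariantCulture);
        h.Nonce = Convert.ToBase64String(nonce);
        h.Signature = Convert.ToBase64String(Mac(secret, app, h.Timestamp, h.Nonce, body));
        return h;
    }

    // Compare every byte so timing does not reveal where the MACs first differ.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Server side. One shared instance; the nonce cache is touched by all worker threads, hence the lock.
public class RequestVerifier
{
    readonly Dictionary<string, byte[]> secrets;
    readonly Dictionary<string, DateTime> seenNonces = new Dictionary<string, DateTime>();
    readonly TimeSpan skew;

    public RequestVerifier(Dictionary<string, byte[]> secrets, TimeSpan allowedSkew)
    {
        this.secrets = secrets;
        this.skew = allowedSkew;
    }

    // Returns "ok" or the reason for rejection. The MAC is verified before the nonce is
    // recorded, so unauthenticated traffic cannot fill the cache.
    public string Verify(SignedHeader h, string body, DateTime utcNow)
    {
        if (h == null) return "missing header";
        byte[] secret;
        if (!secrets.TryGetValue(h.ApplicationName ?? "", out secret)) return "unknown application";
        DateTime ts;
        if (!DateTime.TryParseExact(h.Timestamp, RequestSigner.TimeFormat, CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out ts)) return "bad timestamp";
        if (ts < utcNow - skew || ts > utcNow + skew) return "stale timestamp";
        byte[] given;
        try { given = Convert.FromBase64String(h.Signature ?? ""); } catch (FormatException) { return "bad signature"; }
        byte[] expected = RequestSigner.Mac(secret, h.ApplicationName ?? "", h.Timestamp, h.Nonce ?? "", body);
        if (!RequestSigner.FixedTimeEquals(expected, given)) return "bad signature";
        string key = h.ApplicationName + "|" + h.Nonce;
        lock (seenNonces)
        {
            List<string> expired = new List<string>();
            foreach (KeyValuePair<string, DateTime> e in seenNonces)
                if (e.Value < utcNow - skew) expired.Add(e.Key);   // outside the window: would be rejected as stale anyway
            foreach (string k in expired) seenNonces.Remove(k);
            if (seenNonces.ContainsKey(key)) return "replayed nonce";
            seenNonces[key] = ts;
        }
        return "ok";
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("example-secret-replace-with-32-random-bytes");
        Dictionary<string, byte[]> secrets = new Dictionary<string, byte[]>();
        secrets["BillingSystem"] = secret;
        RequestVerifier server = new RequestVerifier(secrets, TimeSpan.FromMinutes(5));
        DateTime now = DateTime.UtcNow;
        string body = "<GetOrderStatus><orderId>42</orderId></GetOrderStatus>";
        SignedHeader h = RequestSigner.Sign("BillingSystem", secret, body, now);
        Console.WriteLine("fresh request:     " + server.Verify(h, body, now));
        Console.WriteLine("same header again: " + server.Verify(h, body, now.AddSeconds(1)));   // a sniffed copy resent
        Console.WriteLine("edited body:       " + server.Verify(h, body.Replace("42", "43"), now));
        SignedHeader old = RequestSigner.Sign("BillingSystem", secret, body, now.AddMinutes(-30));
        Console.WriteLine("30 minutes old:    " + server.Verify(old, body, now));
    }
}
```

The demo exercises the four cases that matter: a fresh request, the identical header resent, the same header with an edited body, and a request signed half an hour ago. Because the nonce is inside the MAC, a sniffer cannot swap in a new nonce, and because the body is inside it, a captured header cannot be attached to a different call. The skew window is the trade-off for the clock concern raised above: client and server clocks need to agree only to within that window, and the nonce cache never grows beyond the requests seen in one window. The secret itself still needs a confidential channel or an out-of-band delivery when it is provisioned.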
 

Steven Cheng [MSFT]

Thanks for your reply jaklithn,

Yes, NTLM will require a Windows local network environment. And
SoapHeaders are sent as plain text; the only difference from basic
authentication is that SOAP header based authentication can be customized
on the server side, letting you choose a different account database (from your
own database), while basic authentication is done at IIS, which will use Windows
accounts to authenticate the credentials.

For security, yes, simply encrypting the credentials is not enough. When
security is important for your webservice, you need a more sophisticated
secure approach. For example, using the .NET WSE (which implements the latest
WS-* security specs) to equip your webservice. It provides message layer
security support that can ensure integrity and confidentiality of your
webservice SOAP messages.

If you are interested in having a look, currently, for .NET 2.0, the
corresponding WSE is version 3.0:

#Security Features in WSE 3.0
http://msdn2.microsoft.com/en-us/magazine/cc300773.aspx

#What's New in Web Services Enhancements (WSE) 3.0
http://msdn2.microsoft.com/en-us/library/ms977317.aspx

Such a security package is quite useful since implementing it ourselves will
cost a huge amount of work and time.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Jakob Lithner

Thanks Steve.
WSE 3.0 is not yet accepted technology in our company, but when it will be I
will consider using it.
 

Steven Cheng [MSFT]

Thanks for your reply jaklithn,

No problem. If you need any further information on this, welcome to post
here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Jakob Lithner

Can I ask you just one more minor question?

I implemented the example found in the link you gave me:
http://www.codeproject.com/KB/cpp/authforwebservices.aspx

I set the authentication header and all works fine.
But when I call the webservice once again, the next call seems to forget the
entered authentication header. It seems I need to reset the authentication
property before every call. Is this really necessary? I know the webservice
interaction is stateless, but I thought my local instantiation of the
webservice object should keep its properties between method calls.
 

Jakob Lithner

Sorry for the previous post, it was my mistake.

I forgot to update my local web reference after I added the Authentication
attribute to all web methods. I thought the Authentication property value was
always included in the call and the attribute only checked its presence. But
it seems the attribute decides if the authentication property should be
included in the call.

It now works as expected :)
 