Christer
Hi everybody!
I've been browsing several posts now discussing the problem of sending
user credentials across several servers. Although many of them
actually give an answer, I would like your response on both the issue
and furthermore other ways to secure my web services. Here we go:
We have encountered HTTP status 401: Unauthorized in an Intranet
scenario resembling this setup:
Browser (machine1) -> asp.net Web application (machine1) -> asp.net
web services application (machine3).
machine2 asp.net application has identity impersonation set to true,
and both machine2 and machine3 disallow anonymous requests and both
require windows authentication.
When using the web application locally on machine2, user credentials
are transferred to machine3 and everything works properly. But when
using the setup described above, the credentials are not transferred.
Here's a snippet of code placed on machine2.
Mynamespace.Service webservice = new Mynamespace.Service("http://urltoserver/service.asmx");
webservice.Credentials = System.Net.CredentialCache.DefaultCredentials;
webservice.NyAnnonce(overskrift, beskrivelse, kategori, pris, enddate);
As you can see, I supply the default credentials.
A good explanation is given here:
<http://groups.google.com/groups?hl=da&lr=&ie=UTF-8&oe=UTF-8&selm=OUaCPn2rBHA.2520@tkmsftngp04>
(Watch out for line break)
It seems there's no way for us to ensure, via windows authentication
and delegation, that the user is who he claims to be. We could, of
course, expand the function with an input parameter, in which the user
name could be set. But this exposes the web service and gives a
possibility to insert another user name.
How do the rest of you, who are making Intranet web services that
need the correct usernames etc., go about securing these services???
What system design do you use?
Kind regards
Christer
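
The concern raised at the end of the post, a user name passed as a plain parameter that any caller can set, shown beside a checked form; this is an added example, not part of the original post. It assumes machine2 calls machine3 under a fixed service account rather than the browser user's token; `AnnonceService`, `onBehalfOf`, `ResolveOwner` and the account name are hypothetical, and the method signature is shortened.

```csharp
using System;
using System.Security;
using System.Web.Services;

// Added illustration for the web service on machine3. AnnonceService,
// onBehalfOf and the account name are assumptions, not names from the post.
public class AnnonceService : WebService
{
    // Assumption: machine2's web application calls machine3 under this
    // fixed domain account instead of the browser user's token.
    private const string TrustedFrontEnd = @"EXAMPLE\svc-webapp";

    // Spoofable form: any authenticated caller can claim any user name.
    [WebMethod]
    public string NyAnnonceUnchecked(string userName, string overskrift)
    {
        return "created for " + userName;
    }

    // Checked form: the claimed name is honoured only when the Windows
    // identity authenticated by IIS is the trusted front end.
    [WebMethod]
    public string NyAnnonce(string onBehalfOf, string overskrift)
    {
        string owner = ResolveOwner(User.Identity.IsAuthenticated,
                                    User.Identity.Name, onBehalfOf);
        return "created for " + owner;
    }

    public static string ResolveOwner(bool authenticated, string caller,
                                      string onBehalfOf)
    {
        if (!authenticated || string.IsNullOrEmpty(caller))
            throw new SecurityException("Caller is not authenticated.");
        // Direct call with no claimed name: act as the caller.
        if (string.IsNullOrEmpty(onBehalfOf))
            return caller;
        bool isFrontEnd = string.Equals(caller, TrustedFrontEnd,
                                        StringComparison.OrdinalIgnoreCase);
        bool isSelf = string.Equals(caller, onBehalfOf,
                                    StringComparison.OrdinalIgnoreCase);
        if (isFrontEnd || isSelf)
            return onBehalfOf;
        throw new SecurityException(
            caller + " may not act on behalf of " + onBehalfOf);
    }
}
```

With anonymous access disabled on machine3, `User.Identity.Name` is the account IIS authenticated, so the claimed name is accepted only from the front end's account or from the user named in it.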