web service security w/ mixed mode auth - seeking advice

[MR]

Hello,

I'm using the .NET 2.0 platform to created a distributed application
with a Winforms client application connecting to a web service layer. I
would like the client to be able to pass username/password auth
credentials to the web service, which could then be validated against a
local database OR, optionally, against Windows Active Directory. A flag
within the user database would determine whether a particular user is
authed against the DB or AD.

It seems trivial to implement either forms authentication or Windows
authentication, but not so trivial when you want to allow either to
work. It seems to me that the only solution is to accept the
username/password credentials from the user, encrypt them on the
client, send them to the web service layer, decrypt, then apply them.

The challenge then becomes one of managing the encryption on the
client/server, and where to store the common encryption key
information. Dropping this data into a common assembly seems dangerous,
and I'm struggling to find a better solution.

Am I overlooking a better overall approach?

- MR

 

[Dominick Baier [DevelopMentor]]

Hello MR,

have a look at WSE3 - Microsoft's implemenation of WS-Security - or use SSL.

 

[MR]

Hi Dominick,

I took a brief look at WSE3, but it wasn't clear to me how it would
allow for the type of configuration I described above. Since the
product is so new, the documentation still seems to be lacking a bit,
but I'll have a closer look.

I think using transport layer security (SSL) makes a good deal of sense
- then I wouldn't need to worry about encrypting the auth credentials
when communicating with the web service.

So far I've been using the built-in "mini web server" that ships with
VS2005 / ASP.NET 2.0 to develop my web service. I assume I'll have to
switch to IIS in order to enable SSL,. eh?

Thanks for your time and consideration.

- MR