simulating asp.net impersonation


TS

I have a win app that accesses web services for information. I want to lock down
the web services. I want to add users or groups to the authorization tag to restrict
access to only a few users. The only way I know to do this is to:

add each person separately - this means I have to maintain this section when someone changes jobs
add a group of persons needing access - this means I have to create a new group in AD to house these specific individuals
impersonate any user who uses the Windows application as a single user and add this user to the authorization tag - have to write code to do this?

These are the only three options I know of. If there are others, let me
know.
Which one do you recommend?

I don't have access to AD, so it would be in my power to do the
impersonation thing I was talking about.

thanks
 
Hi TS,

Welcome to MSDN newsgroup.
From your description, you have a winform app which consumes an ASP.NET
webservice. Also you'd like to protect the service from being used by
unauthenticated users. So you're currently wondering about the best means to let
the client winform app attach the proper user's credential, yes?

Based on my experience, the <authorization> schema element in asp.net's
configuration is mainly used by asp.net web applications rather than asp.net
webservices (though this is also OK and can be used to protect access to the
asmx). And this will depend on the client credential passed from
IIS, which does the authentication (basic or integrated
windows (NTLM/kerberos...); webservice doesn't support interactive
authentication like Forms authentication). OK, then as for how to provide
such a credential at the client side:

if you're using the .net generated webservice client proxy class (through
VS.NET's add webreference or the wsdl.exe tool), we can provide our credential
through the proxy class's Credentials property and specify the
authentication schema (BASIC, NTLM ...). For example:

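============
// Proxy class generated by "Add Web Reference" / wsdl.exe
MyService.MyService ms = new AuthClient.MyService.MyService();

// Credential the service will authorize (user name, password, domain)
System.Net.NetworkCredential nc =
    new System.Net.NetworkCredential("username", "password", "domainname");

// Bind the credential to the service URL and the NTLM scheme
System.Net.CredentialCache cc = new System.Net.CredentialCache();
cc.Add(new Uri(ms.Url), "NTLM", nc);

// Attach the cache to the proxy, then call the web method
ms.Credentials = cc;

ms.Execute("dfdsfds");

============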

In addition, we can also use the SoapHeader in the webservice's SOAP
message to contain our custom authentication info. This is a good approach
if we don't want to rely on IIS's authentication support. However,
since the SOAP message is plain XML text, we need to encrypt the credential
info (soapHeader) if we use this means.

Here is the MSDN reference which has mentioned all the general
authentication means for asp.net webservice, I think it'll be helpful to
you:

#Securing XML Web Services Created Using ASP.NET
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconsecuringaspnetwebservices.asp?frame=true


Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
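
The three options from the question, written as an `<authorization>` section scoped to the .asmx file. This is an added example and is not part of either post; the file name MyService.asmx, the domain CONTOSO, and the user, group and service-account names are placeholders, and it assumes IIS uses Integrated Windows authentication with anonymous access disabled.

```xml
<!-- web.config fragment (constructed example, placeholder names throughout) -->
<configuration>
  <system.web>
    <!-- Use the Windows identity that IIS authenticated -->
    <authentication mode="Windows" />
  </system.web>

  <!-- Scope the rules to the service file only -->
  <location path="MyService.asmx">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom; the first match wins. -->

        <!-- Option 1: individual accounts, edited whenever someone changes jobs -->
        <allow users="CONTOSO\alice,CONTOSO\bob" />

        <!-- Option 2: one AD group; membership is maintained in AD, not here -->
        <allow roles="CONTOSO\MyServiceUsers" />

        <!-- Option 3: a single account the client application presents for every user -->
        <allow users="CONTOSO\svc-myapp" />

        <!-- Everyone else, including anonymous callers, is refused -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Keep only the `<allow>` line for the option chosen. With option 3 every call reaches the service as the same account, so the service cannot tell individual users apart.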
 