Best way to deploy authentication on web services

From: Rob Heckart (rheckart_at_nospam.cssiinc.com)
Date: 12/27/04


Date: Mon, 27 Dec 2004 14:47:34 -0500

Hi,

I'm building a distributed app that will be accessible to both domain
authenticated and forms-based authenticated users. I'm planning to have one
web server that holds the client app with 2 virtual directories. The
internal VD will have Windows Int. Auth. turned on. The other external one
will be accessed through a port forwarding situation through the firewall
with anonymous access checked, but users will have to enter a
username/password on a webform to access functions. In some cases the user
will be an internal user that's travelling and needs to get the same
functionality that they have on the intranet. In other cases, the user will
not exist in the Active Directory schema and will instead have credentials
stored in a SQL table or something. What I'm hoping to do is to take the
forms-based info and bounce it off the Active Directory Server to see if
they're ok. If not, it'll then check a database table to see if they're ok.

The big question is: Is it possible to have one authentication scheme on the
"gatekeeper" web service that accepts either domain or forms credentials and
returns some sort of standard key/certificate/ticket/whatever it's called
that can then be stored in the user's session or cookie or something and
passed back to the web service on future calls? What's the best way to
accomplish this while maintaining best practices in an SOA situation where
there may be non-.NET resources accessing the web service? I'm also trying
to find the most secure solution so that hackers cannot steal someone else's
credentials.

I'm trying not to have to write two separate versions of both the web app
and the web service. Any help would be greatly appreciated!

Rob
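
The gatekeeper flow asked about above, as an added example that is not part of the original post: credentials are checked against the directory first and a table second, and either path returns the same signed, expiring ticket that later calls present instead of the password. The ticket format (HMAC-signed JSON), the 15-minute lifetime, `check_directory` (a stand-in for an Active Directory bind) and the `EXTERNAL_USERS` table are assumptions made for illustration, and the sample accounts are constructed.

```python
import base64, hashlib, hmac, json, os, time

SIGNING_KEY = os.urandom(32)  # assumption: secret known only to the gatekeeper service
TICKET_TTL = 900              # assumption: tickets expire after 15 minutes

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed sample data: external users stored as salted hashes, never plaintext.
_SALT = os.urandom(16)
EXTERNAL_USERS = {"partner1": (_SALT, hash_password("ext-pass", _SALT))}

def check_directory(username, password):
    """Hypothetical stand-in for an LDAP bind against Active Directory."""
    return (username, password) == ("CORP\\rob", "domain-pass")

def check_table(username, password):
    row = EXTERNAL_USERS.get(username)
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))

def _sign(body):
    mac = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac)

def login(username, password, now=None):
    """Try the directory, then the table; return a signed ticket or None."""
    issued = int(time.time() if now is None else now)
    for source, check in (("directory", check_directory), ("table", check_table)):
        if check(username, password):
            claims = {"sub": username, "src": source, "exp": issued + TICKET_TTL}
            body = base64.urlsafe_b64encode(json.dumps(claims).encode())
            return (body + b"." + _sign(body)).decode()
    return None

def verify(ticket, now=None):
    """Return the claims if the signature matches and the ticket is unexpired."""
    try:
        body, sig = ticket.encode().split(b".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    current = int(time.time() if now is None else now)
    return claims if claims["exp"] > current else None
```

Because the ticket carries only a subject, a source and an expiry, a captured ticket exposes no password and stops working at `exp`; any client that can send a string over TLS can present it, whatever platform it runs on.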


