Re: WS Security issues

+1,
If you're looking to sign and encrypt using user name token, keep in mind the service will not be interoperable with java or other technologies.

I guess your best option is to use username token for authentication and authorization. And use X509 certs for signing and encrypting. This is a little slower that ssl but from a purist standpoint you are now transport independent!

Henrik Skak Pedersen wrote: 
Hi Yedu,

Thank you very much for your reply.

Would you use UsernameTokens for signing, encrypting and authentication?
How can I send the current UsernameToken?
How are you deploying "SSL settings"?

Regards

Henrik

"Yedu" <Yedu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:C7E4560D-F7DF-43A1-9799-97BF2A2E48FC@xxxxxxxxxxxxxxxx

We have a similar setup that you described.
We are sending the Username/password in the userName token, the Webservice
server machine needs to be in the same domain as of the AD, if an invalid
username/password is sent and it cannot be authenticated it will throw a
SoapFault. The username/password is sent as plaintext in the usernameToken.

We are using SSL for making sure that the channel is secure.

If you plan to implement the X.509 for encryption my guess is that it will
be drag on the performance.
"Henrik Skak Pedersen" wrote:


Hello,

I am working on a product when we are shipping a web service and a windows
client to several end-customers. The web service should be able to run
either on the inside or on the outside of their firewall. The same CD are
being sent to all customers, so it is not possible to modify anything from
customer to customer. The software should run directly after installation,
without obtaining certificates or anothing else.The clients are running on
Windows 2000 server and client, Windows XP and Windows Server 2003.

I have two demands:

1) All WS requests from the client needs to be authorized by AD. It should
be possible to log in using the current credentials or by specifying an user
name/password pair.

2) All WS requests from the client needs to be encrypted and signed

I have looked into X509SecurityToken, KerberosToken and UsernameToken. But I
just can't see how I solve this the the best way.

If I use X.509 for signing and encryption, then I guess that I have to
distribute the same certificate to all customers, which I guess not i a
smart idea.
I have read that the KerberosToken does not work for Windows 2000.

Any recommendations?

Regards

Henrik Skak Pedersen







--
HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dilip.krishnan AT apdiya DOT com
.

Relevant Pages

  • Re: EFS Certificate Needed
    ... Backup and save on non-degrading media the EFS DRA .pfx file ... Foe sure I will follow "Windows Recommendations". ... that recovery agent will only have ... Best practices for the Encrypting File System ...
    (microsoft.public.security)
  • Re: Can I access a decrypted file if I have all the files backed u
    ... I appreciate your taking the trouble to look up all those articles up for me, ... I installed Windows on the new hard drive ... Best practices for the Encrypting File System ... How to back up the recovery agent Encrypting File System private key ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Can I access a decrypted file if I have all the files backed up?
    ... I installed Windows on the new hard drive ... and ran restore to restore my backup. ... old hard drive to boot on the other computer. ... Best practices for the Encrypting File System ...
    (microsoft.public.windowsxp.security_admin)
  • Re: EFS Certificate Needed
    ... Foe sure I will follow "Windows Recommendations". ... that recovery agent will only have ... Best practices for the Encrypting File System ...
    (microsoft.public.security)
  • Re: ftp problem
    ... takes me straight into the web server. ... Can I clear what Windows has remembered so I get the ... Have you tried logging in from a command prompt? ... May at least prove if the username/password are ok and you can connect, ...
    (uk.people.silversurfers)