WSE 2.0, smart client, Username authentication, no x.509



I've got a smart client app (C#) - client + web service. At present I am to
add security features to the app using WSE 2.0. Security is a very new area
for me and after 3 days of reading I'm overloaded with the info :-(((. I
went through the Hands-on Lab (great, was really helpful) but the problem is
that our scenario doesn't conform to any others found on the web.

1. My application is going to be installed in either of the following ways:
- Both client-side app and web service installed on a machine (WinXP) that
runs SQL server with our database on it. My webservice talks to this DB.
- The client app is installed on a machine (WinXP) that talks to a remote
server (Win2000/2003) (with the same database) where my web service is
installed as well.

2. Our server *is not* a Web Server. (This is going to be the case only in
the future).

3. I don't want to use certificates at present. As far as I understood they
are the most secure but also the most difficult to deploy.

4. The existing database does not contain any table with usernames, how am I
supposed to perform authentication? The default (plainText password with WSE
performing automatic authentication) only works for the local machine (my
understanding). What happens if my web service is on the remote server?

5. I also need authorization (users from a certain group only can use the
service) as part of the security procedure. Again, I can verify this on the
local machine, how does the remote server do it?

6. From what I read and understood I'd like to use some sort of
authentication (Username or custom probably), authorization, signatures and
encryption.

7. I would prefer to use policy files. As we are probably going to change
the policy in the future, to do it with the policy files would be easier. But
how to use them with my scenario?

Your help will be *highly* appreciated. As I am very new to the security
subject, simple and straightforward instructions and tips will be preferable.

Anna

