Re: Sample code to use WSE

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: "William Stacey [MVP]" <staceyw@xxxxxxxx>
Date: Thu, 1 Sep 2005 14:16:27 -0400

This might be a bit more then what you where looking for, but I just posted
a complete Secure Remote Password (SRP) (actually SRP6a) using WSE on
Channel9 at:
http://channel9.msdn.com/ShowPost.aspx?PostID=107763

This is a really secure way to authenticate passwords that does not require
stored keys on either end. It does, however, require a custom database that
stores the username, SRP verifier, and salt for each user. The
implementation as shown uses a simple text file as the DB, but you can do
anything you want in your derived login provider. If you did want to use
Windows authentication (using LogonUser) you could just create an Anonoumous
SRP username with any password. Then the client can get an anonymous SCT
and then use that SCT to encrypt a UT with a ClearText password or other
token type.
HTH

--
William Stacey [MVP]

"Ram" <Ram@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1812BE10-56C1-4DAA-8FD1-D7F551E58F98@xxxxxxxxxxxxxxxx
>I have developed a webservice that processes payments. I wanted provide
> security to this webservice so that all requests are authenticated
>
> I don't know where to start to implement security
>
> Thanks

.

Follow-Ups:
- Re: Sample code to use WSE
  - From: Ram

References:
- Sample code to use WSE
  - From: Ram

Prev by Date: Re: Sample code to use WSE
Next by Date: Re: WSE X.509 certificate capability
Previous by thread: Re: Sample code to use WSE
Next by thread: Re: Sample code to use WSE
Index(es):
- Date
- Thread

Relevant Pages

Re: [ok] [Full-Disclosure] RE: [Full-Disclosure]MS should re-write code with security in mind
... almost all Windows users demand backward compatibility. ... > security upgrades available on MS's site. ... > and authenticate all mail transfer. ...
(Full-Disclosure)
Re: Security Logging in ADAM
... How does an anonymous login authenticate anyone? ... If a bind was performed against ADAM, there should be a matching audit event ... in the security event log on the ADAM machine assuming that logon events are ...
(microsoft.public.windows.server.active_directory)
Re: IAS & Fully-Qualified-User-Name
... Svyatoslav Pidgorny, MS MVP - Security, MCSE -= F1 is the key =- "Bryan Hunt" wrote in message ... > Logon Failure: ... > Caller User Name: MANAGE1$ ... >>> None of them will authenticate the user. ...
(microsoft.public.security)
Re: NTLM authentication
... If I authenticate as I did againt ADAM with their login/pwd, ... Clear the Security EventLog and watch the security events after each bind. ... Note that this can' be done on NT4, so you can only watch the local logon attempts. ... Now, use the "domain\\user" syntax for the username in your DirectoryEntry constructor, where domain is your logon domain and user a domain account. ...
(microsoft.public.dotnet.languages.csharp)
Re: Sample code to use WSE
... Chris & William ... > This is a really secure way to authenticate passwords that does not require ... >>I have developed a webservice that processes payments. ... >> security to this webservice so that all requests are authenticated ...
(microsoft.public.dotnet.framework.webservices.enhancements)