RE: simulating asp.net impersonation



Hi TS,

Welcome to MSDN newsgroup.
From your description, you have a winform app which consumes an ASP.NET
webservice. Also you'd like to protect the service from being used by
unauthenticated users. So you're currently wondering the best means to let
the client winform app attach the proper user's credential, yes?

Based on my experience, the <authorization> schema element in asp.net's
configuration is mainly used by asp.net web applications rather than asp.net
webservices (though this is also OK and can be used to protect access to the
asmx). And this will depend on the client credential passed from
IIS, which does the authentication (basic or integrated
windows (NTLM/kerberos...); webservices don't support interactive
authentication like Forms authentication). OK, then as for how to provide
such a credential at the client side:

If you're using the .net generated webservice client proxy class (through
VS.NET's add webreference or the wsdl.exe tool), we can provide our credential
through the proxy class's Credentials property and specify the
authentication scheme (BASIC, NTLM ...). For example:

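============
// Generated proxy class for the web service
MyService.MyService ms = new AuthClient.MyService.MyService();

// Credential to present: user name, password, domain
System.Net.NetworkCredential nc = new
    System.Net.NetworkCredential("username","password","domainname");

// Bind the credential to the service URL and the NTLM scheme
System.Net.CredentialCache cc = new System.Net.CredentialCache();
cc.Add(new Uri(ms.Url),"NTLM",nc);

ms.Credentials = cc;

// The call now carries the credential when IIS challenges for it
ms.Execute("dfdsfds");

============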

In addition, we can also use a SoapHeader in the webservice's SOAP
message to contain our custom authentication info. This is a good approach
if we don't want to rely on IIS's authentication support. However,
since the SOAP message is plain XML text, we need to encrypt the credential
info (SoapHeader) if we use this means.

Here is the MSDN reference which has mentioned all the general
authentication means for asp.net webservice, I think it'll be helpful to
you:

#Securing XML Web Services Created Using ASP.NET
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconsecuringaspnetwebservices.asp?frame=true


Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
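
An added example, not part of the original post: a server-side view of the SoapHeader approach the reply mentions, refusing the header unless the request arrived over HTTPS, since the header is plain XML. The AuthHeader class, the placeholder namespace, the appSettings keys (AuthUser, AuthSalt, AuthHash) and the PBKDF2 iteration count are assumptions.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;

// Custom header carried inside the SOAP envelope (hypothetical name).
public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

[WebService(Namespace = "http://example.invalid/auth")] // placeholder namespace
public class MyService : WebService
{
    // ASP.NET populates this field from the incoming <AuthHeader> element.
    public AuthHeader Auth;

    [WebMethod]
    [SoapHeader("Auth", Direction = SoapHeaderDirection.In)]
    public string Execute(string input)
    {
        // The header travels as plain XML: accept it only over TLS.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);
        if (Auth == null || !IsValidUser(Auth.Username, Auth.Password))
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
        return "ok: " + input;
    }

    // Assumed storage: base64 salt and PBKDF2 hash in <appSettings>.
    private static bool IsValidUser(string user, string password)
    {
        if (user == null || password == null) return false;
        byte[] salt = Convert.FromBase64String(ConfigurationManager.AppSettings["AuthSalt"]);
        byte[] expected = Convert.FromBase64String(ConfigurationManager.AppSettings["AuthHash"]);
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, 100000);
        byte[] actual = kdf.GetBytes(expected.Length);

        // Compare every byte so timing does not reveal where a mismatch occurs.
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0 && user == ConfigurationManager.AppSettings["AuthUser"];
    }
}
```

On the client, the generated proxy exposes the header as a property (AuthHeaderValue for this class name) that is set before calling Execute.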
