Web Service, Authentication, Security & Domains

I'm faced with an implementation problem on which I need some guidelines and advice.

my client has a Win2k3 domain with ActiveDirectory.

I need to implement two parts of the solution:
a) Web Service that will run on a computer in the client's domain with access to the AD
b) Windows application that will run on computers which are NOT part of the client's domain

Windows application will communicate with the Web Service via internet and perform some tasks that way.

the real problem follows: users that will use Windows application have AD accounts in the client's domain, but they themselves will use Windows application on computers OUT of the domain. and my Web Service must allow Windows application users to authenticate and authorize with AD, but so that the password (in any form) is NEVER sent across the wire. data also must be transferred in a secure manner. so I need something like Kerberos, but that works in my case.

what would be the simplest, yet feasible solution to this problem? does WSE 3.0 have anything that could help me?

I hope I managed to depict the problem and I apologize for my English if it's causing any misunderstandings.

tnx in advance

The easy way to do this is with Basic authentication and SSL. Unfortunately, that does send the password across the wire (although it is encrypted with SSL), so if that absolutely cannot happen, then you can't use that approach.

The problem with using a Kerberos based approach is that the clients must be able to contact the KDC to get a Kerberos ticket, and generally, you don't have the KDC hanging out on the public Internet! If you could do that, you could use IWA/Negotiate auth in IIS and it would work.

My recommendation is to push for Basic/SSL.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Igor Volkin" <igorvol***@mytrashmail.com> wrote in message news:1154952967.941190.99760@i42g2000cwa.googlegroups.com...
> kind regards to all.
>
> I'm faced with an implementation problem on which I need some
> guidelines and advice.
>
> my client has a Win2k3 domain with ActiveDirectory.
>
> I need to implement two parts of the solution:
> a) Web Service that will run on a computer in the client's domain with
> access to the AD
> b) Windows application that will run on computers which are NOT part of
> the client's domain
>
> Windows application will communicate with the Web Service via internet
> and perform some tasks that way.
>
> the real problem follows: users that will use Windows application have
> AD accounts in the client's domain, but they themselves will use
> Windows application on computers OUT of the domain. and my Web Service
> must allow Windows application users to authenticate and authorize with
> AD, but so that the password (in any form) is NEVER sent across the
> wire. data also must be transferred in a secure manner. so I need
> something like Kerberos, but that works in my case.
>
> what would be the simplest, yet feasible solution to this problem? does
> WSE 3.0 have anything that could help me?
>
> I hope I managed to depict the problem and I apologize for my English
> if it's causing any misunderstandings.
>
> tnx in advance
>
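
An added example, not code from either poster: what the Basic/SSL approach recommended in the reply above actually puts in each request. The password is only base64-encoded in the Authorization header, so the client here refuses to build the header for anything but an https URL, and the server-side parser shows the value is recovered in full. The URL, domain and account names are constructed placeholders, and Python is used only to show the wire format.

```python
import base64
import binascii
from urllib.parse import urlsplit


def build_basic_header(url, username, password):
    """Client side: return the Authorization header value for HTTP Basic.

    Refuses any URL that is not https, because the header is only encoded,
    not encrypted; SSL/TLS is the sole protection for the password in transit.
    """
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("Basic credentials must only be sent over https")
    if ":" in username:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value):
    """Server side: recover (username, password), or None if malformed.

    The service would then validate the pair against the directory.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # split on first ':' only
    if not sep:
        return None
    return username, password


if __name__ == "__main__":
    # Constructed sample values; host name and account are placeholders.
    header = build_basic_header("https://service.example/Tasks.asmx",
                                "CLIENTDOM\\jdoe", "s3cret:with:colons")
    print(header)
    print(parse_basic_header(header))
```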