WS Security issues

Hello,

I am working on a product where we are shipping a web service and a Windows client to several end customers. The web service should be able to run either on the inside or on the outside of their firewall. The same CD is being sent to all customers, so it is not possible to modify anything from customer to customer. The software should run directly after installation, without obtaining certificates or anything else. The clients are running on Windows 2000 Server and client, Windows XP and Windows Server 2003.

I have two demands:

1) All WS requests from the client need to be authorized by AD. It should be possible to log in using the current credentials or by specifying a user name/password pair.

2) All WS requests from the client need to be encrypted and signed.

I have looked into X509SecurityToken, KerberosToken and UsernameToken, but I just can't see how I solve this the best way.

If I use X.509 for signing and encryption, then I guess that I have to distribute the same certificate to all customers, which I guess is not a smart idea.

I have read that the KerberosToken does not work for Windows 2000.

Any recommendations?

Regards

Henrik Skak Pedersen

Hello Henrik,
UsernameTokens over SSL???

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hello Dominick,
Thank you very much for your reply.

Would you use UsernameTokens for signing, encrypting and authentication? How can I send the current UsernameToken?

Regards Henrik

Hello Henrik,
You can't.

If you use SSL - you don't have to encrypt and sign (but you could) - you rely on transport security.

That's the tradeoff you have to make...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hello Dominick,
Thanks again.

Is it best practice not to sign or encrypt when you are running through SSL?

If I then only have to use tokens for authentication and not for anything else, can't I use a KerberosToken or a KerberosToken2 for automatic login?

Henrik.

Hello Dominick,
I just forgot...

1) I guess that it would be wise to set up a policy to request a UsernameToken?

2) Do I then have to validate every time I call a method on the web service, or can I cache it somehow?

Thanks Henrik

Oops, one more thing :-)
I guess that I have a problem no matter whether I choose X.509 or SSL. I still have to redistribute a unique certificate per customer and install it on the user's machine?

I can't generate the certificates when I install my product?

Or do I have to obtain it from VeriSign or another similar authority every time I sell a package?

Henrik

Hello Henrik,
You need a certificate on the server side. You could buy one from VeriSign - or have a look at the xenroll.dll API to do it programmatically using a Windows CA.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
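The UsernameToken-over-SSL advice and the "validate on every call or cache it" question from the thread, as an added spec-level model (OASIS WSS UsernameToken Profile) that is neither WSE code nor anything posted by the participants; `verify_password` standing in for an AD bind, `lookup_secret` for a local store that can release a cleartext password, and the sample credential store are constructed assumptions.

```python
import base64, calendar, hashlib, hmac, os, time

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # WSS UsernameToken Profile: Password_Digest = Base64(SHA-1(nonce + created + password))
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def make_username_token(username, password, hashed, nonce=None, created=None):
    """Client side: the fields a wsse:UsernameToken carries (hashed vs plaintext password)."""
    nonce = nonce or os.urandom(16)
    created = created or time.strftime(CREATED_FMT, time.gmtime())
    token = {"Username": username, "Nonce": base64.b64encode(nonce).decode(), "Created": created}
    if hashed:
        token.update(Type="PasswordDigest", Password=password_digest(nonce, created, password))
    else:
        token.update(Type="PasswordText", Password=password)
    return token

class UsernameTokenValidator:
    """Server side: every call is checked (no session); only a short-lived nonce list is kept."""
    def __init__(self, verify_password, transport_is_tls, lookup_secret=None, max_skew=300):
        self.verify_password = verify_password  # AD-style bind: (user, cleartext) -> bool (assumed)
        self.lookup_secret = lookup_secret      # local store able to release the cleartext (assumed)
        self.transport_is_tls = transport_is_tls
        self.max_skew = max_skew
        self.seen_nonces = {}                   # nonce -> expiry: the replay cache

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        if token["Type"] == "PasswordText" and not self.transport_is_tls:
            return False, "cleartext password without transport security"
        created = calendar.timegm(time.strptime(token["Created"], CREATED_FMT))
        if abs(now - created) > self.max_skew:
            return False, "Created outside freshness window"
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        if token["Type"] == "PasswordDigest":
            # A digest is only checkable by a server holding the cleartext; a directory bind cannot supply it.
            secret = self.lookup_secret(token["Username"]) if self.lookup_secret else None
            ok = secret is not None and hmac.compare_digest(
                token["Password"], password_digest(nonce, token["Created"], secret))
        else:
            ok = self.verify_password(token["Username"], token["Password"])
        if not ok:
            return False, "authentication failed"
        self.seen_nonces[nonce] = now + self.max_skew
        return True, "ok"

# Constructed sample credential store; stands in for AD, which would not release passwords.
SAMPLE_USERS = {"henrik": "correct horse"}
def sample_verify(username, password):
    return hmac.compare_digest(SAMPLE_USERS.get(username, ""), password)
```

A PasswordDigest token can only be verified where the server itself holds the cleartext password, which a directory bind does not provide; that is why AD authentication in this setup comes down to PasswordText over a TLS transport, with the nonce list as the only server-side state worth keeping.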