Solved

Web Services and authentication... pointers please.

Posted on 2006-07-13
1
198 Views
Last Modified: 2010-04-16
hello,

We have a windows forms application that consumes various web services. This includes getting data from a database on our server, requesting payment information and other methods. There are 3 web services total which all need to use some form of authentication so it's not possible for anyone to get data from our servers and request payments and such.

Can someone point me in the right direction for setting up a simple scheme to handle this? What I want to do is setup one web service that does nothing but authentication... so say they request data from our servers, the client application will submit data to authenticate them and if it passes it will allow them to request the data.

What is a good (and free) way of authenticating users? This should happen without the users knowing it... ie: maybe there is a username/password for the web service stored locally which can be authenticated against a username/password on our server. I just dont know how I would do this securely, without much hastle and without any cost. Can someone point me in the right direction for this?

Grealy Appreciated,
- Steven
0
Comment
Question by:PoeticAudio
1 Comment
 
LVL 25

Accepted Solution

by:
dstanley9 earned 500 total points
ID: 17103960
The most secure way is to use Windows Authentication and delegation.  The web service can impersonate the caller (the user running the windows program) and pass those credentials on to the database server.  You then add network users (or network groups) to the SQL Server and give them the appropriate permissions.

THe hardest part to set up in all of this is setting up the web server for delegation.  You have to be using Kerberos authentication, and the web server has to be "trusted" for delegation in Active Directory.  While it sounds simple enough, it can be a bear to troubleshoot.

Another option that I have seen is to have the web services use Windows auth, and authorize the user using the calling user name.  You basically have to define the users, roles, and access levels in the security layer rather than the database layer.  For example, you may have a Users table , a Roles table, and a AuthLevel table (with associated relationship tables).  when YOURDOMAIN\Joe accesses the web service, it looks up Joe's user ID, Roles, and Access levels, and determines if he is authorized to get the data he's requesting.  In this scenario, the web services connect to the SQL server using one account (either Windows or SQL) that has permissions to all data, and the security layer decides who has access to what.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Introduction Hi all and welcome to my first article on Experts Exchange. A while ago, someone asked me if i could do some tutorials on object oriented programming. I decided to do them on C#. Now you may ask me, why's that? Well, one of the re…
Real-time is more about the business, not the technology. In day-to-day life, to make real-time decisions like buying or investing, business needs the latest information(e.g. Gold Rate/Stock Rate). Unlike traditional days, you need not wait for a fe…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now