Solved

Web Services and authentication... pointers please.

Posted on 2006-07-13
1
199 Views
Last Modified: 2010-04-16
hello,

We have a windows forms application that consumes various web services. This includes getting data from a database on our server, requesting payment information and other methods. There are 3 web services total which all need to use some form of authentication so it's not possible for anyone to get data from our servers and request payments and such.

Can someone point me in the right direction for setting up a simple scheme to handle this? What I want to do is setup one web service that does nothing but authentication... so say they request data from our servers, the client application will submit data to authenticate them and if it passes it will allow them to request the data.

What is a good (and free) way of authenticating users? This should happen without the users knowing it... ie: maybe there is a username/password for the web service stored locally which can be authenticated against a username/password on our server. I just dont know how I would do this securely, without much hastle and without any cost. Can someone point me in the right direction for this?

Grealy Appreciated,
- Steven
0
Comment
Question by:PoeticAudio
1 Comment
 
LVL 25

Accepted Solution

by:
dstanley9 earned 500 total points
ID: 17103960
The most secure way is to use Windows Authentication and delegation.  The web service can impersonate the caller (the user running the windows program) and pass those credentials on to the database server.  You then add network users (or network groups) to the SQL Server and give them the appropriate permissions.

THe hardest part to set up in all of this is setting up the web server for delegation.  You have to be using Kerberos authentication, and the web server has to be "trusted" for delegation in Active Directory.  While it sounds simple enough, it can be a bear to troubleshoot.

Another option that I have seen is to have the web services use Windows auth, and authorize the user using the calling user name.  You basically have to define the users, roles, and access levels in the security layer rather than the database layer.  For example, you may have a Users table , a Roles table, and a AuthLevel table (with associated relationship tables).  when YOURDOMAIN\Joe accesses the web service, it looks up Joe's user ID, Roles, and Access levels, and determines if he is authorized to get the data he's requesting.  In this scenario, the web services connect to the SQL server using one account (either Windows or SQL) that has permissions to all data, and the security layer decides who has access to what.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Introduction This article series is supposed to shed some light on the use of IDisposable and objects that inherit from it. In essence, a more apt title for this article would be: using (IDisposable) {}. I’m just not sure how many people would ge…
Exception Handling is in the core of any application that is able to dignify its name. In this article, I'll guide you through the process of writing a DRY (Don't Repeat Yourself) Exception Handling mechanism, using Aspect Oriented Programming.
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now