Solved

Web Services and authentication... pointers please.

Posted on 2006-07-13
1
202 Views
Last Modified: 2010-04-16
hello,

We have a windows forms application that consumes various web services. This includes getting data from a database on our server, requesting payment information and other methods. There are 3 web services total which all need to use some form of authentication so it's not possible for anyone to get data from our servers and request payments and such.

Can someone point me in the right direction for setting up a simple scheme to handle this? What I want to do is setup one web service that does nothing but authentication... so say they request data from our servers, the client application will submit data to authenticate them and if it passes it will allow them to request the data.

What is a good (and free) way of authenticating users? This should happen without the users knowing it... ie: maybe there is a username/password for the web service stored locally which can be authenticated against a username/password on our server. I just dont know how I would do this securely, without much hastle and without any cost. Can someone point me in the right direction for this?

Grealy Appreciated,
- Steven
0
Comment
Question by:PoeticAudio
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 25

Accepted Solution

by:
dstanley9 earned 500 total points
ID: 17103960
The most secure way is to use Windows Authentication and delegation.  The web service can impersonate the caller (the user running the windows program) and pass those credentials on to the database server.  You then add network users (or network groups) to the SQL Server and give them the appropriate permissions.

THe hardest part to set up in all of this is setting up the web server for delegation.  You have to be using Kerberos authentication, and the web server has to be "trusted" for delegation in Active Directory.  While it sounds simple enough, it can be a bear to troubleshoot.

Another option that I have seen is to have the web services use Windows auth, and authorize the user using the calling user name.  You basically have to define the users, roles, and access levels in the security layer rather than the database layer.  For example, you may have a Users table , a Roles table, and a AuthLevel table (with associated relationship tables).  when YOURDOMAIN\Joe accesses the web service, it looks up Joe's user ID, Roles, and Access levels, and determines if he is authorized to get the data he's requesting.  In this scenario, the web services connect to the SQL server using one account (either Windows or SQL) that has permissions to all data, and the security layer decides who has access to what.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
VB.NET - Refactor Class per SOLID principles 2 42
array not updating 8 42
What is GIS method of Geometry data type? 6 33
Manage big list of parameter list 8 21
Introduction Although it is an old technology, serial ports are still being used by many hardware manufacturers. If you develop applications in C#, Microsoft .NET framework has SerialPort class to communicate with the serial ports.  I needed to…
Calculating holidays and working days is a function that is often needed yet it is not one found within the Framework. This article presents one approach to building a working-day calculator for use in .NET.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question