Web Services and authentication... pointers please.

hello,

We have a windows forms application that consumes various web services. This includes getting data from a database on our server, requesting payment information and other methods. There are 3 web services total which all need to use some form of authentication so it's not possible for anyone to get data from our servers and request payments and such.

Can someone point me in the right direction for setting up a simple scheme to handle this? What I want to do is set up one web service that does nothing but authentication... so say they request data from our servers, the client application will submit data to authenticate them and if it passes it will allow them to request the data.

What is a good (and free) way of authenticating users? This should happen without the users knowing it... ie: maybe there is a username/password for the web service stored locally which can be authenticated against a username/password on our server. I just don't know how I would do this securely, without much hassle and without any cost. Can someone point me in the right direction for this?

Greatly Appreciated,
- Steven
Asked by PoeticAudio
dstanley9 commented:
The most secure way is to use Windows Authentication and delegation.  The web service can impersonate the caller (the user running the windows program) and pass those credentials on to the database server.  You then add network users (or network groups) to the SQL Server and give them the appropriate permissions.

The hardest part to set up in all of this is setting up the web server for delegation.  You have to be using Kerberos authentication, and the web server has to be "trusted" for delegation in Active Directory.  While it sounds simple enough, it can be a bear to troubleshoot.

Another option that I have seen is to have the web services use Windows auth, and authorize the user using the calling user name.  You basically have to define the users, roles, and access levels in the security layer rather than the database layer.  For example, you may have a Users table, a Roles table, and an AuthLevel table (with associated relationship tables).  When YOURDOMAIN\Joe accesses the web service, it looks up Joe's user ID, Roles, and Access levels, and determines if he is authorized to get the data he's requesting.  In this scenario, the web services connect to the SQL server using one account (either Windows or SQL) that has permissions to all data, and the security layer decides who has access to what.
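The second option above (Windows authentication for identity, an application-level Users/Roles/AuthLevel lookup for authorization, one service account for the database connection) as an added C# example; this is not code from the thread or from dstanley9. It assumes an ASMX web service running under ASP.NET with `<authentication mode="Windows" />` in web.config and anonymous access disabled in IIS, so that IIS (Kerberos or NTLM) has already established the caller's identity before the method runs. The table and column names, the resource name "Customers", and the connection string are assumptions made for illustration.

```csharp
// Added example, not from the original thread. Assumes web.config contains
//   <authentication mode="Windows" />   and   <authorization><deny users="?" /></authorization>
// so Context.User is a Windows identity established by IIS, not by anything the client sent.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Services;

[WebService(Namespace = "http://example.com/dataservice/")]   // assumed namespace
public class DataService : WebService
{
    // One service account reaches the database; the security layer below decides who sees what.
    // Assumed server and database names.
    private const string ConnectionString =
        "Server=DBSERVER;Database=AppDb;Integrated Security=SSPI;";

    [WebMethod]
    public DataSet GetCustomer(int customerId)
    {
        // Identity comes from the Windows authentication handshake, e.g. "YOURDOMAIN\Joe".
        if (!Context.User.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication is required.");
        string caller = Context.User.Identity.Name;

        // Authorization: does the caller's role grant at least read level (1) on Customers?
        if (!IsAuthorized(caller, "Customers", requiredLevel: 1))
            throw new UnauthorizedAccessException(caller + " is not authorized to read Customers.");

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT CustomerId, Name, Email FROM Customers WHERE CustomerId = @id", conn))
        {
            // Parameterized query: the caller never influences the SQL text.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = customerId;
            var result = new DataSet();
            new SqlDataAdapter(cmd).Fill(result);
            return result;
        }
    }

    // Looks up the highest access level any of the caller's roles grants on a resource.
    // Assumed schema: Users(UserId, WindowsName), UserRoles(UserId, RoleId),
    // RoleAuthLevels(RoleId, AuthLevelId), AuthLevel(AuthLevelId, Resource, Level).
    private bool IsAuthorized(string windowsName, string resource, int requiredLevel)
    {
        const string sql = @"
            SELECT MAX(al.Level)
            FROM Users u
            JOIN UserRoles ur       ON ur.UserId = u.UserId
            JOIN RoleAuthLevels ral ON ral.RoleId = ur.RoleId
            JOIN AuthLevel al       ON al.AuthLevelId = ral.AuthLevelId
            WHERE u.WindowsName = @name AND al.Resource = @resource";

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = windowsName;
            cmd.Parameters.Add("@resource", SqlDbType.NVarChar, 64).Value = resource;
            conn.Open();
            object level = cmd.ExecuteScalar();
            // No matching user, role or resource yields NULL: deny by default.
            if (level == null || level == DBNull.Value)
                return false;
            return (int)level >= requiredLevel;
        }
    }
}
```

The check is fail-closed: an unknown Windows account, or one with no role on the requested resource, gets NULL from the lookup and is denied. For the first option in the answer (delegation), the per-method authorization stays the same but the single service account goes away: web.config gains `<identity impersonate="true" />`, the connection string keeps `Integrated Security=SSPI`, and the database sees the caller's own Windows account, which is why the Kerberos and "trusted for delegation" setup described above becomes necessary.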