Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Web Services and authentication... pointers please.

Posted on 2006-07-13
1
Medium Priority
?
205 Views
Last Modified: 2010-04-16
hello,

We have a windows forms application that consumes various web services. This includes getting data from a database on our server, requesting payment information and other methods. There are 3 web services total which all need to use some form of authentication so it's not possible for anyone to get data from our servers and request payments and such.

Can someone point me in the right direction for setting up a simple scheme to handle this? What I want to do is setup one web service that does nothing but authentication... so say they request data from our servers, the client application will submit data to authenticate them and if it passes it will allow them to request the data.

What is a good (and free) way of authenticating users? This should happen without the users knowing it... ie: maybe there is a username/password for the web service stored locally which can be authenticated against a username/password on our server. I just dont know how I would do this securely, without much hastle and without any cost. Can someone point me in the right direction for this?

Grealy Appreciated,
- Steven
0
Comment
Question by:PoeticAudio
1 Comment
 
LVL 25

Accepted Solution

by:
dstanley9 earned 2000 total points
ID: 17103960
The most secure way is to use Windows Authentication and delegation.  The web service can impersonate the caller (the user running the windows program) and pass those credentials on to the database server.  You then add network users (or network groups) to the SQL Server and give them the appropriate permissions.

THe hardest part to set up in all of this is setting up the web server for delegation.  You have to be using Kerberos authentication, and the web server has to be "trusted" for delegation in Active Directory.  While it sounds simple enough, it can be a bear to troubleshoot.

Another option that I have seen is to have the web services use Windows auth, and authorize the user using the calling user name.  You basically have to define the users, roles, and access levels in the security layer rather than the database layer.  For example, you may have a Users table , a Roles table, and a AuthLevel table (with associated relationship tables).  when YOURDOMAIN\Joe accesses the web service, it looks up Joe's user ID, Roles, and Access levels, and determines if he is authorized to get the data he's requesting.  In this scenario, the web services connect to the SQL server using one account (either Windows or SQL) that has permissions to all data, and the security layer decides who has access to what.
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Summary: Persistence is the capability of an application to store the state of objects and recover it when necessary. This article compares the two common types of serialization in aspects of data access, readability, and runtime cost. A ready-to…
This article is for Object-Oriented Programming (OOP) beginners. An Interface contains declarations of events, indexers, methods and/or properties. Any class which implements the Interface should provide the concrete implementation for each Inter…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question