«

I love Web Apps in ASP.NET 2.0 because you can easily deny users access to
pages by role or user.

But for desktop client to webservice methods, I am not sure what to do....

I am looking for the simplest and safest method or pattern to have my
Desktop client be able to call a web services securely.

Assume my webservice proxy has 15 methods. By securely, I want the Client
desktop app to pass some kind of simple username/password token -- something
- but not in plain text - so that acces to the web call either immediately
succeeds or fails. I don't know where to start - what is the simplest and
easiest way to accomplish this and maintain it.
Thanks for any simple answers.

Hi,

you can use IIS/integrated auth with SSL or WS:Security

Does your user have a Windows account? if yes you could simply use integrated/basic/digest
over SSL

If you want some kind of custom authentication scheme - you could handroll
it using headers or have a look at UsernameTokens in WSE3 which is a standard
implementation of passing identity information with SOAP packets.

ping me if you need more help

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I love Web Apps in ASP.NET 2.0 because you can easily deny users
> access to pages by role or user.
>
> But for desktop client to webservice methods, I am not sure what to
> do....
>
> I am looking for the simplest and safest method or pattern to have my
> Desktop client be able to call a web services securely.
>
> Assume my webservice proxy has 15 methods. By securely, I want the
> Client
> desktop app to pass some kind of simple username/password token --
> something
> - but not in plain text - so that acces to the web call either
> immediately
> succeeds or fails. I don't know where to start - what is the
> simplest and
> easiest way to accomplish this and maintain it.
> Thanks for any simple answers.

Dominick,

I looked at handrolling WS* but the problem I had was I didn't like having
to hardcode lookups on the server side - I was just hoping I could create
some token on the desktop side and when making the call it the service's
method woul allow or disallow.


The design is a stand-alone exe (could be on your machine) needs to make a
web method via dialup to my IIS Web Service.

I can create a User Account on the IIS server but not on the user's desktop
- the networks are unrelated. I can create my own logon screen locally of
course to get the userid and password I'll need to somehow to receive on the
other side.

Is there a way I can create a token from that userid/password and use
integrated security without having to have the standard windows login scrdeen
popoup each method call?

"Dominick Baier [DevelopMentor]" wrote:

> Hi,
>
> you can use IIS/integrated auth with SSL or WS:Security
>
> Does your user have a Windows account? if yes you could simply use integrated/basic/digest
> over SSL
>
> If you want some kind of custom authentication scheme - you could handroll
> it using headers or have a look at UsernameTokens in WSE3 which is a standard
> implementation of passing identity information with SOAP packets.
>
> ping me if you need more help
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > I love Web Apps in ASP.NET 2.0 because you can easily deny users
> > access to pages by role or user.
> >
> > But for desktop client to webservice methods, I am not sure what to
> > do....
> >
> > I am looking for the simplest and safest method or pattern to have my
> > Desktop client be able to call a web services securely.
> >
> > Assume my webservice proxy has 15 methods. By securely, I want the
> > Client
> > desktop app to pass some kind of simple username/password token --
> > something
> > - but not in plain text - so that acces to the web call either
> > immediately
> > succeeds or fails. I don't know where to start - what is the
> > simplest and
> > easiest way to accomplish this and maintain it.
> > Thanks for any simple answers.
>
>
>

Hi,

ok - as i said - you have two options:

--- #1 you create Windows users for your client on the IIS machine

you could provide a logon screen in the client app and create a NetworkCredential
from that - then use SSL and basic auth to access the web service


--- #2 you don't want the user accounts in Windows but rather some database

you could handroll some headers or use WSE (e.g. if you can't use SSL) -
you would have to provide your own authorization architecture then -

WSE3 is the first version which supports an <authorization> element for security
tokens - but that is tied to .NET 2.0


so i guess the easiest option might be #1

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Dominick,
>
> I looked at handrolling WS* but the problem I had was I didn't like
> having to hardcode lookups on the server side - I was just hoping I
> could create some token on the desktop side and when making the call
> it the service's method woul allow or disallow.
>
> The design is a stand-alone exe (could be on your machine) needs to
> make a web method via dialup to my IIS Web Service.
>
> I can create a User Account on the IIS server but not on the user's
> desktop - the networks are unrelated. I can create my own logon
> screen locally of course to get the userid and password I'll need to
> somehow to receive on the other side.
>
> Is there a way I can create a token from that userid/password and use
> integrated security without having to have the standard windows login
> scrdeen popoup each method call?
>
> "Dominick Baier [DevelopMentor]" wrote:
>
>> Hi,
>>
>> you can use IIS/integrated auth with SSL or WS:Security
>>
>> Does your user have a Windows account? if yes you could simply use
>> integrated/basic/digest over SSL
>>
>> If you want some kind of custom authentication scheme - you could
>> handroll it using headers or have a look at UsernameTokens in WSE3
>> which is a standard implementation of passing identity information
>> with SOAP packets.
>>
>> ping me if you need more help
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> I love Web Apps in ASP.NET 2.0 because you can easily deny users
>>> access to pages by role or user.
>>>
>>> But for desktop client to webservice methods, I am not sure what to
>>> do....
>>>
>>> I am looking for the simplest and safest method or pattern to have
>>> my Desktop client be able to call a web services securely.
>>>
>>> Assume my webservice proxy has 15 methods. By securely, I want the
>>> Client
>>> desktop app to pass some kind of simple username/password token --
>>> something
>>> - but not in plain text - so that acces to the web call either
>>> immediately
>>> succeeds or fails. I don't know where to start - what is the
>>> simplest and
>>> easiest way to accomplish this and maintain it.
>>> Thanks for any simple answers.

Thanks. Maybe I am complicating WSE too much - can you point me to a simple
example of WSE used with a WebMethod?

"Dominick Baier [DevelopMentor]" wrote:

> Hi,
>
> ok - as i said - you have two options:
>
> --- #1 you create Windows users for your client on the IIS machine
>
> you could provide a logon screen in the client app and create a NetworkCredential
> from that - then use SSL and basic auth to access the web service
>
>
> --- #2 you don't want the user accounts in Windows but rather some database
>
> you could handroll some headers or use WSE (e.g. if you can't use SSL) -
> you would have to provide your own authorization architecture then -
>
> WSE3 is the first version which supports an <authorization> element for security
> tokens - but that is tied to .NET 2.0
>
>
> so i guess the easiest option might be #1
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Dominick,
> >
> > I looked at handrolling WS* but the problem I had was I didn't like
> > having to hardcode lookups on the server side - I was just hoping I
> > could create some token on the desktop side and when making the call
> > it the service's method woul allow or disallow.
> >
> > The design is a stand-alone exe (could be on your machine) needs to
> > make a web method via dialup to my IIS Web Service.
> >
> > I can create a User Account on the IIS server but not on the user's
> > desktop - the networks are unrelated. I can create my own logon
> > screen locally of course to get the userid and password I'll need to
> > somehow to receive on the other side.
> >
> > Is there a way I can create a token from that userid/password and use
> > integrated security without having to have the standard windows login
> > scrdeen popoup each method call?
> >
> > "Dominick Baier [DevelopMentor]" wrote:
> >
> >> Hi,
> >>
> >> you can use IIS/integrated auth with SSL or WS:Security
> >>
> >> Does your user have a Windows account? if yes you could simply use
> >> integrated/basic/digest over SSL
> >>
> >> If you want some kind of custom authentication scheme - you could
> >> handroll it using headers or have a look at UsernameTokens in WSE3
> >> which is a standard implementation of passing identity information
> >> with SOAP packets.
> >>
> >> ping me if you need more help
> >>
> >> ---------------------------------------
> >> Dominick Baier - DevelopMentor
> >> http://www.leastprivilege.com
> >>> I love Web Apps in ASP.NET 2.0 because you can easily deny users
> >>> access to pages by role or user.
> >>>
> >>> But for desktop client to webservice methods, I am not sure what to
> >>> do....
> >>>
> >>> I am looking for the simplest and safest method or pattern to have
> >>> my Desktop client be able to call a web services securely.
> >>>
> >>> Assume my webservice proxy has 15 methods. By securely, I want the
> >>> Client
> >>> desktop app to pass some kind of simple username/password token --
> >>> something
> >>> - but not in plain text - so that acces to the web call either
> >>> immediately
> >>> succeeds or fails. I don't know where to start - what is the
> >>> simplest and
> >>> easiest way to accomplish this and maintain it.
> >>> Thanks for any simple answers.
>
>
>

which .net version - which type of authentication (username/password against
a db??)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Thanks. Maybe I am complicating WSE too much - can you point me to a
> simple example of WSE used with a WebMethod?
>
> "Dominick Baier [DevelopMentor]" wrote:
>
>> Hi,
>>
>> ok - as i said - you have two options:
>>
>> --- #1 you create Windows users for your client on the IIS machine
>>
>> you could provide a logon screen in the client app and create a
>> NetworkCredential from that - then use SSL and basic auth to access
>> the web service
>>
>> --- #2 you don't want the user accounts in Windows but rather some
>> database
>>
>> you could handroll some headers or use WSE (e.g. if you can't use
>> SSL) - you would have to provide your own authorization architecture
>> then -
>>
>> WSE3 is the first version which supports an <authorization> element
>> for security tokens - but that is tied to .NET 2.0
>>
>> so i guess the easiest option might be #1
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Dominick,
>>>
>>> I looked at handrolling WS* but the problem I had was I didn't like
>>> having to hardcode lookups on the server side - I was just hoping I
>>> could create some token on the desktop side and when making the call
>>> it the service's method woul allow or disallow.
>>>
>>> The design is a stand-alone exe (could be on your machine) needs to
>>> make a web method via dialup to my IIS Web Service.
>>>
>>> I can create a User Account on the IIS server but not on the user's
>>> desktop - the networks are unrelated. I can create my own logon
>>> screen locally of course to get the userid and password I'll need to
>>> somehow to receive on the other side.
>>>
>>> Is there a way I can create a token from that userid/password and
>>> use integrated security without having to have the standard windows
>>> login scrdeen popoup each method call?
>>>
>>> "Dominick Baier [DevelopMentor]" wrote:
>>>
>>>> Hi,
>>>>
>>>> you can use IIS/integrated auth with SSL or WS:Security
>>>>
>>>> Does your user have a Windows account? if yes you could simply use
>>>> integrated/basic/digest over SSL
>>>>
>>>> If you want some kind of custom authentication scheme - you could
>>>> handroll it using headers or have a look at UsernameTokens in WSE3
>>>> which is a standard implementation of passing identity information
>>>> with SOAP packets.
>>>>
>>>> ping me if you need more help
>>>>
>>>> ---------------------------------------
>>>> Dominick Baier - DevelopMentor
>>>> http://www.leastprivilege.com
>>>>> I love Web Apps in ASP.NET 2.0 because you can easily deny users
>>>>> access to pages by role or user.
>>>>>
>>>>> But for desktop client to webservice methods, I am not sure what
>>>>> to do....
>>>>>
>>>>> I am looking for the simplest and safest method or pattern to have
>>>>> my Desktop client be able to call a web services securely.
>>>>>
>>>>> Assume my webservice proxy has 15 methods. By securely, I want
>>>>> the
>>>>> Client
>>>>> desktop app to pass some kind of simple username/password token --
>>>>> something
>>>>> - but not in plain text - so that acces to the web call either
>>>>> immediately
>>>>> succeeds or fails. I don't know where to start - what is the
>>>>> simplest and
>>>>> easiest way to accomplish this and maintain it.
>>>>> Thanks for any simple answers

Thanks

Hi Dominick

What if my client application is a WinCE device, and my webservice is using
Integrate Windows Authentication mode, then what do I need to pass to my
webservice in order to authenticate.

Can I get user account from WinCE device without asking user to provide
login/password to send to webservice?




"Dominick Baier [DevelopMentor]" wrote:

> generally:
> http://msdn.microsoft.com/webservice.../building/wse/
>
> security lab:
> http://www.microsoft.com/downloads/d...displaylang=en
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > .NET 2.0. WSE to Database example would be fine.
> >
>
>
>

Hi,

prolly not...

but i am not a WinCE expert (in fact i never touched such a device) -sorry.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Dominick
>
> What if my client application is a WinCE device, and my webservice is
> using Integrate Windows Authentication mode, then what do I need to
> pass to my webservice in order to authenticate.
>
> Can I get user account from WinCE device without asking user to
> provide login/password to send to webservice?
>
> "Dominick Baier [DevelopMentor]" wrote:
>
>> generally:
>> http://msdn.microsoft.com/webservice.../building/wse/
>> security lab:
>> http://www.microsoft.com/downloads/d...d=9acd1f8e-97e
>> 2-43e2-b484-a74a014a8206&displaylang=en
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> .NET 2.0. WSE to Database example would be fine.
>>>