Client Certificate and Code Access Security

 
 
Jürgen Laude
      01-13-2005
Hi,

I am implementing an IIS-deployed client (Windows Forms) that accesses a web
service on the same server. I want to use client certificates for
authentication.
My problem is, when I call the web service with CAS "Internet" permissions,
I'm receiving a SecurityException in a thread that seems to create the
connection. The user selects the certificate with an OpenFileDialog configured
for working with "Internet" permissions. I can verify that loading the
certificate and assigning it to the web service proxy works without problems.
Running the same with "Full Trust" works perfectly, but my customers require
"Internet" permissions only.
What do I need to do to work around that? If not, why is using a client
certificate that the user manually selects a security risk (it is no problem
for Internet Explorer to do that)?

Thank you in advance,

Jürgen
 
 
Dilip Krishnan
      01-13-2005
Hello Jürgen,
Basically you're having a client application that you're trying to run as a
downloaded internet application. Such applications are security sandboxed
as "internet" applications, which have restricted permissions as far as loading
things from the hard disk etc. Assuming you're using SSL, a client cert cannot
get access to your certificate in your local stores. Giving just appropriate
permissions should solve this problem.

HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com

 
Jürgen Laude
      01-13-2005
Hello Dilip,

Changing permissions on the client side is not an option for my customers.
Why am I able to use client-side certificates in the internet zone with my
default Internet Explorer settings for web pages, but not from a .NET
application for web services? Browsing the asmx page works with the client
certificate, because IE is pulling it from the store. I understand that a
.NET app should not be allowed to access a user's certificate store without
his knowledge, but the client is receiving the certificate from a
user-selected file, so it is the user's intention to provide it to the
application for his authentication.

Thanks,
Jürgen
 
Dilip Krishnan
      01-13-2005
Hello Jürgen,

Yes, IE can access it because it's a program running on your local machine
(read trusted). But since your .NET client is running under "Internet" permissions,
it doesn't have permissions to do the same function as IE. Think of it as
a Java applet (read "Internet" permissioned app) running on your browser; it
will not have access to delete a file on your hard drive, would it?

HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com

 
Jürgen Laude
      01-14-2005
Hello Dilip,

I can open any file for read access under "Internet" permissions if I use
the OpenFileDialog and ask the user to select one for me. This way I would be
able to read and use whatever the user allows me to. Why is that less
dangerous than using a client certificate from a file (exported from the
local certificate store)?
Reading the documentation about the WebService.htc, I am supposed to be able
to use client certificates if I call the web service from DHTML without
changing settings on my IE.
Is there a way to share the already established SSL connection from IE with
my .NET client?

Thanks,
Jürgen