Alik Levin

The world of a Microsoft consultant

SOA, Strong Authentication, Standard Authorization - Cool Solution

I've previously blogged about SOA Security Inside Enterprise walls

This time I had a couple of pretty interesting requirements from a customer in a B2B/partner scenario. They had a web site that communicates with a partner's web services. The customer's concerns were sincere and fair:

  • I want to manage the credentials I use to authenticate to the partner's web service in a secure way
  • I want to pass them over the wire in a secure, standard way
  • The partner won't make any major changes to the authorization schema inside the web service
  • The authorization schema must be standard and easy to manage

Without any hesitation I went to the following topic:

How To: Call a Web Service Using Client Certificates from ASP.NET 1.1

and implemented step by step what it describes. In the code you see that one needs to export the client cert. The customer's concern was how safe the cert is. No worries: it is exported without the private key. The exported .cer file only tells the proxy which certificate to present; the private key stays in the certificate store of the account the ASP.NET worker process runs under and is used from there during the SSL handshake, so it never leaves the caller's machine.

The last thing I needed to do was web service authorization, so I mapped the client cert to a Windows account on the web service machine, like this:

[screenshot: IIS client certificate mapping to a Windows account]

Then in the web service code I applied standard principal permission demands (here I demand a specific user, but it could be a group too, as in "...Demand, Role = @"myServer\Group8"").

When the app called the web service method it picked up the client cert and sent it to the web service, which in turn mapped it to the Windows account, and the principal permission demand was evaluated against that account. When I called HelloWorld1() everything was fine, since it is protected by a demand for the user the cert is mapped to; HelloWorld2(), on the other hand, was rejected, since the cert I was sending is NOT mapped to that user. Man, these are those rare moments when I am happy to see exceptions :)
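The caller-side and partner-side code the steps above refer to, as an added example rather than the original post's code. It assumes a wsdl.exe-generated proxy class named PartnerServiceProxy for the partner's web service, a placeholder certificate file path and URL, and the account names myServer\PartnerA and myServer\PartnerB; IIS on the partner side is configured to require client certificates and map them to Windows accounts, and the web service's web.config uses authentication mode="Windows".

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.Web.Services;
using System.Web.Services.Protocols;

// ---- Caller side (the ASP.NET 1.1 web site) ----
public class PartnerCaller
{
    // Client certificate exported WITHOUT its private key (placeholder path).
    // The .cer only identifies which certificate to present; the private key
    // must be in the certificate store of the account the ASP.NET worker
    // process runs under, where SChannel finds it during the SSL handshake.
    const string CertFile = @"C:\certs\partner-client.cer";

    public static string Call()
    {
        PartnerServiceProxy proxy = new PartnerServiceProxy();   // assumed wsdl.exe-generated name
        proxy.Url = "https://partner.example.com/PartnerService.asmx"; // must be https for client auth
        proxy.ClientCertificates.Add(X509Certificate.CreateFromCertFile(CertFile));

        string result = proxy.HelloWorld1();   // cert maps to myServer\PartnerA -> allowed

        try
        {
            proxy.HelloWorld2();               // demands a different user -> SOAP fault
        }
        catch (SoapException ex)
        {
            // The server-side SecurityException arrives here wrapped in a SOAP fault.
            // Log it; do not surface the fault detail to end users.
            result += " / HelloWorld2 denied: " + ex.Message;
        }
        return result;
    }
}

// ---- Partner side (ASMX web service behind IIS certificate mapping) ----
public class PartnerService : WebService
{
    // Thread.CurrentPrincipal is the WindowsPrincipal of the mapped account,
    // so the demand is evaluated before the method body runs.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Name = @"myServer\PartnerA")]
    public string HelloWorld1()
    {
        return "Hello " + User.Identity.Name;
    }

    // A different user is demanded here, so PartnerA's certificate is rejected.
    // To demand group membership instead, use Role = @"myServer\Group8".
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Name = @"myServer\PartnerB")]
    public string HelloWorld2()
    {
        return "Hello " + User.Identity.Name;
    }
}
```

The demand attribute is the "one line per method" on the server; if a method has no demand, any mapped account can call it, so audit every web method for a missing attribute rather than relying on IIS requiring a certificate.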

Conclusion:

With minimal coding (client side: a couple of lines; server side: one line per method) and standard configuration of the infrastructure I achieved:

  • On the caller's side the credentials are managed in a standard, secure way: the client cert sits in the user store
  • Client certificate authentication is considered one of the strongest authentication mechanisms
  • All the data goes over a secure channel, SSL 3 (SSL 3.0 is obsolete today and should be disabled; use TLS 1.2 or later)
  • The web service uses the standard .NET authorization mechanism, which required (almost) no coding

Now tell me why it is not COOL :)

Cheers

Comments

Ohad Israeli wrote:

It is not cool because IIS7 on Vista is missing the client certificate mapping UI, seems like someone forgot to add it... :) So you have to do it by scripting and it's not visual at all!
# February 6, 2007 12:55 AM

alikl wrote:

Ohad, thanks for the constructive criticism!

I'm happy you found the way to map certs to accounts with IIS7 on Vista, I guess it is from the product's blog here:

http://blogs.iis.net/ulad/archive/2007/01/19/vbscript-to-configure-one-to-one-client-certificate-mapping-on-iis7.aspx

This blog entry talks about something usable rather than esoteric - I cannot think why someone needs to map certs on Vista, can you?

Regarding cert mapping with IIS7 on LH - I will be posting this soon, stay tuned :)

Thanks again for your comments

# February 6, 2007 1:52 AM

Ohad Israeli wrote:

Hi Alik, of course I've noticed this script from ulad, which is the only reference available for client certificate mapping in IIS7. The only problem with this scripting is that system.webServer/security/authentication/iisClientCertificateMappingAuthentication is completely undocumented and as such lacks documentation of how to query, for example, a virtual dir to see which certificate it maps, how to remove a mapping from an existing vdir etc... I've started building a client certificate mapping tool for IIS 7 and it's pretty hard to guess the interfaces there without any proper documentation.
# February 7, 2007 2:20 AM
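One way to list, add and remove one-to-one mappings in that configuration section programmatically, as an added example that is not part of the thread: it uses the Microsoft.Web.Administration API (ServerManager) that ships with IIS7 rather than the VBScript linked above. The site name "Default Web Site", the application path "/PartnerWs", the account myServer\PartnerA and the certificate file path are placeholders; the attribute names used (enabled, oneToOneCertificateMappingsEnabled, userName, password, certificate) are those of the IIS7 schema as I know it, and since the thread notes the section was undocumented at the time, verify them against %windir%\system32\inetsrv\config\schema\IIS_schema.xml on the box before relying on them.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Administration;   // %windir%\system32\inetsrv\Microsoft.Web.Administration.dll

// Must run elevated: it edits applicationHost.config through ServerManager.
public class CertMappingTool
{
    const string Section =
        "system.webServer/security/authentication/iisClientCertificateMappingAuthentication";

    // Answers "which certificate does this vdir map, and to whom?" as
    // "userName -> thumbprint" lines. The certificate attribute holds the
    // Base64 DER of the public certificate, so it can be parsed directly.
    public static List<string> ListMappings(string site, string appPath)
    {
        List<string> result = new List<string>();
        using (ServerManager sm = new ServerManager())
        {
            Configuration config = sm.GetWebConfiguration(site, appPath);
            ConfigurationSection section = config.GetSection(Section);
            foreach (ConfigurationElement e in section.GetCollection("oneToOneMappings"))
            {
                byte[] der = Convert.FromBase64String((string)e["certificate"]);
                X509Certificate2 cert = new X509Certificate2(der);
                result.Add((string)e["userName"] + " -> " + cert.Thumbprint);
            }
        }
        return result;
    }

    // Maps one public certificate (.cer, no private key) to a Windows account.
    // Use a dedicated least-privilege account; IIS stores the password encrypted.
    public static void AddMapping(string site, string appPath, string cerFile,
                                  string user, string password)
    {
        X509Certificate2 cert = new X509Certificate2(cerFile);
        using (ServerManager sm = new ServerManager())
        {
            Configuration config = sm.GetWebConfiguration(site, appPath);
            ConfigurationSection section = config.GetSection(Section);
            section["enabled"] = true;
            section["oneToOneCertificateMappingsEnabled"] = true;

            ConfigurationElementCollection mappings = section.GetCollection("oneToOneMappings");
            ConfigurationElement add = mappings.CreateElement("add");
            add["enabled"] = true;
            add["userName"] = user;
            add["password"] = password;
            add["certificate"] = Convert.ToBase64String(cert.GetRawCertData());
            mappings.Add(add);
            sm.CommitChanges();
        }
    }

    // Removes every mapping for the certificate with the given thumbprint
    // (e.g. when a partner's certificate is revoked or rotated).
    public static int RemoveMapping(string site, string appPath, string thumbprint)
    {
        List<ConfigurationElement> doomed = new List<ConfigurationElement>();
        using (ServerManager sm = new ServerManager())
        {
            Configuration config = sm.GetWebConfiguration(site, appPath);
            ConfigurationElementCollection mappings =
                config.GetSection(Section).GetCollection("oneToOneMappings");
            foreach (ConfigurationElement e in mappings)
            {
                X509Certificate2 c = new X509Certificate2(
                    Convert.FromBase64String((string)e["certificate"]));
                if (string.Equals(c.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase))
                    doomed.Add(e);
            }
            // Collect first, then remove: don't mutate the collection while enumerating.
            foreach (ConfigurationElement e in doomed) mappings.Remove(e);
            if (doomed.Count > 0) sm.CommitChanges();
        }
        return doomed.Count;
    }
}
```

Usage: CertMappingTool.AddMapping("Default Web Site", "/PartnerWs", @"C:\certs\partner-a.cer", @"myServer\PartnerA", "<password>"), then ListMappings to confirm and RemoveMapping with the thumbprint when the partner's certificate is retired. The IIS Client Certificate Mapping Authentication module must be installed for the section to take effect, and because a mapping ties a certificate to a real Windows account and password, keep that account local, unprivileged and unable to log on interactively.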

Technology Architecture wrote:

Welcome to the February 19, 2007 edition of Carnival of Enterprise Architecture. Business Process Management Sagar Satapathy presents Nastiest Malware Trends posted at Business Intelligence Lowdown. Sagar Satapathy presents Getting Organized: Lesson #1

# February 19, 2007 10:33 AM

alik levin's wrote:

Windows Authentication Identity Flow Through Physical Tiers Identity Flow Through Physical Tiers - Impersonation

# April 11, 2007 11:06 PM

alik levin's wrote:

To quickly set lab environment I use VPC 2007 ( free download ). It really saves me lots of time. For

# May 29, 2007 9:06 PM

alik levin's wrote:

reposted from here I've previously blogged about SOA Security Inside Enterprise walls This time I had

# May 30, 2007 3:47 PM