I'm not sure if I'm posting the correct place. I posted it somewhere else,
but someone told me to post it at another place.
Anyway, some background first. I am currently building a web application for
my company. This application is going to be hosted with an ISP on a shared
server. And my company doesn't have a static IP.
I want to make part of my web application such that only my company's
computer can access (something like an 'intranet'). Since we don't have a
static IP, maybe we can save a file on my company's computer, so when a user
accesses this part, the server will locate this file on the client's computer
and so on.
I've read up about SSL, and about configuring a web application to require
client certificates. So this is how I understand it. Please correct me if I'm wrong.
1. Firstly, I need to go to a certificate authority's web site to apply for
the certificates. The authority will request a CSR file. So, if I'm putting
my web application on an ISP's web server, my ISP will have to generate the
CSR file for me?
2. I'll receive my server certificate from the authority. My ISP will have
to install the certificate on the web server I'm putting the web application
on.
3. My ISP will also have to configure the IIS Settings of the folder where I
put the part of my application that I want to restrict access, so that client
certificate authentication is enabled.
4. I've to install the client certificate on my company's computer's web
browser.
Thus far, please tell me if any step is wrong.
What I don't understand is the last step: Installing the client certificate.
Will I get a client certificate from the certificate authority? Where
can I get it? Is this client certificate unique? If not, and
someone else's computer also has this client certificate installed, won't he
be able to get through? Won't client certificate authentication
help solve my problem?
Sorry for making this so long. Please kindly advise. Thank you.
"wrytat" <wr****@discussions.microsoft.com> wrote in message
news:29**********************************@microsoft.com...
> <snip>
> 1. Firstly, I need to go to a certificate authority's web site to apply for the certificates. The authority will request a CSR file. So, if I'm putting my web application on an ISP's web server, my ISP will have to generate the CSR file for me?
No, you can generate the CSR yourself using a different machine. In fact,
this would be the generally preferred approach since it will give you better
control of the private key and ensure that you can take the certificate with
you if you change ISPs. However, before choosing any given approach, you
should check with your current ISP to see what approach(es) they are willing
to support.
> 2. I'll receive my server certificate from the authority. My ISP will have to install the certificate on the web server I'm putting the web application on.
Yes. However, unless you are actively involved in this installation, your
ISP will gain access to the private key. Depending on your ISP and service
plan, you may or may not have the option to participate so as to minimize
the exposure of your private key.
There may also be additional considerations related to your site's hosting.
Depending on how your ISP deals with SSL for shared hosting sites,
introduction of SSL for your site may require bumping up to a more expensive
hosting plan. Obviously, you should discuss this with the ISP before making
any final decisions regarding your approach.
> 3. My ISP will also have to configure the IIS Settings of the folder where I put the part of my application that I want to restrict access, so that client certificate authentication is enabled.
Yes.
> 4. I've to install the client certificate on my company's computer's web browser.
For a single client machine, this would be the simplest approach.
> Thus far, please tell me if any step is wrong.
> What I don't understand is the last step: Installing the client certificate.
> Will I get a client certificate from the certificate authority? Where can I get it?
Some commercial CAs do offer this service. Your ISP is also another
potential source.
> Is this client certificate unique?
It is at the time of issuing. If you don't keep it safe from sharing after
it's issued, it won't be.
> If not, and someone else's computer also has this client certificate installed, won't he be able to get through?
Yup.
> Won't client certificate authentication help solve my problem?
Given the potential complexity of implementing an approach based on client
certificates in a shared hosting scenario, I wouldn't recommend it unless
there's really no alternative. I'm guessing that there are better solutions
in your case, but it's a little difficult to tell from your description of
the problem. A few questions...
1. Do you really want to ensure that only one physical machine can connect
to the relevant portion of your application?
2. Is it OK for multiple staff members to use this portion of the
application, or are you trying to limit it to a single staff member?
3. Do you really want the application to be accessible only from within the
company's physical premises, or would it be OK for at least some staff to
access it from elsewhere?
> Sorry for making this so long. Please kindly advise. Thank you.
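The four steps discussed above, as an added worked example (this is not code from the thread or from either poster): the key pair and CSR are generated locally, so only the CSR leaves the machine and the private key never reaches the ISP or the CA; a private CA issues a client-authentication certificate from that CSR; and the server-side checks a TLS terminator such as IIS performs before trusting a presented certificate are written out explicitly. It also makes the uniqueness point concrete: a certificate copied to a second machine is accepted exactly like the original until its serial number is revoked, while a CA that merely reuses the same name cannot forge one. The `cryptography` package, the CA name "Example Intranet CA", the machine name "sales-pc-01" and the lifetimes are assumptions.

```python
"""Toy client-certificate PKI. Added example, not code from the thread;
assumes the `cryptography` package. CA name, machine name and lifetimes are made up."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

DAY = datetime.timedelta(days=1)

def _now():
    return datetime.datetime.now(datetime.timezone.utc)

def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])

def make_key_and_csr(common_name):
    """Step 1, on your own machine: only the CSR (public key + name) leaves it;
    the private key stays with you rather than with the ISP or the CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(_name(common_name)).sign(key, hashes.SHA256()))
    return key, csr

def make_ca(common_name="Example Intranet CA"):
    """Self-signed CA whose certificate the server trusts for client authentication."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(_name(common_name))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now() - DAY).not_valid_after(_now() + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_client_cert(ca_key, ca_cert, csr, days=365):
    """CA side: sign the CSR as a client-authentication certificate."""
    if not csr.is_signature_valid:
        raise ValueError("CSR is not signed by the key it carries")
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now() - DAY).not_valid_after(_now() + days * DAY)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))

def _validity(cert):
    try:  # cryptography >= 42
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:  # older releases return naive UTC datetimes
        return tuple(d.replace(tzinfo=datetime.timezone.utc)
                     for d in (cert.not_valid_before, cert.not_valid_after))

def authenticate_client(ca_cert, presented, revoked_serials=frozenset()):
    """Server side: what a TLS terminator such as IIS must check before trusting
    a presented client certificate. Returns the CN, or None to reject."""
    if presented.issuer != ca_cert.subject:
        return None
    try:  # the signature, not the issuer name, proves our CA issued it
        ca_cert.public_key().verify(presented.signature, presented.tbs_certificate_bytes,
                                    padding.PKCS1v15(), presented.signature_hash_algorithm)
    except InvalidSignature:
        return None
    not_before, not_after = _validity(presented)
    if not not_before <= _now() <= not_after:
        return None
    try:
        eku = presented.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return None
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku or presented.serial_number in revoked_serials:
        return None
    return presented.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def demo():
    ca_key, ca_cert = make_ca()
    _pc_key, pc_csr = make_key_and_csr("sales-pc-01")
    pc_cert = issue_client_cert(ca_key, ca_cert, pc_csr)
    pem = pc_cert.public_bytes(serialization.Encoding.PEM)
    copied = x509.load_pem_x509_certificate(pem)  # same cert installed on a second PC
    rogue_key, rogue_ca = make_ca("Example Intranet CA")  # same name, different key
    rogue_cert = issue_client_cert(rogue_key, rogue_ca, make_key_and_csr("sales-pc-01")[1])
    return {
        "csr_leaks_private_key": b"PRIVATE KEY" in pc_csr.public_bytes(serialization.Encoding.PEM),
        "original": authenticate_client(ca_cert, pc_cert),
        "copied": authenticate_client(ca_cert, copied),  # indistinguishable from the original
        "rogue": authenticate_client(ca_cert, rogue_cert),
        "revoked": authenticate_client(ca_cert, copied, {pc_cert.serial_number}),
    }
```

Run `demo()` to see the five outcomes. On IIS the work of `authenticate_client` is done by "Require client certificates" plus a certificate-to-account mapping against the CA you choose to trust; the example's point is that once a certificate and its private key have been copied, only revocation (or a short lifetime) takes the copy out of circulation, which is why the certificate is only as unique as your control over the machine that holds it.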
Thank you for your reply~ I'm truly touched... Here is my reply,
> 1. Do you really want to ensure that only one physical machine can connect to the relevant portion of your application?
Yes, or perhaps not one, but only selective computers within my company's
physical premises.
> 2. Is it OK for multiple staff members to use this portion of the application, or are you trying to limit it to a single staff member?
Any staff with a user account and password with the system can use this
portion of the application.
> 3. Do you really want the application to be accessible only from within the company's physical premises, or would it be OK for at least some staff to access it from elsewhere?
I think my director wishes to make the application to be accessible only
from within the company's physical premises. That's the start of all
problems... We don't have static IP, we don't have a web server and a
database server, and I don't think they are willing to invest on those.
Anyway, all the ISPs I contacted discouraged me from using SSL client
authentication. They said that form authentication with SSL should be
secure enough. And my manager said that it should be possible for an application
to detect a network card on the client PC, and find its number. But I don't
think it's possible, am I right?
How? What should I do? Please help...
"wrytat" <wr****@discussions.microsoft.com> wrote in message
news:4A**********************************@microsoft.com...
> Thank you for your reply~ I'm truly touched... Here is my reply,
>> 1. Do you really want to ensure that only one physical machine can connect to the relevant portion of your application?
> Yes, or perhaps not one, but only selective computers within my company's physical premises.
Is it possible to reach any of these from outside the network using any type
of remote desktop functionality? If so, anyone who can take advantage of
this will be able to use your "limited" portion of the application even when
they're physically located elsewhere.
>> 2. Is it OK for multiple staff members to use this portion of the application, or are you trying to limit it to a single staff member?
> Any staff with a user account and password with the system can use this portion of the application.
>> 3. Do you really want the application to be accessible only from within the company's physical premises, or would it be OK for at least some staff to access it from elsewhere?
> I think my director wishes to make the application to be accessible only from within the company's physical premises.
What would he/she say if the CEO requested access to this portion of the
application when working from home?
> That's the start of all problems... We don't have static IP, we don't have a web server and a database server, and I don't think they are willing to invest on those.
Any one of these options might actually be cheaper than using the client
certificate approach, particularly when you consider that you might need to
upgrade your hosting plan. Have you actually looked into how much a static
IP would cost?
> Anyway, all the ISPs I contacted discouraged me from using SSL client authentication.
Personally, I would discourage this approach as well.
> They said that form authentication with SSL should be secure enough.
While it sounds like your application should probably be performing user
authentication of some type regardless, it won't do anything to limit
callers to your physical premises.
> And my manager said that it should be possible for an application to detect a network card on the client PC, and find its number. But I don't think it's possible, am I right?
Not in any way that can't be spoofed quite easily. If you're looking for
something really cheap and are willing to tolerate some additional
dependencies and risk, you might want to consider using a service like
dyndns.org to map your dynamic IP to a static name. This would allow your
application to verify whether the caller's IP address matches the name's IP
address at any given time. Of course, making this verification will incur a
pretty big performance hit, so you'll probably want to cache the result of
the verification for at least a few minutes. Also, since it's possible for
the service you'll be verifying against to go down, you'll need to decide
how to handle requests that you can't verify. Please note that I'm not
advocating this solution (IMO, it's pretty sucky), but it at least has the
benefit of very low cost, which seems to be a driving factor on your end.
> How? What should I do? Please help...
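The dynamic-DNS check sketched in the reply above, as an added example (not code from the thread or from either poster): a small gate that resolves the company's DynDNS name, compares it with the caller's address, caches the lookup for a few minutes, and has to decide what to do when the resolver is unreachable. The hostname office.example.dyndns.org, the five-minute TTL and the fail-closed default are assumptions, and the resolver and clock are injectable so the demo runs offline with a constructed scenario. Two caveats the example makes visible: the caller address must be the TCP peer address (REMOTE_ADDR in IIS), never a client-supplied header such as X-Forwarded-For, which anyone can forge; and when the ISP reassigns the office address, the cache keeps trusting the old address (and whoever inherits it) until the TTL expires, while the office itself is locked out for the same interval.

```python
"""Gate requests on the company's dynamic-DNS address.

Added example, not code from the thread. Assumptions: the DynDNS name,
a 5-minute cache TTL, and fail-closed behaviour when DNS is unavailable.
`resolve` and `clock` are injectable so the demo runs offline; in
production pass socket.gethostbyname and time.monotonic.
"""
import ipaddress
import socket
import time


class DynDnsGate:
    def __init__(self, hostname, resolve=socket.gethostbyname,
                 ttl_seconds=300, fail_closed=True, clock=time.monotonic):
        self._hostname = hostname
        self._resolve = resolve
        self._ttl = ttl_seconds
        self._fail_closed = fail_closed
        self._clock = clock
        self._cached = None  # (ip_address, expires_at)

    def company_ip(self):
        """Current address of the DynDNS name, or None if it cannot be resolved.
        Cached for the TTL so not every request costs a DNS round trip."""
        now = self._clock()
        if self._cached is not None and now < self._cached[1]:
            return self._cached[0]
        try:
            ip = ipaddress.ip_address(self._resolve(self._hostname))
        except (OSError, ValueError):  # socket.gaierror is an OSError
            return None
        self._cached = (ip, now + self._ttl)
        return ip

    def allow(self, remote_addr):
        """remote_addr must be the TCP peer address (REMOTE_ADDR), never a
        client-supplied header such as X-Forwarded-For."""
        try:
            caller = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False
        expected = self.company_ip()
        if expected is None:
            # Resolver down: fail closed by default (lock everyone out) rather
            # than open (let everyone in); the reply says you must pick one.
            return not self._fail_closed
        return caller == expected


def demo():
    """Constructed scenario: office at 203.0.113.10, later reassigned to .99."""
    state = {"ip": "203.0.113.10", "t": 0.0, "lookups": 0, "down": False}

    def fake_resolve(name):
        state["lookups"] += 1
        if state["down"]:
            raise socket.gaierror("resolver unavailable")
        return state["ip"]

    def clock():
        return state["t"]

    gate = DynDnsGate("office.example.dyndns.org", resolve=fake_resolve,
                      ttl_seconds=300, clock=clock)
    r = {}
    r["office"] = gate.allow("203.0.113.10")           # True
    r["outsider"] = gate.allow("198.51.100.7")         # False
    r["lookups"] = state["lookups"]                    # 1: second call hit the cache
    state["ip"] = "203.0.113.99"                       # ISP reassigns the office IP
    r["stale_old_ip"] = gate.allow("203.0.113.10")     # True: cache still trusts old IP
    state["t"] = 301.0                                 # TTL expired
    r["expired_old_ip"] = gate.allow("203.0.113.10")   # False
    r["new_ip"] = gate.allow("203.0.113.99")           # True
    state["t"], state["down"] = 700.0, True
    r["dns_down_closed"] = gate.allow("203.0.113.99")  # False: fail closed
    open_gate = DynDnsGate("office.example.dyndns.org", resolve=fake_resolve,
                           fail_closed=False, clock=clock)
    r["dns_down_open"] = open_gate.allow("203.0.113.99")  # True: fail open
    return r


if __name__ == "__main__":
    print(demo())
```

The `lookups` counter is the "performance hit" from the reply made concrete: without the cache, every request pays a DNS round trip; with it, one lookup serves the whole TTL, at the price of the stale window shown by `stale_old_ip`.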
I really have to thank you for your advice. I was feeling so helpless and
didn't know which direction to go before you replied.
> Is it possible to reach any of these from outside the network using any type of remote desktop functionality? If so, anyone who can take advantage of this will be able to use your "limited" portion of the application even when they're physically located elsewhere.
My company does not allow anyone to access the company's information
outside, hence they don't allow any of us to use any remote desktop
functionality.
> What would he/she say if the CEO requested access to this portion of the application when working from home?
Actually this portion only includes functions like assigning passwords to
members, responding to customer's requests and printing report. So, I don't
think the CEO will request access to this portion, as only the sales
department and that director will use it.
> Have you actually looked into how much a static IP would cost?
My manager told me that investing on a static IP address will cost more than
US$700 a month in my country, which is really very expensive. But... recently
my CEO asked my manager to make the CCTV (live video of more than 10 security
cameras) online; something like a live webcast from many, many cameras (They
always have so many "creative" ideas). I have completely no idea how to do
that, and I don't know how my manager is going to resolve it, but I think
most probably they need a static IP as well, or ask for help from the CCTV
provider.
Anyway, am I right to say that I can only use either a static IP address, or
a dynamic DNS? Then, I can use either the IIS Manager's security feature (one
ISP suggests), or the ISP's firewall feature to restrict access based on
IP/domain name? But comparing static IP with dynamic DNS, static IP will be a
lot more reliable? Will these 2 ways incur a big performance hit as well?
I've got a quotation, and it costs around USD200 per month to get a static IP.
That's a lot cheaper than what I thought it was. :) Thanks anyway.
"Nicole Calinoiu" wrote:
> <snip>