WebService Identity- best practice?

I have a web service that talks to SQL Server 2005. At present the WS uses
an SQL Server login and password to connect.

Is this best practice or should I be running the WS under a domain account
and using Integrated Security to connect to SQL Server?

On reading the IIS help it seems that if I create a new application pool and
configure its identity then I can't use Kerberos. Most of the time the WS
is serving users on the LAN but some of the time users will work from home
across the internet. I plan on using WSE 3.0 (and WCF when released) so
authentication and authorisation should happen in the WS rather than the
database I think.

What is best practice with all of this?

Thanks
Michael

Nov 23 '05 #1
Michael

Without knowing all of your exact requirements, here are my thoughts.

1) I believe it's a best practice to use integrated authentication to
connect to the SQL server from your web service instead of sql
authentication. With sql authentication, you have to worry about securely
storing and managing your user id and password. With integrated
authentication you don't have to worry about this and you avoid
passing credentials over the network.

2) Unless you absolutely require each service consumer to have their
own ID in the database, I would recommend setting up a trust-boundary
between your service and your database. Since you have control of both
the service and the database, you can have the database trust the web
service to do proper authentication. Your web service then becomes
responsible for authenticating the service consumers first (using your
WSE 3.0). Once the service has properly authenticated the consumer, the
web service runs under a single windows account and connects to the
database using this ID. The SQL server only accepts this id from the
service and trusts that the service performed its own authentication
properly. Using this pattern, you only have to have your database
manage and authenticate a single ID.

3) With regards to which windows account to have your web service
access the database with, you can just use the default ASPNET process
account or you can create a new domain account. If you choose to use
the least privileged ASPNET account, you will need to ensure it exists
on both your web service and your database service with a synchronized
password. The need to synchronize the password on both machines does
lead to a slightly higher administrative overhead. If you choose to use
a domain account you don't have to worry about this synchronization
but you will need to ensure that you create it as a least-privileged
account so that it only has access to what it needs.

There is an excellent patterns and practices document on MSDN that
discusses options for your scenario in detail. It gives the pros and
cons of a number of different solutions and I would strongly recommend
giving it a read. It expands considerably on the issues I outlined
above.

http://msdn.microsoft.com/library/de...danceIndex.asp

Hope that helps

Peter

Nov 23 '05 #2
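
The setup described in points 2 and 3 of the reply above, as an added example that is not part of the original thread: the web service runs as one least-privileged domain account, connects with integrated security, and the database grants that single identity only what it needs. The account, server, database, schema and role names are hypothetical, and the `api` schema with the service's stored procedures is assumed to exist already.

```sql
-- Added example; every name below is a hypothetical placeholder:
--   CONTOSO\svc-orders-ws  domain account the web service process runs as
--   DBSRV01 / OrdersDb     database server and application database
--   api                    existing schema holding the procedures the service calls
--
-- Connection string in the service's configuration:
--   SQL login (secret to store and protect):
--     Server=DBSRV01;Database=OrdersDb;User ID=ws_login;Password=<secret>;
--   Integrated security (no credential in config):
--     Server=DBSRV01;Database=OrdersDb;Integrated Security=SSPI;

-- 1. Server level: a Windows login for the service account, no server roles.
CREATE LOGIN [CONTOSO\svc-orders-ws] FROM WINDOWS
    WITH DEFAULT_DATABASE = [OrdersDb];
GO

USE [OrdersDb];
GO

-- 2. Database level: map the login to a user and manage rights through a role.
CREATE USER [svc-orders-ws] FOR LOGIN [CONTOSO\svc-orders-ws];
CREATE ROLE [ws_executor];
EXEC sp_addrolemember N'ws_executor', N'svc-orders-ws';  -- SQL Server 2005 syntax
GO

-- 3. Grant EXECUTE on the api schema only. No table permissions are granted;
--    the procedures reach the tables through ownership chaining, provided the
--    api schema and the tables have the same owner.
GRANT EXECUTE ON SCHEMA::[api] TO [ws_executor];
GO

-- 4. Review: list every permission held by the service user and its role.
--    Anything beyond CONNECT and EXECUTE on the api schema is excess privilege.
SELECT pr.name AS principal, pe.state_desc, pe.permission_name, pe.class_desc,
       CASE pe.class WHEN 3 THEN SCHEMA_NAME(pe.major_id)
                     WHEN 1 THEN OBJECT_NAME(pe.major_id) END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'svc-orders-ws', N'ws_executor');

-- 5. Review: confirm the login holds no server-wide administrative role.
SELECT IS_SRVROLEMEMBER('sysadmin', 'CONTOSO\svc-orders-ws') AS is_sysadmin;
```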
