Hi,
you are right - Windows needs the password in plaintext to impersonate a user (having to call LogonUser, which requires a password). Thinking about it - it is the only way Windows can do it.
So if you want to use the Windows infrastructure that's already there you have to combine option 1 or 3 with option 2. If SSL seems too slow to you - buy a SSL processor card (IIS6 supports them) to speed up the encryption.
Another option would be (works only on IIS 6 being a domain member) -
you can leverage the new W2K3 Kerberos S4U services.
1) use wse the send hashed password
2) authenticate the user somehow and provide the cleartext password in UserNameTokenManager
or
1) use a X509 Token
2) authenticate the token somehow
associate the user with a existing windows account (e.g. through a database) and call
WindowsIdentity winid = new WindowsIdentity("user@domain");
WindowsPrincipal principal = new WindowsPrincipal(winid);
you will get a token that you can use for role inspection (calling IsInRole).
To impersonate to access local resources the service has to run as LOCAL SYSTEM
To impersonate to access remote resources, configure constrained delegation in AD for the WebServer (you don't have to be running under SYSTEM in this case)
to enable both scenarios, just call winid.Impersonate();
hope this helps
---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
nntp://news.microsoft.com/microsoft.public.dotnet.framework.webservices/<#v**************@TK2MSFTNGP11.phx.gbl>
Hello all,
I'm trying to do something which I believe is very normal, standard sort of
requirement. I want to secure access to a web service across the Internet
using username/password on the server, then impersonate the account on that
server.
Option 1 - set IIS to basic authentication, which all works great, except
that passwords are transmitted in clear, so that's obviously useless.
Option 2 - as option 1, but encrypt everything using IIS. Seems great, but
runs ridiculously slowly because asymmetric encryption is so ludicrously
slow and a complete waste as there's no need to encrypt much apart from the
password.
On to option 3, WSE, but as far as I can tell from the confused
documentation, the only ways to impersonate are to use Kerberos (no use
here) or plain text passwords (just as bad as option 1). There seems to be
some chat about using hashed passwords, which would be absolutely ideal, but
I've yet to find and useful examples of a token manager which can do this
and just drop-in to an application?
It just seems that MS has really missed the plot here. Why has MS made
something so standard so difficult?
Any pointers, code, hints etc most welcome.
Cheers,
Tim
t_********@hotmail.com
[microsoft.public.dotnet.framework.webservices]