I administer a Server 2003/XP network. A developer has come to me with
a proposal to put in a web service-based application. The workstations
will be XP and the servers 2003 but he can't use Integrated Windows
authentication with the logged-on account because some of the
workstations are shared and have a "department" account (with minimum
access*), so the user will be signing in to the application. They all
have Windows accounts which he wants to pass to the web service so that
it can authenticate the user.
My concern is network security. He's looking at using
System.Net.NetworkCredential to pass the account. I dabble in .NET
myself so I had a look at MSDN. The example code starts with this:
NetworkCredential myCred = new NetworkCredential(
SecurelyStoredUserName, SecurelyStoredPassword,
SecurelyStoredDomain);
but I can't find how the strings are stored securely. Am I right in
thinking that if you put plain text strings in here, that they'd be
passed in plain text across the network? How do you avoid the security
risk? Is SSL the only route? Or am I barking up the wrong tree?
* Yes, I know this is a bad idea but these users don't have time to log
on and off each time they use the shared workstations so we came to
this locked-down workstation compromise.
I suggest you check out the following: http://msdn.microsoft.com/library/de...ebServices.asp
HTH
Ollie Riches
I shall. Thanks very much.
Half of the problem, I find, is knowing where to look!
SG
Hi,
Ask the developer to modify the code. Ask him to use 'new default
credentials' instead of 'new network credential'. Hope this will solve the
problem and still send you the Windows logged-in user credential to the web
service method.
--
Prakash M
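Added example, not part of any post in this thread: NetworkCredential is only a container, and whether the password crosses the network readably depends on the HTTP authentication scheme the client answers and on whether the channel is SSL. The sketch below binds the credential to Negotiate/NTLM for one https URL through CredentialCache; the helper name, URL and account values are assumptions constructed for illustration.

```csharp
using System;
using System.Net;

static class ServiceCredentials
{
    // Hypothetical helper: binds the credential the user typed into the application
    // to one service URL and to challenge-response schemes only.
    public static CredentialCache Build(Uri serviceUri, string user, string password, string domain)
    {
        if (serviceUri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Service URL must be https", "serviceUri");

        NetworkCredential cred = new NetworkCredential(user, password, domain);
        CredentialCache cache = new CredentialCache();
        // Negotiate (Kerberos/NTLM) and NTLM never put the password itself on the wire.
        cache.Add(serviceUri, "Negotiate", cred);
        cache.Add(serviceUri, "NTLM", cred);
        // Deliberately no "Basic" entry: Basic sends base64(user:password),
        // which is readable by anyone on the path unless the channel is SSL.
        return cache;
    }

    static void Main()
    {
        // Constructed sample values, not from the thread.
        Uri uri = new Uri("https://appserver.example.local/Service.asmx");
        CredentialCache cache = Build(uri, "jsmith", "typed-at-login", "EXAMPLE");

        // The cache hands out the credential only for the schemes registered above.
        Console.WriteLine("Negotiate: " + (cache.GetCredential(uri, "Negotiate") != null));
        Console.WriteLine("NTLM:      " + (cache.GetCredential(uri, "NTLM") != null));
        Console.WriteLine("Basic:     " + (cache.GetCredential(uri, "Basic") != null));

        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(uri);
        req.Credentials = cache;      // a generated web service proxy has the same Credentials property
        req.PreAuthenticate = false;  // answer a server challenge only; never volunteer credentials
    }
}
```

Passing a bare NetworkCredential instead of the cache lets the client answer whatever scheme the server offers, Basic included, so the server's IIS authentication settings should be checked alongside the client code.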