HighTechTalks DotNet Forums  

Client Cert Delegation to Web Service

Go Back HighTechTalks DotNet Forums Dotnet Dotnet Security Client Cert Delegation to Web Service

Dotnet Security microsoft.public.dotnet.security


Discuss Client Cert Delegation to Web Service in the Dotnet Security forum.



Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old   
hepsubah
 
Posts: n/a

Default Client Cert Delegation to Web Service - 08-29-2007 , 09:34 AM





I have some secure ASP.NET Web Services (which could become WCF
services) used to generate a secure ASP.NET page. Is there any way to
delegate (impersonate?) the client cert from the user accessing the
page to the secure service ?

Thanks in advance

Doug


Reply With Quote
  #2  
Old   
Dominick Baier
 
Posts: n/a

Default Re: Client Cert Delegation to Web Service - 08-29-2007 , 10:04 AM





IIS has a certificate mapping feature - this allows to map the certificate
to a Windows account (i can't remember if this gives you an impersonatable
token - Joe?).

You could also use protocol transition to do this - but this requires a domain.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Quote:
I have some secure ASP.NET Web Services (which could become WCF
services) used to generate a secure ASP.NET page. Is there any way to
delegate (impersonate?) the client cert from the user accessing the
page to the secure service ?

Thanks in advance

Doug



Reply With Quote
  #3  
Old   
Dominick Baier
 
Posts: n/a

Default Re: Client Cert Delegation to Web Service - 08-29-2007 , 10:04 AM


IIS has a certificate mapping feature - this allows to map the certificate
to a Windows account (i can't remember if this gives you an impersonatable
token - Joe?).

You could also use protocol transition to do this - but this requires a domain.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Quote:
I have some secure ASP.NET Web Services (which could become WCF
services) used to generate a secure ASP.NET page. Is there any way to
delegate (impersonate?) the client cert from the user accessing the
page to the secure service ?

Thanks in advance

Doug



Reply With Quote
  #4  
Old   
Joe Kaplan
 
Posts: n/a

Default Re: Client Cert Delegation to Web Service - 08-29-2007 , 10:36 AM


Yes, the certificate mapping does give you an impersonatable token and if
you use protocol transition (S4U), it should be then possible to delegate
the impersonated security context to the web service via Kerberos
delegation.

As I said before, you can't actually delegate the client certificate SSL
handshake itself since you don't have the private key, but the Kerberos
delegation approach can be made to work.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dominick Baier" <dbaier (AT) pleasepleasenospam_leastprivilege (DOT) com> wrote in
message news:8e6a913a156f38c9b8650bb461d5 (AT) news (DOT) microsoft.com...
Quote:
IIS has a certificate mapping feature - this allows to map the certificate
to a Windows account (i can't remember if this gives you an impersonatable
token - Joe?).

You could also use protocol transition to do this - but this requires a
domain.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

I have some secure ASP.NET Web Services (which could become WCF
services) used to generate a secure ASP.NET page. Is there any way to
delegate (impersonate?) the client cert from the user accessing the
page to the secure service ?

Thanks in advance

Doug



Reply With Quote
  #5  
Old   
Joe Kaplan
 
Posts: n/a

Default Re: Client Cert Delegation to Web Service - 08-29-2007 , 10:36 AM


Yes, the certificate mapping does give you an impersonatable token and if
you use protocol transition (S4U), it should be then possible to delegate
the impersonated security context to the web service via Kerberos
delegation.

As I said before, you can't actually delegate the client certificate SSL
handshake itself since you don't have the private key, but the Kerberos
delegation approach can be made to work.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dominick Baier" <dbaier (AT) pleasepleasenospam_leastprivilege (DOT) com> wrote in
message news:8e6a913a156f38c9b8650bb461d5 (AT) news (DOT) microsoft.com...
Quote:
IIS has a certificate mapping feature - this allows to map the certificate
to a Windows account (i can't remember if this gives you an impersonatable
token - Joe?).

You could also use protocol transition to do this - but this requires a
domain.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

I have some secure ASP.NET Web Services (which could become WCF
services) used to generate a secure ASP.NET page. Is there any way to
delegate (impersonate?) the client cert from the user accessing the
page to the secure service ?

Thanks in advance

Doug



Reply With Quote
Reply

« Previous Thread | Next Thread »



Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.


Contact Us - HighTechTalks DotNet Forums - Archive - Top