.Net Services Security Primer
- Hi,
Can anybody suggest a link to a primer on security for .Net Services? I'm interested in a comparison between the different security models (user name & password, certificates, CardSpace etc). For example, if we use certificates can we use self issued/signed certs or do we have to buy from the likes of Verisign? If we use CardSpace for authentication with our services, can non .Net third parties (PHP for example) still consume our services? What are the relative pros and cons of each mechanism, and how hard is each to implement?
I'm very new to this sort of security, and to the whole 'federation' thing and am looking for somewhere to start.
Thanks.
All Replies
- Hello, if you're using ACS to protect Service Bus, you don't need to worry about how the client was authenticated. You just need to know who the client is, so whether he has access to your service or not. Whatever way the client chooses to authenticate (username/password, certificate, CardSpace), they will all be translated to the username claim by ACS, and passed to your service.
You cannot control how a client authenticates itself. You can only control whether you need the client to be authenticated or not, through the RelayClientAuthenticationType property. The service will have to be authenticated. But if a service is authenticated using CardSpace, a client can still authenticate itself using username/password. So the service is still interoperable.
If the client uses a certificate, both self-signed and real certificates will work.
Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
- Thank you for that answer. A couple of follow-up questions if you don't mind:
You said both self-signed and 'real' certificates work, which is great, but I think I read something somewhere that said self-signed certs will only work during CTP/Beta? Do you know if that is correct or not?
Also, if I don't set up any user names and passwords in my (Azure portal) solution then it seems the client cannot authenticate that way, as there is nothing to match against in the ACS? Same with certificates... if my solution doesn't reference any certificates, then clients can't authenticate with one?
- Yort, the security model for using Service Bus has changed with the Nov 2009 CTP release. For a primer on it please use http://msdn.microsoft.com/en-us/library/dd582773.aspx
-Arnab.
- Thanks heaps for that link, I'll read it shortly.
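The point Lante makes above (the service only decides whether clients must be authenticated, via RelayClientAuthenticationType, while each client picks its own credential type and ACS normalises the result to a username claim) is easiest to see with one relay endpoint and two differently-authenticated clients. The following C# is an added example written for this page, not code from the thread or from Microsoft's SDK samples. The type and property names (NetTcpRelayBinding, TransportClientEndpointBehavior, TransportClientCredentialType and the Credentials sub-properties) are as the editor remembers them from the 2009 .NET Services CTP SDK and are assumptions to check against the SDK you actually have; the solution name, contract, and password placeholder are invented.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using Microsoft.ServiceBus;   // assumed: .NET Services (2009 CTP) relay SDK namespace

// Assumed contract for the example; the thread names no service contract.
[ServiceContract(Name = "IEcho", Namespace = "http://example.invalid/echo")]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text) { return "echo: " + text; }
}

public interface IEchoChannel : IEcho, IClientChannel { }

public static class RelayAuthDemo
{
    // Assumed solution name; use whatever the portal shows for your solution.
    const string Solution = "mySolution";

    // Service side. The only decision the service makes about its clients is
    // RelayClientAuthenticationType: RelayAccessToken means the relay/ACS must
    // authenticate every caller; None lets anonymous callers through.
    public static ServiceHost StartService()
    {
        Uri address = ServiceBusEnvironment.CreateServiceUri("sb", Solution, "Echo");

        var binding = new NetTcpRelayBinding();
        binding.Security.RelayClientAuthenticationType =
            RelayClientAuthenticationType.RelayAccessToken;

        // The service itself must authenticate to the relay. Here it uses the
        // solution's username/password; it could use a certificate or CardSpace
        // instead without changing what clients are allowed to use.
        var serviceCredentials = new TransportClientEndpointBehavior();
        serviceCredentials.CredentialType = TransportClientCredentialType.UserNamePassword;
        serviceCredentials.Credentials.UserName.UserName = Solution;
        serviceCredentials.Credentials.UserName.Password = "<solution password>"; // placeholder

        var host = new ServiceHost(typeof(EchoService), address);
        ServiceEndpoint endpoint = host.AddServiceEndpoint(typeof(IEcho), binding, address);
        endpoint.Behaviors.Add(serviceCredentials);
        host.Open();
        return host;
    }

    // Client side. Two clients, two credential types, one endpoint: ACS turns either
    // credential into the same username claim before the relay forwards the call,
    // so the service code never sees which mechanism was used.
    public static string CallWithPassword(string text)
    {
        var credentials = new TransportClientEndpointBehavior();
        credentials.CredentialType = TransportClientCredentialType.UserNamePassword;
        credentials.Credentials.UserName.UserName = Solution;
        credentials.Credentials.UserName.Password = "<solution password>"; // placeholder
        return Call(credentials, text);
    }

    public static string CallWithCertificate(string text, X509Certificate2 certificate)
    {
        var credentials = new TransportClientEndpointBehavior();
        credentials.CredentialType = TransportClientCredentialType.X509Certificate; // assumed enum member
        credentials.Credentials.ClientCertificate.Certificate = certificate;       // assumed property path
        return Call(credentials, text);
    }

    static string Call(TransportClientEndpointBehavior credentials, string text)
    {
        Uri address = ServiceBusEnvironment.CreateServiceUri("sb", Solution, "Echo");
        var factory = new ChannelFactory<IEchoChannel>(
            new NetTcpRelayBinding(), new EndpointAddress(address));
        factory.Endpoint.Behaviors.Add(credentials);
        using (IEchoChannel channel = factory.CreateChannel())
        {
            channel.Open();
            return channel.Echo(text);
        }
    }
}
```

Both CallWithPassword and CallWithCertificate target the endpoint StartService opens; the certificate client can hand in a self-signed X509Certificate2 loaded from a .pfx, which matches the answer's statement that self-signed and CA-issued certificates are treated alike. Set RelayClientAuthenticationType.None on the service binding and the relay will forward unauthenticated callers too, which is the only authentication decision the service side gets to make.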