asmx web service security and digest authentication

  • Question

  • WebServiceDemo

    using System;
    using System.Web.Services;

    namespace WebServiceDemo
    {
        /// <summary>
        /// Summary description for WebService1
        /// </summary>
        [WebService(Namespace = "http://tempuri.org/")]
        [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
        [System.ComponentModel.ToolboxItem(false)]
        // To allow this Web Service to be called from script, using ASP.NET AJAX, uncomment the following line. 
        // [System.Web.Script.Services.ScriptService]
        public class WebService1 : System.Web.Services.WebService
        {
    
            [WebMethod]
            public string HelloWorld()
            {
                return "Hello World";
            }
    
            [WebMethod]
            public string ReverseString(string s)
            {
                System.Threading.Thread.Sleep(5000);
                char[] a = s.ToCharArray();
                Array.Reverse(a);
                return new string(a);
            }
        }
    }

    WebServiceClient

    using System;
    using System.Net;

    namespace WebServiceClient
    {
        class Program
        {
            static void Main(string[] args)
            {
                TestWebService.WebService1 p = new TestWebService.WebService1();
    
                CredentialCache credentialCache = new CredentialCache();
    
                var username = @"username";
                var pwd = @"password";
                var domain = @"domain";
                // Create a new instance of NetworkCredential using the client
                // credentials.
                NetworkCredential credentials = new
                   NetworkCredential(username, pwd, domain);
    
                // Add the NetworkCredential to the CredentialCache.
                credentialCache.Add(new Uri(p.Url),
                                    "Digest", credentials);
    
                p.Credentials = credentialCache;
    
                Console.WriteLine(p.HelloWorld());
            }
        }
    }

    Just look at the service side and you will notice that the user credentials validation code is not there. So tell me, how are user credentials validated in digest auth?

    Please guide me. Thanks.

    Monday, November 28, 2016 12:23 PM

All replies

  • Hi Mou_inn,

    >> Just look at the service side and you will notice that the user credentials validation code is not there. So tell me, how are user credentials validated in digest auth?

    I assume you have hosted your web service in IIS, and you have configured your web service with Digest Authentication Enabled. If so, digest authentication will be validated by IIS.

    When a client attempts to access a resource requiring Digest authentication, IIS sends a challenge to the client to create a digest and send it to the server. The client concatenates the password with data known to both the server and the client. The client then applies a digest algorithm (specified by the server) to the combined data. The client sends the resulting digest to the server as the response to the challenge. The server uses the same process as the client to create a digest using a copy of the client's password it obtains from Active Directory, where the password is stored using reversible encryption. If the digest created by the server matches the digest created by the client, IIS authenticates the client. IIS uses a subauthentication DLL (iissuba.dll) to authenticate the user, resulting in a network logon.

    I suggest you refer to the link below for more information.

    # Digest

    https://msdn.microsoft.com/en-us/library/aa292114(v=vs.71).aspx

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Marked as answer by Sudip_inn Friday, December 2, 2016 2:17 PM
    Tuesday, November 29, 2016 3:02 AM
  • I am just trying to say that if you look at the server-side code, you will notice that the service-side code does not authenticate the user with the credentials the client sends to the server side.

    var username = @"username";
    var pwd = @"password";
    var domain = @"domain";
    // Create a new instance of NetworkCredential using the client
    // credentials.
    NetworkCredential credentials = new
       NetworkCredential(username, pwd, domain);

    // Add the NetworkCredential to the CredentialCache.
    credentialCache.Add(new Uri(p.Url),
                        "Digest", credentials);

    My question is: HOW can IIS grab the credentials and validate the user against Windows AD, and if the user credentials are invalid, how will a proper error message be sent to the client side?

    Tuesday, November 29, 2016 10:00 AM
  • Hi Mou_inn,

    >> HOW can IIS grab the credentials and validate the user against Windows AD

    As the above link says, IIS uses a subauthentication DLL (iissuba.dll) to authenticate the user, resulting in a network logon. I tried to find a deeper description of iissuba.dll, but there is nothing; I am afraid it is not open source.

    >> if the user credentials are invalid, how will a proper error message be sent to the client side?

    You will get an error “HTTP/1.1 401 Unauthorized”.

    In my opinion, I would suggest you focus on how to achieve Digest at the client side. Server-side authentication is achieved by IIS, and you just need to configure your service on IIS with Digest Authentication enabled.

    Best Regards,

    Edward



    Wednesday, November 30, 2016 1:55 AM
  • You said: The client then applies a digest algorithm (specified by the server) to the combined data.

    See the above code; there is no specific code for the digest algorithm.

    Do you mean this line?

    credentialCache.Add(new Uri(p.Url), "Digest", credentials);

    Will the word digest add the digest algorithm?

    Please guide. Thanks.

    Friday, December 2, 2016 2:18 PM
  • Hi Mou_inn,

    >> Will the word digest add the digest algorithm?

    Digest will tell the client to use digest authentication, and it applies a hash function to the username and password before sending them over the network.

    You could refer to the link below for more information.

    # Digest access authentication

    https://en.wikipedia.org/wiki/Digest_access_authentication

    Best Regards,

    Edward



    Tuesday, December 6, 2016 7:28 AM
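
The challenge/response computation described in the replies above, as an added example that is not part of the original thread and is not IIS or .NET source code. It computes the RFC 2617 Digest response (MD5, qop=auth) on the client side and repeats the server-side recompute-and-compare; the class and method names are hypothetical, and the sample values are the ones used in the worked example of RFC 2617, section 3.5.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class DigestDemo // hypothetical name, for illustration only
{
    // Lower-case hex MD5 of a string, the hash used by RFC 2617 Digest.
    static string Md5Hex(string s)
    {
        using (MD5 md5 = MD5.Create())
            return BitConverter.ToString(md5.ComputeHash(Encoding.UTF8.GetBytes(s)))
                               .Replace("-", "").ToLowerInvariant();
    }

    // response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth.
    // The password only enters HA1; it is never sent on the wire.
    static string Response(string user, string realm, string password, string method,
                           string uri, string nonce, string nc, string cnonce)
    {
        string ha1 = Md5Hex(user + ":" + realm + ":" + password);
        string ha2 = Md5Hex(method + ":" + uri);
        return Md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    // Compare without exiting early on the first differing character.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        const string realm = "testrealm@host.com", uri = "/dir/index.html";
        const string nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"; // from the 401 challenge
        const string nc = "00000001", cnonce = "0a4f113b";         // chosen by the client

        // Client side: the value a Digest credential handler puts in the Authorization header.
        string sent = Response("Mufasa", realm, "Circle Of Life", "GET", uri, nonce, nc, cnonce);
        // Self-check against the response value given in the RFC's example.
        Console.WriteLine(sent == "6629fae49393a05397450978507c4ef1");

        // Server side: recompute from its own copy of the secret, then compare.
        string expected = Response("Mufasa", realm, "Circle Of Life", "GET", uri, nonce, nc, cnonce);
        Console.WriteLine(FixedTimeEquals(sent, expected) ? "200 OK" : "401 Unauthorized");

        // A wrong password produces a different digest, so the server answers 401.
        string bad = Response("Mufasa", realm, "wrong", "GET", uri, nonce, nc, cnonce);
        Console.WriteLine(FixedTimeEquals(bad, expected) ? "200 OK" : "401 Unauthorized");
    }
}
```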