none
How to secure ASMX proxy creation RRS feed

  • Question

  • suppose this is my sample proxy creation url http://localhost:52662/Test1.asmx

    if any one know this then he can generate proxy class from their VS IDE. so tell me what options available to secure the above url as a result unknown person can not create proxy even if they know the url.

    do i need to turn on digest auth in iis because if i turn on digest auth then when anyone try to access the above url to create proxy then win auth dialog box will come and ask for credentials. unknown user will not be able to feed user name because they wont know the valid credentials of windows domain where service is hosted.

    so now question is how a client can create a proxy? i guess in this scenario i have to supply wsdl file to client over mail.

    so just tell me my thinking is right to secure asmx proxy to use digest auth.

    Friday, December 30, 2016 12:42 PM

Answers

  • Hi Mou_inn,

    >> just tell me my thinking is right to secure asmx proxy to use digest auth

    Yes, you are right. If you want to secure proxy creation url, you could use digest auth which is built-in authentication function in IIS.

    >> now question is how a client can create a proxy?

    You could supply wsdl file to client. Or, client could generate proxy class from VS IDE which will alert them to enter UserName and Password when them Add Web Reference from VS.

    Note, when adding Service reference from VS, you will need to enter UserName and password multiple times.

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, January 2, 2017 4:37 AM
  • Hi Mou_inn,

    >> please include a good tutorial which guide me how to use HttpTokens to protect proxy creation for unknown client.

    What do you mean by “HttpTokens”? For this new issue, I would suggest you post a new thread for this issue.

    >> when client need to enter UserName and password multiple times ?

    As my test, it does. I think you could try it to check the result.

    >> domain name will be checked by digest auth if yes then unknown client may not be able to create proxy even after entering right credentials.

    No, unknown client will be able to create proxy with valid credentials.

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Marked as answer by Sudip_inn Friday, January 13, 2017 8:25 AM
    Wednesday, January 11, 2017 6:38 AM
  • Hi Mou_inn,

    >>it means digest auth just check user id and pwd against windows active directory. am i right ?

    Yes, you are right.

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Marked as answer by Sudip_inn Tuesday, January 17, 2017 11:35 AM
    Tuesday, January 17, 2017 5:19 AM

All replies

  • How a client can create a Proxy : If they have the Service URL, they should be able to create the Proxy.

    If Clients also using Visual Studio, If they could right click on the solution they will be able to see this

    ADD > Service Reference/Web Reference.  This will create the Proxy.

    In my experience we used HttpTokens, Certificates and user credentials with services.

    May you could check this link on Digest Authentication

    https://msdn.microsoft.com/en-us/library/ms996415.aspx

    Hope this helps.

    Friday, December 30, 2016 2:51 PM
  • Hi Mou_inn,

    >> just tell me my thinking is right to secure asmx proxy to use digest auth

    Yes, you are right. If you want to secure proxy creation url, you could use digest auth which is built-in authentication function in IIS.

    >> now question is how a client can create a proxy?

    You could supply wsdl file to client. Or, client could generate proxy class from VS IDE which will alert them to enter UserName and Password when them Add Web Reference from VS.

    Note, when adding Service reference from VS, you will need to enter UserName and password multiple times.

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, January 2, 2017 4:37 AM
  • please include a good tutorial which guide me how to use HttpTokens to protect proxy creation for unknown client. thanks
    Tuesday, January 10, 2017 9:03 AM
  • you said - Note, when adding Service reference from VS, you will need to enter UserName and password multiple times.

    when client need to enter UserName and password multiple times ?

    if client from other country some how enter a valid user name and pwd then they will be able to create proxy ?

    domain name will be checked by digest auth if yes then unknown client may not be able to create proxy even after entering right credentials. please share your thoughts. thanks


    Tuesday, January 10, 2017 9:05 AM
  • Hi Mou_inn,

    >> please include a good tutorial which guide me how to use HttpTokens to protect proxy creation for unknown client.

    What do you mean by “HttpTokens”? For this new issue, I would suggest you post a new thread for this issue.

    >> when client need to enter UserName and password multiple times ?

    As my test, it does. I think you could try it to check the result.

    >> domain name will be checked by digest auth if yes then unknown client may not be able to create proxy even after entering right credentials.

    No, unknown client will be able to create proxy with valid credentials.

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Marked as answer by Sudip_inn Friday, January 13, 2017 8:25 AM
    Wednesday, January 11, 2017 6:38 AM
  • i assume and said -

    >> domain name will be checked by digest auth if yes then unknown client may not be able to create proxy even after entering right credentials.

    and you said :- No, unknown client will be able to create proxy with valid credentials.

    it means digest auth just check user id and pwd against windows active directory. am i right ?


    Friday, January 13, 2017 8:26 AM
  • Hi Mou_inn,

    >>it means digest auth just check user id and pwd against windows active directory. am i right ?

    Yes, you are right.

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Marked as answer by Sudip_inn Tuesday, January 17, 2017 11:35 AM
    Tuesday, January 17, 2017 5:19 AM