
Saturday, March 31, 2012

Web server Busy Problem

hi,
I have an application that connects to another server when the user presses
a button, but the problem is that if the user clicks the button many times
an error page appears:
"There are too many people accessing the Web site at this time."

so I want a way to work around it so the user can't click the button
twice before IIS finishes executing the first-time postback code.

thanx,

hi,
I meant to say that I want a way to let the user of a web application
press the button only one time before the request returns (the
postback process takes around 10 seconds). Within those 10 seconds I don't
want the user to press the button again.

I think you are fixing the thing that is not broken.

This message happens on IIS development version which comes with Windows XP
or Win2000 workstation.

Once you move your application to Windows Server edition you will not have
that problem.

George.

"Octopus0" <ahmadbsher@.gmail.com> wrote in message
news:1144049233.021016.107170@.i40g2000cwc.googlegroups.com...
> hi,
> I have an application that connect to another server when the user
> press
> a button but the problem is that if the user clicked the button many
> times
> and error page
> " There are too many people accessing the Web site at this time. "
> so i want a way to work around it so the user can't click the button
> twice before IIS finish executing the first time code postback.
>
> thanx,

Wednesday, March 28, 2012

Web Service - get remote machine/network parameters

I know that writing ASPX app we easily can get all required information
about remote machine and network right from the user's browser using this
request:

NameValueCollection coll = Request.ServerVariables;

But what if we write a Web Service? What can we do in this case? How can we
get the remote machine IP and the HostName for example? Do we have any way
that can be used from the Web Service for that? I know that I probably can
get the same info at the remote machine and send it to the Web Service for
logging, but actually it's always easy, because some of the clients are
working from their LANs and the real IP exposed by their Internet Providers
is hard to be received.

The question - how can we get a reliable information about remote network,
user, machine, etc?

Just D.

What if you try:

HttpContext.Current.Request.ServerVariables.ToString();

Does that work?

Kind regards,
Nikander & Margriet Bruggeman

"Just D." wrote:

> I know that writing ASPX app we easily can get all required information
> about remote machine and network right from the user's browser using this
> request:
> NameValueCollection coll = Request.ServerVariables;
> But what if we write a Web Service? What can we do in this case? How can we
> get the remote machine IP and the HostName for example? Do we have any way
> that can be used from the Web Service for that? I know that I probably can
> get the same info at the remote machine and send it to the Web Service for
> logging, but actually it's always easy, because some of the clients are
> working from their LANs and the real IP exposed by their Internet Providers
> is hard to be received.
> The question - how can we get a reliable information about remote network,
> user, machine, etc?
> Just D.
>
>
yeah it will work definitely...

From http://www.google.co.in/search?hl=en&q="HttpContext.Current.Request.ServerVariables().tostring"&btnG=Search&meta=

Posted via DevelopmentNow.com Groups
http://www.developmentnow.com

web service 401 unauthorized

I am using Avanade ACA web services which I guess uses .net web
services under the wraps. My requirement is use windows authentication
and allow user identity to pass thru to the web service and then to a
database.
I have two websites in the same box - one is the UI and other is the
webservices. It works when I have anonymous clicked on in the
webservices but it does not work when I switch this off and windows
authentication on. It throws the exception - system.net.webexception
401 Unauthorized.
I have tried using
<system.net>
  <defaultProxy useDefaultCredentials="true" />
</system.net>
in the web services but with no success. I have also given all
permissions to the Network Service (default app pool identity) for the
file system for the web site.
Now this looks like a common problem with .net web services and I am
not sure what else I can try.
Anyone done this before or have some idea?
Thanks in advance
Kishan

a Webservice method call simply transmits a SOAP envelope; no windows
credentials are included. So using Windows authentication in the IIS without
some sort of mechanism to transmit credentials as one would get with a normal
browser request that knows how to reply to the www-authenticate challenge is
not going to work.
-- Peter
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short Urls & more: http://ittyurl.net
"kishan.bisht@.gmail.com" wrote:

> I am using Avanade ACA web services which I guess uses .net web
> services under the wraps. My requirement is use windows authentication
> and allow user identity to pass thru to the web service and then to a
> database.
> I have two websites in the same box - one is the UI and other is the
> webservices. It works when I have anonymous clicked on in the
> webservices but it does not work when I switch this off and windows
> authentication on. It throws the exception - system.net.webexception
> 401 Unathorrized.
> I have tried using
> <system.net>
> <defaultProxy useDefaultCredentials="true">
> <system.net>
> in the web services but with no success. I have also given all
> permissions to the Network Service (default app pool identity) for the
> file system for the web site.
> Now this looks like a common problem with .net web services and I am
> not sure what else I can try.
> Anyone done this before or have some idea?
> Thanks in advance
> Kishan
>
On Mar 20, 12:46 am, Peter Bromberg [C# MVP]
<pbromb...@.yahoo.NoSpamMaam.com> wrote:
> a Webservice method call simply transmits a SOAP envelope; no windows
> credentials are included. So using Windows authentication in the IIS without
> some sort of mechanism to transmit credentials as one would get with a normal
> browser request that knows how to reply to the www-authenticate challenge is
> not going to work.
> -- Peter
> Site: http://www.eggheadcafe.com
> UnBlog: http://petesbloggerama.blogspot.com
> Short Urls & more: http://ittyurl.net
>
> "kishan.bi...@.gmail.com" wrote:
>
Thanks Peter.
So that means if I need to invoke web services programmatically from
the asp.net I will have to explicitly set user credentials on the SOAP
header.
Is there something built into the framework to do that?
Kishan

Saturday, March 24, 2012

Web service Impersonation?

When I set up impersonation in the web.config file and specify a user and
password I get strange results. This line of code will get me the user
account I set to impersonate:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
This line of code will get me my user account every time:
System.Threading.Thread.CurrentPrincipal.Identity.Name
What's the difference? Shouldn't they both be the user I am trying to
impersonate?
Thanks
Frank Wisniewski MCSE 4.0, MCP+I, A+
f p w 2 3 @. h o t m a i l . c o m

Frank,
No, they should not. When you impersonate through the WindowsIdentity
object, it does not change the current principal on the thread. The reason
for this is that you can have different implementations of IPrincipal which
don't necessarily map to windows users and groups. To that end, having
WindowsIdentity change the current thread's principal would be wrong.
Hope this helps.
- Nicholas Paldino [.NET/C# MVP]
- mvp@.spam.guard.caspershouse.com
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5cf8c$1_2@.mcse.ms...
> When I set up impersonation in the web.config file and specify a user and
> password I get strange results. This line of code will get me the user
> account I set to impersonate:
> System.Security.Principal.WindowsIdentity.GetCurrent().Name
> This line of code will get me my user account ever time:
> System.Threading.Thread.CurrentPrincipal.Identity.Name
> What's the difference? shouldn't they both be the user I am trying to
> impersonate?
> Thanks
>
> Frank Wisniewski MCSE 4.0, MCP+I, A+
> f p w 2 3 @. h o t m a i l . c o m
>
Thanks Nicholas,
But how do you know which Principal is being used by your code? Let's say I
have a routine that writes a file to the local directory, how do I ensure
that code is using my impersonated user's rights?
Frank Wisniewski MCSE 4.0, MCP+I, A+
f p w 2 3 @. h o t m a i l . c o m
"Nicholas Paldino [.NET/C# MVP]" <mvp@.spam.guard.caspershouse.com> wrote in
message news:%23GhWBSH3EHA.2676@.TK2MSFTNGP12.phx.gbl...
> Frank,
> No, they should not. When you impersonate through the WindowsIdentity
> object, it does not change the current principal on the thread. The reason
> for this is that you can have different implementations of IPrincipal which
> don't necessarily map to windows users and groups. To that end, having
> WindowsIdentity change the current thread's principal would be wrong.
> Hope this helps.
>
> --
> - Nicholas Paldino [.NET/C# MVP]
> - mvp@.spam.guard.caspershouse.com
> "Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
> news:41b5cf8c$1_2@.mcse.ms...
>
is your server trusted for delegation?
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5cf8c$1_2@.mcse.ms...
> When I set up impersonation in the web.config file and specify a user and
> password I get strange results. This line of code will get me the user
> account I set to impersonate:
> System.Security.Principal.WindowsIdentity.GetCurrent().Name
> This line of code will get me my user account ever time:
> System.Threading.Thread.CurrentPrincipal.Identity.Name
> What's the difference? shouldn't they both be the user I am trying to
> impersonate?
> Thanks
>
> Frank Wisniewski MCSE 4.0, MCP+I, A+
> f p w 2 3 @. h o t m a i l . c o m
>
Frank,
The code will use the rights of whomever the thread is currently running
under. If you always want to base this on the Windows identity, you can
call the static GetCurrent method on the WindowsIdentity type, passing true
for the ifImpersonating parameter.
- Nicholas Paldino [.NET/C# MVP]
- mvp@.spam.guard.caspershouse.com
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5d307$1_1@.mcse.ms...
> Thanks Nicholas,
> But how do you know which Principal is being used by your code. Lets say I
> have a routine that writes a file to the local directory, how do I ensure
> that code is using my impersonated users rights?
> --
> Frank Wisniewski MCSE 4.0, MCP+I, A+
> f p w 2 3 @. h o t m a i l . c o m
> "Nicholas Paldino [.NET/C# MVP]" <mvp@.spam.guard.caspershouse.com> wrote
> in message news:%23GhWBSH3EHA.2676@.TK2MSFTNGP12.phx.gbl...
>
asp.net separates the thread identity from the authenticated user identity.
when the user is authenticated (not anonymous), you have three options:
1) the thread runs as the asp.net account (default)
2) the thread impersonates the authentication account (must use windows
authentication). set impersonate=true in web config
3) the thread impersonates the account specified in the web config.
you picked the third option, so the CurrentPrincipal is the authenticated
account and WindowsIdentity is the thread identity.
note: CurrentPrincipal is a WindowsIdentity only if windows authentication is
used.
-- bruce (sqlwork.com)
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5cf8c$1_2@.mcse.ms...
| When I set up impersonation in the web.config file and specify a user and
| password I get strange results. This line of code will get me the user
| account I set to impersonate:
| System.Security.Principal.WindowsIdentity.GetCurrent().Name
|
| This line of code will get me my user account ever time:
|
| System.Threading.Thread.CurrentPrincipal.Identity.Name
|
| What's the difference? shouldn't they both be the user I am trying to
| impersonate?
|
| Thanks
|
|
| Frank Wisniewski MCSE 4.0, MCP+I, A+
| f p w 2 3 @. h o t m a i l . c o m
|
|
I am running it from my local machine which is part of the domain, is that
what you are asking?
Frank Wisniewski MCSE 4.0, MCP+I, A+
f p w 2 3 @. h o t m a i l . c o m
"Consultant" <consultant_mcngp@.yahoodotcom> wrote in message
news:%23KRylVH3EHA.1152@.TK2MSFTNGP14.phx.gbl...
> is your server trusted for delegation?
> "Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
> news:41b5cf8c$1_2@.mcse.ms...
>
no, in order for impersonation to work, the server must be trusted for
delegation within active directory
"Frank Wisniewski" <fpw23@.hotmail.com> wrote in message
news:41b5f9bd_1@.mcse.ms...
>I am running it from my local machine which is part of the domain, is that
> what you are asking?
> --
> Frank Wisniewski MCSE 4.0, MCP+I, A+
> f p w 2 3 @. h o t m a i l . c o m
> "Consultant" <consultant_mcngp@.yahoodotcom> wrote in message
> news:%23KRylVH3EHA.1152@.TK2MSFTNGP14.phx.gbl...
>

Thursday, March 22, 2012

Web Service Session trouble :(

hi guys,
I've a couple of web services.
The first one authenticates a user, and saves the principal in the session
object.
The second one authorizes after reading the user data from the session.
Up to now, those two worked wonderfully, and we've had no problems with
them. but now, we're using NUnit to build some tests for the services, and a
C# class as the test. It first makes a call to the login service (which
succeeds) and then to the other service, which fails because there is no
current user principal in the session !
I thought it was because the two service stubs were in different namespaces.
But I can't help that, VS.NET won't let you add two web references with the
same namespace name.
Does anybody know what might be going on here ?
Cheers,
Angel
O:]

Angelos Karantzalis wrote:
> hi guys,
> I've a couple of web services.
> The first one authenticates a user, and saves the principal in the
> session object.
> The second one authorizes after reading the user data from the
> session.
> Up to now, those two worked wonderfully, and we've had no problems
> with them. but now, we're using NUnit to build some tests for the
> services, and a C# class as the test. It first makes a call to the
> login service (which succeeds) and then to the other service, which
> fails because there is no current user principal in the session !
> I though it was because the two service stubs were in different
> namespaces. But I can't help that, VS.NET won't let you add two web
> references with the same namespace name.
> Does anybody know what might be going on here ?
> Cheers,
> Angel
> O:]
Sessions work with cookies. Usually when you call a webservice from
some client, cookies are ignored!
You need to add a place to store those cookies: a CookieContainer.
First create one, then add it to the webservice calls that should work
with the same session.
Hans Kesting

i assume the web services are in the same vdir, if this is true, then
sessions will be shared - namespace does not matter.
you will also have to add support for the session cookie to your nunit code.
as the unit tests run in separate domain, you will also need some way to
pass the session id from call1 to call2 (globals will not work)
you might want to have a predefined session id used by unit tests, then the
second caller can call a mocker of the authentication call to get the test
session id.
unless you are writing an acceptance test, i would not use the web service.
I would have unit tests call the modules directly, and supply a mocker for
the web service proxy.
-- bruce (sqlwork.com)
"Angelos Karantzalis" <akarantzalis@.yahoo.com> wrote in message
news:uS5ON4mxEHA.3572@.TK2MSFTNGP10.phx.gbl...
| hi guys,
|
| I've a couple of web services.
|
| The first one authenticates a user, and saves the principal in the session
| object.
| The second one authorizes after reading the user data from the session.
|
| Up to now, those two worked wonderfully, and we've had no problems with
| them. but now, we're using NUnit to build some tests for the services, and a
| C# class as the test. It first makes a call to the login service (which
| succeeds) and then to the other service, which fails because there is no
| current user principal in the session !
|
| I though it was because the two service stubs were in different namespaces.
| But I can't help that, VS.NET won't let you add two web references with the
| same namespace name.
|
| Does anybody know what might be going on here ?
|
| Cheers,
| Angel
| O:]
|
|
> Sessions work with cookies. Usually when you call a webservice from
> some client, cookies are ignored!
> You need to add a place to store those cookies: a CookieContainer.
> First create one, then add it to the webservice calls that should work
> with the same session.
> Hans Kesting
>
Thanks Hans, that's more or less what I'd figured. Could you point me to some
info on how to add a CookieContainer to the web service stubs ?
Cheers,
Angel
O;]
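
The CookieContainer point from this thread, as an added example that is not part of the original posts: a local HttpListener stands in for the login and protected services, and the client calls both with and without a shared CookieContainer. The port, paths, cookie name and proxy names in the comments are assumptions made for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.Threading;

// Added example. Port, paths and cookie name are constructed for the demo.
static class SessionCookieDemo
{
    const string BaseUrl = "http://localhost:8099/";

    // Unpredictable session id, hex encoded so it is safe as a cookie value.
    static string NewSessionId()
    {
        byte[] raw = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        return BitConverter.ToString(raw).Replace("-", "");
    }

    // Stand-in for the two services: /login issues a session cookie,
    // /profile answers 200 only if a known session cookie comes back.
    static void Serve(HttpListener listener, int requests)
    {
        var sessions = new HashSet<string>();
        for (int i = 0; i < requests; i++)
        {
            HttpListenerContext ctx = listener.GetContext();
            if (ctx.Request.Url.AbsolutePath == "/login")
            {
                string id = NewSessionId();
                sessions.Add(id);
                ctx.Response.AppendCookie(
                    new Cookie("DemoSessionId", id, "/") { HttpOnly = true });
            }
            else
            {
                Cookie sent = ctx.Request.Cookies["DemoSessionId"];
                bool known = sent != null && sessions.Contains(sent.Value);
                ctx.Response.StatusCode = known ? 200 : 401;
            }
            ctx.Response.Close();
        }
    }

    // One HTTP call. With jar == null the client drops Set-Cookie and sends
    // no Cookie header, which is the behaviour the failing test ran into.
    static HttpStatusCode Call(string path, CookieContainer jar)
    {
        var req = (HttpWebRequest)WebRequest.Create(BaseUrl + path);
        req.CookieContainer = jar;
        try
        {
            using (var resp = (HttpWebResponse)req.GetResponse())
                return resp.StatusCode;
        }
        catch (WebException ex)
        {
            var resp = ex.Response as HttpWebResponse;
            if (resp == null) throw;          // not an HTTP-level failure
            using (resp) return resp.StatusCode;
        }
    }

    static void Main()
    {
        var listener = new HttpListener();
        listener.Prefixes.Add(BaseUrl);
        listener.Start();
        var server = new Thread(() => Serve(listener, 4)) { IsBackground = true };
        server.Start();

        // 1) No container: login succeeds, but the session cookie is lost.
        Call("login", null);
        Console.WriteLine("no container:     " + Call("profile", null));

        // 2) One container shared by both calls: the cookie is replayed.
        var jar = new CookieContainer();
        Call("login", jar);
        Console.WriteLine("shared container: " + Call("profile", jar));

        // Generated SOAP proxies expose the same CookieContainer property, so
        // the equivalent there is (hypothetical proxy names):
        //   loginProxy.CookieContainer = jar;
        //   otherProxy.CookieContainer = jar;
        server.Join();
        listener.Stop();
    }
}
```

Treat the container like a credential in test code: it holds the live session cookie, so keep it scoped to the test fixture rather than in a long-lived static.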

Web Services

I need to write a webservice that will return user profile information. The information I need back is first name, last name, ID number. Where can I find some sample code?

Thanks

bthumber

Check out these links:

http://aspnet.4guysfromrolla.com/articles/062602-1.aspx

samples.gotdotnet.com/quickstart/aspplus/doc/webservicesintro.aspx

Hope this helps,

Vivek

Monday, March 12, 2012

Web services and security

I want to make a security system in my webservice similar to the one that
reporting services uses it has a logon user and logoff user web method...
when you log on it logs you into a session and maintains your logged in
status until you log off or timeout... I dont want to have to pass
username/pass back and forth each time I call a method... I want to use
sessions and I need a custom authentication and authorization method for our
service (its how we defined it to work) how would you go about doing this?
In reporting services it uses a web service to do it in this order

Connect to web service with no IIS authentication
Log into Web service via a public webmethod called LogonUser
Webservice consumer has a cookie container and credentials set to
CredentialCache.DefaultNetworkCredentials

user logs on, all web methods now run as that user until user timesout or
calls LogOffUser

any ideas on how to do this? its basically like forms authentication just in
a web service and no login form... thanks!

A better option is to use WSE 3.0 (WS-Security). You can attach an 509
certificate, which will be more secure, and have less overhead, than adding
a session to the web service. It is also standards based, which allows you
to dupe the methodology for systems that have to be contacted from Java
(example).

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
http://gregorybeamer.spaces.live.com
*********************************************
Think outside the box!
*********************************************
"Smokey Grindle" <nospam@.dontspamme.com> wrote in message
news:u0KT49bhHHA.4064@.TK2MSFTNGP03.phx.gbl...

>I want to make a security system in my webservice similar to the one that
>reporting services uses it has a logon user and logoff user web method...
>when you log on it logs you into a session and maintains your logged in
>status until you log off or timeout... I dont want to have to pass
>username/pass back and forth each time I call a method... I want to use
>sessions and I need a custom authentication and authorization method for
>our service (its how we defined it to work) how would you go about doing
>this? In reporting services it uses a web service to do it in this order
>
Connect to web service with no IIS authentication
Log into Web service via a public webmethod called LogonUser
Webservice consumer has a cookier container and credentials set to
CrentialCache.DefaultNetworkCredentials
>
user logs on, all web methods now run as that user until user timesout or
calls LogOffUser
>
any ideas on how to do this? its basically like forms authentication just
in a web service and no login form... thanks!
>


wouldnt each client require an X509 cert on their machine though?

"Cowboy (Gregory A. Beamer)" <NoSpamMgbworld@.comcast.netNoSpamM> wrote in
message news:A102DB9C-E0E3-4177-8EF8-1CD6C4F6F0C5@.microsoft.com...

>A better option is to use WSE 3.0 (WS-Security). You can attach an 509
>certificate, which will be more secure, and have less overhead, than
>adding a session to the web service. It is also standards based, which
>allows you to dupe the methodology for systems that have to be contacted
>from Java (example).
>
--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
http://gregorybeamer.spaces.live.com
>
*********************************************
Think outside the box!
*********************************************
"Smokey Grindle" <nospam@.dontspamme.com> wrote in message
news:u0KT49bhHHA.4064@.TK2MSFTNGP03.phx.gbl...

>>I want to make a security system in my webservice similar to the one that
>>reporting services uses it has a logon user and logoff user web method...
>>when you log on it logs you into a session and maintains your logged in
>>status until you log off or timeout... I dont want to have to pass
>>username/pass back and forth each time I call a method... I want to use
>>sessions and I need a custom authentication and authorization method for
>>our service (its how we defined it to work) how would you go about doing
>>this? In reporting services it uses a web service to do it in this order
>>
>Connect to web service with no IIS authentication
>Log into Web service via a public webmethod called LogonUser
>Webservice consumer has a cookier container and credentials set to
>CrentialCache.DefaultNetworkCredentials
>>
>user logs on, all web methods now run as that user until user timesout or
>calls LogOffUser
>>
>any ideas on how to do this? its basically like forms authentication just
>in a web service and no login form... thanks!
>>


>


Yes, but getting the cert can be part of the sign up procedure for the
application. This can be highly encapsulated on a SmartClient application.
There are other, less secure, methods in WS-Security.

You can also generate keys for users after they have established a session
and pass that key (initially null) with each subsequent request. This will
require a custom authentication/session framework, but it is doable. I
currently use a key on one set of web services, but it was one that had to
be thrown up quickly, sits behind SSL and I control the clients (which are
other web apps on another domain), so I am not that worried about security.

As a slight alteration, you can send user login info every time and store
the current session completely on the backend. As this requires a user's
login, you will have to use SSL. If you are using a Smart Client and would
like to hide this, you can have them login via a web service and have it
return session token. If you use a custom method, you can keep the "session"
alive on the server side as long as you want. Just make sure it eventually
times out and the app logs it out when they shut it down. Do not trust users
to end session.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
http://gregorybeamer.spaces.live.com
*********************************************
Think outside the box!
*********************************************
"Smokey Grindle" <nospam@.dontspamme.com> wrote in message
news:uxyN%23NdhHHA.4552@.TK2MSFTNGP04.phx.gbl...

wouldnt each client require an X509 cert on their machine though?
>
"Cowboy (Gregory A. Beamer)" <NoSpamMgbworld@.comcast.netNoSpamM> wrote in
message news:A102DB9C-E0E3-4177-8EF8-1CD6C4F6F0C5@.microsoft.com...

>>A better option is to use WSE 3.0 (WS-Security). You can attach an 509
>>certificate, which will be more secure, and have less overhead, than
>>adding a session to the web service. It is also standards based, which
>>allows you to dupe the methodology for systems that have to be contacted
>>from Java (example).
>>
>--
>Gregory A. Beamer
>MVP; MCP: +I, SE, SD, DBA
>http://gregorybeamer.spaces.live.com
>>
>*********************************************
>Think outside the box!
>*********************************************
>"Smokey Grindle" <nospam@.dontspamme.com> wrote in message
>news:u0KT49bhHHA.4064@.TK2MSFTNGP03.phx.gbl...


>>>I want to make a security system in my webservice similar to the one that
>>>reporting services uses it has a logon user and logoff user web method...
>>>when you log on it logs you into a session and maintains your logged in
>>>status until you log off or timeout... I dont want to have to pass
>>>username/pass back and forth each time I call a method... I want to use
>>>sessions and I need a custom authentication and authorization method for
>>>our service (its how we defined it to work) how would you go about doing
>>>this? In reporting services it uses a web service to do it in this order
>>>
>>Connect to web service with no IIS authentication
>>Log into Web service via a public webmethod called LogonUser
>>Webservice consumer has a cookie container and credentials set to
>>CredentialCache.DefaultNetworkCredentials
>>>
>>user logs on, all web methods now run as that user until user times out
>>or calls LogOffUser
>>>
>>any ideas on how to do this? its basically like forms authentication
>>just in a web service and no login form... thanks!
>>>


>
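
The server-side session token described in the reply above (token issued at logon, passed with each request, expired by the server), as an added example that is not part of the original thread. The class name, method names and timeout values are assumptions chosen for illustration; credential checking is assumed to happen in the LogonUser web method before `Logon` is called.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical server-side session store; all names and timeout values are assumptions.
public sealed class SessionStore
{
    private sealed class Entry { public string User; public DateTime Created, LastSeen; }

    private readonly ConcurrentDictionary<string, Entry> _sessions =
        new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _idle = TimeSpan.FromMinutes(20);  // sliding timeout
    private readonly TimeSpan _absolute = TimeSpan.FromHours(8); // hard cap on lifetime

    // Call from LogonUser only after the credentials have been verified.
    public string Logon(string user, DateTime nowUtc)
    {
        var bytes = new byte[32];                                // 256-bit random token
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        _sessions[token] = new Entry { User = user, Created = nowUtc, LastSeen = nowUtc };
        return token;
    }

    // Call at the top of every other web method; returns the user name or null.
    public string Validate(string token, DateTime nowUtc)
    {
        Entry e, removed;
        if (string.IsNullOrEmpty(token) || !_sessions.TryGetValue(token, out e)) return null;
        lock (e)
        {
            if (nowUtc - e.LastSeen > _idle || nowUtc - e.Created > _absolute)
            {
                _sessions.TryRemove(token, out removed);         // server ends the session
                return null;
            }
            e.LastSeen = nowUtc;                                 // slide the idle window
            return e.User;
        }
    }

    // Call from LogOffUser; returns false for an unknown or already expired token.
    public bool Logoff(string token)
    {
        Entry removed;
        return !string.IsNullOrEmpty(token) && _sessions.TryRemove(token, out removed);
    }
}
```

Passing the clock in as `nowUtc` keeps expiry testable; the token itself should only ever travel over SSL, as the reply notes.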

Web services and security

I want to make a security system in my webservice similar to the one that
reporting services uses. It has a logon user and logoff user web method...
when you log on it logs you into a session and maintains your logged in
status until you log off or timeout... I don't want to have to pass
username/pass back and forth each time I call a method... I want to use
sessions and I need a custom authentication and authorization method for our
service (it's how we defined it to work) how would you go about doing this?
In reporting services it uses a web service to do it in this order

Connect to web service with no IIS authentication
Log into Web service via a public webmethod called LogonUser
Webservice consumer has a cookie container and credentials set to
CredentialCache.DefaultNetworkCredentials
user logs on, all web methods now run as that user until user times out or
calls LogOffUser

any ideas on how to do this? it's basically like forms authentication just in
a web service and no login form... thanks!

A better option is to use WSE 3.0 (WS-Security). You can attach an X509
certificate, which will be more secure, and have less overhead, than adding
a session to the web service. It is also standards based, which allows you
to dupe the methodology for systems that have to be contacted from Java
(example).
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
http://gregorybeamer.spaces.live.com
*********************************************
Think outside the box!
*********************************************
"Smokey Grindle" <nospam@.dontspamme.com> wrote in message
news:u0KT49bhHHA.4064@.TK2MSFTNGP03.phx.gbl...
>I want to make a security system in my webservice similar to the one that
>reporting services uses it has a logon user and logoff user web method...
>when you log on it logs you into a session and maintains your logged in
>status until you log off or timeout... I dont want to have to pass
>username/pass back and forth each time I call a method... I want to use
>sessions and I need a custom authentication and authorization method for
>our service (its how we defined it to work) how would you go about doing
>this? In reporting services it uses a web service to do it in this order
> Connect to web service with no IIS authentication
> Log into Web service via a public webmethod called LogonUser
> Webservice consumer has a cookie container and credentials set to
> CredentialCache.DefaultNetworkCredentials
> user logs on, all web methods now run as that user until user times out or
> calls LogOffUser
> any ideas on how to do this? its basically like forms authentication just
> in a web service and no login form... thanks!
>

Wouldn't each client require an X509 cert on their machine though?

"Cowboy (Gregory A. Beamer)" <NoSpamMgbworld@.comcast.netNoSpamM> wrote in
message news:A102DB9C-E0E3-4177-8EF8-1CD6C4F6F0C5@.microsoft.com...
>A better option is to use WSE 3.0 (WS-Security). You can attach an X509
>certificate, which will be more secure, and have less overhead, than
>adding a session to the web service. It is also standards based, which
>allows you to dupe the methodology for systems that have to be contacted
>from Java (example).
> --
> Gregory A. Beamer
> MVP; MCP: +I, SE, SD, DBA
> http://gregorybeamer.spaces.live.com
> *********************************************
> Think outside the box!
> *********************************************
> "Smokey Grindle" <nospam@.dontspamme.com> wrote in message
> news:u0KT49bhHHA.4064@.TK2MSFTNGP03.phx.gbl...
>

Yes, but getting the cert can be part of the sign up procedure for the
application. This can be highly encapsulated on a SmartClient application.
There are other, less secure, methods in WS-Security.

You can also generate keys for users after they have established a session
and pass that key (initially null) with each subsequent request. This will
require a custom authentication/session framework, but it is doable. I
currently use a key on one set of web services, but it was one that had to
be thrown up quickly, sits behind SSL and I control the clients (which are
other web apps on another domain), so I am not that worried about security.

As a slight alteration, you can send user login info every time and store
the current session completely on the backend. As this requires a user's
login, you will have to use SSL. If you are using a Smart Client and would
like to hide this, you can have them log in via a web service and have it
return a session token. If you use a custom method, you can keep the "session"
alive on the server side as long as you want. Just make sure it eventually
times out and the app logs it out when they shut it down. Do not trust users
to end the session.

Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
http://gregorybeamer.spaces.live.com
*********************************************
Think outside the box!
*********************************************
"Smokey Grindle" <nospam@.dontspamme.com> wrote in message
news:uxyN%23NdhHHA.4552@.TK2MSFTNGP04.phx.gbl...
> Wouldn't each client require an X509 cert on their machine though?
> "Cowboy (Gregory A. Beamer)" <NoSpamMgbworld@.comcast.netNoSpamM> wrote in
> message news:A102DB9C-E0E3-4177-8EF8-1CD6C4F6F0C5@.microsoft.com...
>