Clarity, Technology, and Solving Problems | PracticeThis.com
I just finished building another security workshop that covers the authentication and identity technologies implemented in MS products. The workshop is targeted at developers, not IT folks. It is common practice (or should I call it anti-practice) for development projects to re-invent the wheel and build, again and again, custom authentication or identity-flow mechanisms, which is the surest recipe for disaster from a security perspective. There are plenty of reasons why, and one of them is that development teams do not have a solid understanding of what MS technologies offer out-of-the-box with regard to authentication.
I have divided the workshop into four major parts:
I call it an educational workshop, influenced by what I was discussing in Security Workshops. This workshop explains what MS offers and when to use it. It does not train the participants to use it in depth; the assumption is that after completing the workshop participants will be able to deepen their knowledge once they have picked the proper technology.
reposted from here
I've previously blogged about SOA Security Inside Enterprise walls.
This time I had a couple of pretty interesting requirements from one customer targeting a B2B/partners scenario. They had a web site that communicates with a partner's web services. His concerns were sincere and pretty fair:
Without any hesitation I went to the following topic:
How To: Call a Web Service Using Client Certificates from ASP.NET 1.1
and implemented step by step what was described there. In the code you can see that one needs to export the client cert. The customer's concern was about how safe the cert is; no worries, it is exported without the private key:
The last thing I needed to do was web service authorization, so I mapped the client cert to a Windows account on the web service machine like this:
Then in the web service code I applied standard role demands (well, specifically here I demand a specific user, but it could be a group too, e.g. ...Demand, Role = @"myServer\Group8").
When the app called the web service method, it picked up the client cert and sent it over to the web service, which in turn mapped it to the Windows account, and the principal permission was applied to this account. When I called HelloWorld1() everything was fine, since it was protected by a demand for the user to which the cert is mapped; on the other hand HelloWorld2() was rejected, since the cert I was sending is NOT mapped to that user. Man, these are those rare moments when I am happy to see exceptions :)
Using minimal coding (client side: a couple of lines; server side: one line per method) and standard configuration of the infrastructure I achieved:
Now tell me why it is not COOL :)
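The two sides of the flow described above, written out as an added example (it is not the code from the original post or from the MS How-To it follows). The account names myServer\PartnerSvc and myServer\OtherUser, the proxy class name PartnerServiceProxy, the service URL and the .cer path are all assumptions. It assumes IIS on the web service box requires SSL with client certificates, the partner's certificate is mapped one-to-one to the myServer\PartnerSvc Windows account, and web.config uses Windows authentication so that Thread.CurrentPrincipal is a WindowsPrincipal when the declarative demand runs.

```csharp
// ---- Server side: the ASMX web service (ASP.NET 1.1) ----
// Assumes: IIS requires client certs over SSL, the partner cert is mapped to the
// Windows account myServer\PartnerSvc (hypothetical), and web.config has
// <authentication mode="Windows" /> so the principal is a WindowsPrincipal.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.Web.Services;
using System.Web.Services.Protocols;

public class PartnerService : WebService
{
    // Declarative demand: the CLR checks Thread.CurrentPrincipal before the body runs.
    // Only the account the partner's certificate was mapped to gets in.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Name = @"myServer\PartnerSvc")]
    public string HelloWorld1()
    {
        return "HelloWorld1 called by " + User.Identity.Name;
    }

    // Demands a different account. A caller whose cert maps to myServer\PartnerSvc
    // fails this demand with a SecurityException, which ASMX returns as a SOAP fault.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Name = @"myServer\OtherUser")]
    public string HelloWorld2()
    {
        return "HelloWorld2 called by " + User.Identity.Name;
    }

    // Group variant from the post: any member of the local group passes.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = @"myServer\Group8")]
    public string HelloWorldGroup()
    {
        return "HelloWorldGroup called by " + User.Identity.Name;
    }
}

// ---- Client side: the ASP.NET web site that calls the partner's service ----
// PartnerServiceProxy is the proxy generated by "Add Web Reference"/wsdl.exe
// (hypothetical name). The .cer file holds only the public certificate; the
// matching private key stays in the Local Machine store, where the runtime looks
// it up during the SSL handshake, so the ASP.NET process account needs read
// access to that key (that is what the MS How-To configures).
public class PartnerCaller
{
    private static PartnerServiceProxy CreateProxy()
    {
        PartnerServiceProxy proxy = new PartnerServiceProxy();
        proxy.Url = "https://partner.example.invalid/PartnerService.asmx"; // placeholder
        X509Certificate cert = X509Certificate.CreateFromCertFile(@"C:\certs\partnerclient.cer"); // placeholder path
        proxy.ClientCertificates.Add(cert);
        return proxy;
    }

    // Succeeds: the cert maps to the account HelloWorld1 demands.
    public static string CallHelloWorld1()
    {
        return CreateProxy().HelloWorld1();
    }

    // Returns false when the server-side demand rejects the mapped account: the
    // SecurityException on the server comes back as a SoapException on the client.
    public static bool TryCallHelloWorld2()
    {
        try
        {
            CreateProxy().HelloWorld2();
            return true;
        }
        catch (SoapException ex)
        {
            Console.WriteLine("Rejected by the server's principal demand: " + ex.Message);
            return false;
        }
    }
}
```

With the cert mapped to myServer\PartnerSvc, CallHelloWorld1() returns normally and TryCallHelloWorld2() returns false, which is the exception the post is happy to see. Because the demand is declarative, the method body never executes for a rejected caller, and the check is tied to the identity IIS established from the certificate rather than to anything the caller puts in the message.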
To quickly set up a lab environment I use VPC 2007 (free download). It really saves me lots of time. For example, in order to set up an environment to test impersonation, delegation, and protocol transition as described in the Authentication Hub post, I needed one machine for the Active Directory domain (Windows Server 2003), one machine as a development desktop (Windows XP), two machines as web servers (Windows Server 2003), and I also set up another Windows Server 2003 as a Certificate Authority to issue the certificates I used in SOA, Strong Authentication, Standard Authorization - Cool Solution.
Here are the steps I have taken:
Now I have an Active Directory domain with two machines, and a similar procedure is needed to add more machines.
One thing that made me work hard while troubleshooting networking between the virtual machines was making sure that the VMs have different MAC addresses.
Inside every machine run ipconfig /all and make sure the Physical Address value is different for each machine:
If it is the same, change it by opening the VMC file, which is a simple XML file, and changing the value of <ethernet_card_address type="bytes">0003FF44337E</ethernet_card_address>. Your value may differ from 0003FF44337E.
After doing this I was able to set up my environment and make my machines talk to each other.
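A small checker for the duplicate-MAC problem described above, added here as an example (not a tool from the original post or from Virtual PC). It walks every .vmc file in a directory, compares their <ethernet_card_address> values, and rewrites any duplicate with a fresh address that keeps the 0003FF prefix the post's sample value uses. The directory path and the XPath //ethernet_card_address are assumptions; the element name itself is the one quoted in the post.

```csharp
// Added example: find and fix duplicate ethernet_card_address values across
// Virtual PC 2007 .vmc files. Run it only while the VMs are turned off, since
// VPC rewrites the .vmc on shutdown and a saved-state VM keeps its old adapter.
// Usage: VmcMacCheck.exe C:\VMs   (placeholder directory)
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

public class VmcMacCheck
{
    // Element name from the post; the XPath location is an assumption.
    private const string MacXPath = "//ethernet_card_address";
    private const string VpcPrefix = "0003FF";

    public static void Main(string[] args)
    {
        string dir = args.Length > 0 ? args[0] : ".";
        Dictionary<string, string> seen = new Dictionary<string, string>(); // MAC -> first file using it
        Random rnd = new Random();

        foreach (string path in Directory.GetFiles(dir, "*.vmc"))
        {
            XmlDocument doc = new XmlDocument();
            doc.Load(path);
            bool changed = false;

            foreach (XmlNode node in doc.SelectNodes(MacXPath))
            {
                string mac = node.InnerText.Trim().ToUpperInvariant();
                if (seen.ContainsKey(mac))
                {
                    // Same physical address as another VM: the symptom ipconfig /all
                    // shows. Give this adapter a new, unused address.
                    string fresh = NewMac(rnd, seen);
                    Console.WriteLine("{0}: {1} duplicates {2}, rewriting to {3}", path, mac, seen[mac], fresh);
                    node.InnerText = fresh;
                    seen[fresh] = path;
                    changed = true;
                }
                else
                {
                    seen[mac] = path;
                }
            }

            if (changed)
            {
                doc.Save(path);
            }
        }
        Console.WriteLine("{0} distinct MAC addresses after the pass.", seen.Count);
    }

    // Random 24-bit tail under the 0003FF prefix, retried until it is unused.
    private static string NewMac(Random rnd, Dictionary<string, string> seen)
    {
        string candidate;
        do
        {
            byte[] tail = new byte[3];
            rnd.NextBytes(tail);
            candidate = VpcPrefix + BitConverter.ToString(tail).Replace("-", "");
        } while (seen.ContainsKey(candidate));
        return candidate;
    }
}
```

After the rewrite, boot each VM and confirm with ipconfig /all that the Physical Address now differs per machine; the guest picks the new address up from the virtual adapter, so no change is needed inside Windows.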
Be aware of the licensing and supportability issues described in NewSID v4.10 regarding copying images while utilizing NewSID.