Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Problem/Solution Index

patterns & practices Developer Center

Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0

Microsoft Corporation

December 2005

Download: Download this guide in PDF format
Community: Web Service Security Community Workspace [Content link no longer available, original URL: http://go.microsoft.com/fwlink/?LinkId=57044]

Contents

Overview
General
Authentication and Authorization
Kerberos Protocol and Windows Server 2003
X.509 Certificates
Message Protection: Data Confidentiality, Integrity and Data Origin Authentication
Resource Access
Windows Server 2003 Protocol Transition and Constrained Delegation
Exception Shielding
Message Validation
Message Replay Detection
Secure Conversation
Service Router
More Information

Overview

During the research phase for the Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0 guide, the Microsoft patterns & practices team spent many hours communicating with customers, and collecting information from Microsoft Support Services, blogs, and other sources. This information helped the team gain a thorough understanding of the types of security challenges customers encountered when designing and implementing Web services using WSE 2.0.

The Problem/Solution Index provides an alternative way to navigate the content in this guide that is based on frequently asked questions from customers. The index presents customer questions, and then directs you to the appropriate section of the guide to help you answer those questions. The index is not comprehensive, but it does provide an alternative way to approach specific challenges. The index is divided into several broad categories to correspond to the areas where customers most frequently encounter problems.

The patterns & practices team hopes to expand the Problem/Solution Index as more questions related to the Web Service Security guide content emerge. You can submit additional questions to the Web Service Security community workspace [Content link no longer available, original URL: http://go.microsoft.com/fwlink/?LinkId=57044] or add new problem/solution links to the Web Service Security Wiki.

General

For answers to general questions about WSE 3.0, see the resources in Table 1.

Table 1. General Questions

Problem | Solution
What is the difference between message and transport layer security? | See the Introduction in Chapter 3, "Implementing Transport and Message Layer Security."
How do I decide between message and transport layer security? | See the Introduction in Chapter 3, "Implementing Transport and Message Layer Security."
What interoperability considerations should I be aware of for WSE 3.0? | See WSE 3.0 Security: Interoperability Considerations in the "Appendix."

Authentication and Authorization

For answers to authentication and authorization questions, see the resources in Table 2.

Table 2. Authentication and Authorization Questions

Problem | Solution
How do I determine how to authenticate a client application? | See the Introduction in Chapter 1, "Authentication Patterns."
How do identification, authentication, and authorization relate? | See the Introduction in Chapter 1, "Authentication Patterns."
How do I decide between Kerberos, X.509, or an STS-based authentication broker? | See the Introduction in Chapter 1, "Authentication Patterns."
How can I obtain single sign-on (SSO) within my intranet? | See the Introduction in Chapter 1, "Authentication Patterns."
How do I implement session-based authentication so that users are not required to provide their passwords whenever the application they are using calls a Web service? | See the Introduction in Chapter 1, "Authentication Patterns."
How can I use an existing Active Directory infrastructure for authentication? | See the Introduction in Chapter 1, "Authentication Patterns."
How do I provide authentication that is portable across organizational boundaries? | See the Introduction in Chapter 1, "Authentication Patterns."
How do I authenticate when interoperability is a challenge? | See the Introduction in Chapter 1, "Authentication Patterns."
How do I avoid using clear text passwords? | See the Introduction in Chapter 1, "Authentication Patterns."
How do I authenticate with UsernameTokens and secure the communication with X.509 certificates? | See Implementing Direct Authentication with UsernameToken in WSE 3.0 in Chapter 3, "Implementing Transport and Message Layer Security."
How do I authenticate against a directory service such as Active Directory or Active Directory Application Mode (ADAM) using a user ID and password? | See Implementing Direct Authentication with UsernameToken in WSE 3.0 in Chapter 3, "Implementing Transport and Message Layer Security."
How do I authenticate against a custom SQL Server database using a security token that contains a user ID and password? | See Implementing Direct Authentication with UsernameToken in WSE 3.0 in Chapter 3, "Implementing Transport and Message Layer Security."
How do I develop a custom UsernameTokenManager to support authentication against ADAM or a custom SQL Server database? | See Implementing Direct Authentication with UsernameToken in WSE 3.0 in Chapter 3, "Implementing Transport and Message Layer Security."
How do I make use of Visual Studio 2005 authentication services for SQL Server and a directory service? | See Implementing Direct Authentication with UsernameToken in WSE 3.0 in Chapter 3, "Implementing Transport and Message Layer Security."
How do I implement mutual authentication using X.509 certificates? | See Implementing Direct Authentication with UsernameToken in WSE 3.0 in Chapter 3, "Implementing Transport and Message Layer Security."

Kerberos Protocol and Windows Server 2003

For answers to questions about the Kerberos protocol and Windows Server 2003 in WSE 3.0, see the resources in Table 3.

Table 3. Kerberos Protocol and Windows Server 2003 Questions

Problem | Solution
How do I use an existing Kerberos protocol infrastructure at the message layer with a KerberosToken binary security token? | See Implementing Message Layer Security with Kerberos in WSE 3.0 in Chapter 3, "Implementing Transport and Message Layer Security."
How do I provide data confidentiality and data integrity to secure the communication channel by encrypting and signing the message with the KerberosToken? | See Implementing Message Layer Security with Kerberos in WSE 3.0 in Chapter 3, "Implementing Transport and Message Layer Security."
How do I impersonate the client represented by the KerberosToken to access a resource on its behalf? | See Implementing Message Layer Security with Kerberos in WSE 3.0 in Chapter 3, "Implementing Transport and Message Layer Security."
Is the Windows implementation of the Kerberos protocol compatible with other implementations? | See the Kerberos Technical Supplement for Windows in Chapter 7, "Technical Supplements."
How do I configure Active Directory for secure Web services using the Kerberos protocol in an implementation deployed in a Web farm? | See the Kerberos Technical Supplement for Windows in Chapter 7, "Technical Supplements."
How do I troubleshoot issues related to using the Kerberos protocol with Web services? | See the Kerberos Technical Supplement for Windows in Chapter 7, "Technical Supplements."

X.509 Certificates

For answers to questions about X.509 certificates in WSE 3.0, see the resources in Table 4.

Table 4. X.509 Certificate Questions

Problem | Solution
How do I create X.509 certificates? | See Brokered Authentication: X.509 PKI in Chapter 1, "Authentication Patterns," and the X.509 Technical Supplement in Chapter 7, "Technical Supplements."
How do I use X.509 certificate revocation? | See Brokered Authentication: X.509 PKI in Chapter 1, "Authentication Patterns," and the X.509 Technical Supplement in Chapter 7, "Technical Supplements."
How do I authenticate users with X.509 certificates, and then perform role-based access control using an Active Directory domain? | See the Protocol Transition with Constrained Delegation Technical Supplement in Chapter 4, "Resource Access Patterns."
How do I implement a custom WSE 3.0 X.509 SecurityTokenManager to allow additional data, such as roles, to be associated with a user's certificate? | See Implementing Message Layer Security with X.509 Certificates in WSE 3.0 in Chapter 3, "Implementing Transport and Message Layer Security."

Message Protection: Data Confidentiality, Integrity and Data Origin Authentication

For answers to questions about message protection in WSE 3.0, see the resources in Table 5.

Table 5. Message Protection Questions

Problem | Solution
How do I protect against eavesdropping or unauthorized access to data within a message? | See the Introduction in Chapter 2, "Message Protection Patterns."
How do I encrypt data within my message? | See the Introduction in Chapter 2, "Message Protection Patterns."
How do I protect against data tampering within a message? | See the Introduction in Chapter 2, "Message Protection Patterns."
How do I provide assurance to a message recipient that a message was sent by the expected sender? | See the Introduction in Chapter 2, "Message Protection Patterns."
How do I provide assurance to a message recipient that a message has not been altered after it was sent? | See the Introduction in Chapter 2, "Message Protection Patterns."
What is the difference between an XML signature and a digital signature? | See Data Origin Authentication in Chapter 2, "Message Protection Patterns."

Resource Access

For answers to questions about resource access in WSE 3.0, see the resources in Table 6.

Table 6. Resource Access Questions

Problem | Solution
What is the difference between impersonation and delegation? | See the Introduction in Chapter 4, "Resource Access Patterns."
How do I decide whether to use impersonation and delegation or the Trusted Subsystem model to secure access to resources? | See the Introduction in Chapter 4, "Resource Access Patterns."
How do I control access to a remote resource based on a user's identity instead of the identity of the application that is accessing the resource for the user? | See the Protocol Transition with Constrained Delegation Technical Supplement in Chapter 4, "Resource Access Patterns."
How do I implement protocol transition on a computer running Windows Server 2003? | See the Protocol Transition with Constrained Delegation Technical Supplement in Chapter 4, "Resource Access Patterns."
How do I implement impersonation? | See Implementing Message Layer Security with Kerberos in WSE 3.0 and Implementing Brokered Authentication Using Windows Integrated Security on IIS in the References for Transport Layer Security section in Chapter 3, "Implementing Transport and Message Layer Security."

Windows Server 2003 Protocol Transition and Constrained Delegation

For answers to questions about Windows Server 2003 Protocol Transition and Constrained Delegation in WSE 3.0, see the resources in Table 7.

Table 7. Windows Server 2003 Protocol Transition and Constrained Delegation Questions

Problem | Solution
How do I authenticate users with one protocol, and then authorize them to access resources using another protocol? | See the Protocol Transition with Constrained Delegation Technical Supplement in Chapter 4, "Resource Access Patterns."
How do I use forms authentication on a presentation tier Web application, and then control access to back-end resources using Active Directory? | See the Protocol Transition with Constrained Delegation Technical Supplement in Chapter 4, "Resource Access Patterns."
How do I authenticate users with X.509 certificates, and then perform role-based access control using an Active Directory domain? | See the Protocol Transition with Constrained Delegation Technical Supplement in Chapter 4, "Resource Access Patterns."
How do I use protocol transition to initialize a WindowsIdentity object for authorization checks? | See the Protocol Transition with Constrained Delegation Technical Supplement in Chapter 4, "Resource Access Patterns."
How do I use protocol transition to initialize a WindowsIdentity object for impersonation? | See the Protocol Transition with Constrained Delegation Technical Supplement in Chapter 4, "Resource Access Patterns."
How do I use constrained delegation to access remote resources? | See the Protocol Transition with Constrained Delegation Technical Supplement in Chapter 4, "Resource Access Patterns."
How do I create a service principal name (SPN)? | See the Protocol Transition with Constrained Delegation Technical Supplement in Chapter 4, "Resource Access Patterns."

Exception Shielding

For answers to questions about exception shielding in WSE 3.0, see the resources in Table 8.

Table 8. Exception Shielding Questions

Problem | Solution
How do I prevent my application from unintentionally disclosing sensitive information about itself through unhandled exceptions? | See Exception Shielding and Implementing Exception Shielding in Chapter 5, "Service Boundary Protection Patterns."
How do I prevent the service from disclosing sensitive information in exception messages? | See Implementing Exception Shielding in Chapter 5, "Service Boundary Protection Patterns."
How do I create exceptions that are safe by design, containing information that I can return to Web service clients? | See Implementing Exception Shielding in Chapter 5, "Service Boundary Protection Patterns."
How do I write unsanitized exception details to a log to support monitoring and troubleshooting? | See Implementing Exception Shielding in Chapter 5, "Service Boundary Protection Patterns."

Message Validation

For answers to questions about message validation in WSE 3.0, see the resources in Table 9.

Table 9. Message Validation Questions

Problem | Solution
How do I prevent a Web service from processing a message that contains malicious content? | See the Message Validator and Implementing Message Validation in WSE 3.0 sections in Chapter 5, "Service Boundary Protection Patterns."
How do I reduce an attacker's ability to bring down my Web service with junk messages? | See the Message Validator and Implementing Message Validation in WSE 3.0 sections in Chapter 5, "Service Boundary Protection Patterns."
How do I prevent the service from processing request messages that are greater in size than a specified limit? | See Implementing Message Validation in WSE 3.0 in Chapter 5, "Service Boundary Protection Patterns."
How do I prevent the service from processing messages that are not formed correctly or that do not conform to an expected XML schema? | See Implementing Message Validation in WSE 3.0 in Chapter 5, "Service Boundary Protection Patterns."
How do I validate input messages before deserializing them into .NET Framework data types so that they can be interpreted as regular expressions? | See Implementing Message Validation in WSE 3.0 in Chapter 5, "Service Boundary Protection Patterns."
How do I create a custom assertion in WSE 3.0? | See Implementing Message Validation in WSE 3.0 in Chapter 5, "Service Boundary Protection Patterns."
What ASP.NET and WSE 3.0 configuration settings exist to limit usage of resources such as CPU? | See Implementing Message Validation in WSE 3.0 in Chapter 5, "Service Boundary Protection Patterns."

Message Replay Detection

For answers to questions about message replay detection in WSE 3.0, see the resources in Table 10.

Table 10. Message Replay Detection Questions

Problem | Solution
How do I protect a Web service from an attacker replaying intercepted messages? | See Message Replay Detection in Chapter 5, "Service Boundary Protection Patterns."
How do I prevent the service from accepting and processing messages that have expired, after allowing for variable clock skew? | See Message Replay Detection in Chapter 5, "Service Boundary Protection Patterns."
How do I prevent the service from accepting and processing messages that have been replayed by attackers? | See Message Replay Detection in Chapter 5, "Service Boundary Protection Patterns."
How do I prevent replay attacks against Web services deployed in a Web farm through the use of a database-backed replay cache? | See Message Replay Detection in Chapter 5, "Service Boundary Protection Patterns."
How do I implement message replay detection using a WSE 3.0 custom assertion? | See Implementing Message Replay Detection in WSE 3.0 in Chapter 5, "Service Boundary Protection Patterns."

Secure Conversation

For answers to questions about secure conversation in WSE 3.0, see the resources in Table 11.

Table 11. Secure Conversation Questions

Problem | Solution
How do I optimize secure communications between two parties? | See "Extension 2 - Web Service Federation" in Brokered Authentication: Security Token Service (STS) in Chapter 1, "Authentication Patterns."

Service Router

For answers to questions about the service router in WSE 3.0, see the resources in Table 12.

Table 12. Service Router Questions

Problem | Solution
How do I make internal Web services available to external clients? | See Perimeter Service Router in Chapter 6, "Service Deployment Patterns."
How do I route SOAP messages to an alternate service when my primary service is down for maintenance? | See Perimeter Service Router in Chapter 6, "Service Deployment Patterns."
How do I create a policy enforcer that performs security functions before a message reaches my Web service? | See Perimeter Service Router in Chapter 6, "Service Deployment Patterns."
How do I minimize exposure of my Web services while providing access to them through controlled points? | See Perimeter Service Router in Chapter 6, "Service Deployment Patterns."
How do I route SOAP messages based on their content? | See Perimeter Service Router in Chapter 6, "Service Deployment Patterns."
How do I configure and use the SoapHttpRouter class in WSE 3.0? | See Implementing a Perimeter Service Router in WSE 3.0 in Chapter 6, "Service Deployment Patterns."

More Information

To submit additional questions related to this guidance, see the community workspace "Web Service Security: Scenarios, Patterns, and Implementation Guidance" [Content link no longer available, original URL: http://go.microsoft.com/fwlink/?LinkId=57044].

To add new problem/solution links related to this guidance, see the "Web Service Security Wiki".

© 2014 Microsoft