
dotnet web services enhancements : wse vs "windows integrated"


yonido NO[at]SPAM gmail.com
2/19/2006 4:55:48 AM
Hello,

I would like to implement a secure web service based on the Active
Directory, without using HTTPS / SSL, using the Kerberos mechanism.

As the documentation mentions, checking "Windows Integrated" and attaching
CredentialCache.DefaultCredentials to the web service will suffice
(it will use the Kerberos mechanism).

On the other hand, lots of articles mention that I must use WSE 2.0 and
MANUALLY add the token.
examples:
- http://www.codeproject.com/cs/webservices/SecurityTokens.asp
- http://www.15seconds.com/issue/040602.htm

Is "Windows Integrated" enough?

Thanks.

Pablo Cibraro
2/20/2006 10:36:44 AM
Hi,
They are two different things. WSE provides security at the message level, that
is, message integrity (the message is signed to prevent someone from changing
the message), confidentiality (the message is encrypted) and authentication.
Windows Integrity is a mechanism to authenticate the user at the transport
level. It doesn't provide any message protection unless you use SSL.

I recommend you take a look at the web services security guidance for
more information:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wssp.asp

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
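
The two approaches contrasted in the reply above, side by side, as an added example that is not code from the thread or from either poster. It assumes a project referencing the WSE 2.0 assembly (Microsoft.Web.Services2.dll); the `OrdersProxy` class, its `GetStatus` method, the `example.test` namespace and the service principal name are hypothetical.

```csharp
using System.Net;
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services2;                  // WSE 2.0
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;

// Hypothetical proxy; a real one is generated from the service's WSDL.
[WebServiceBinding(Name = "OrdersSoap", Namespace = "http://example.test/orders")]
public class OrdersProxy : WebServicesClientProtocol
{
    public OrdersProxy(string url) { Url = url; }

    [SoapDocumentMethod("http://example.test/orders/GetStatus")]
    public string GetStatus(int orderId)
    {
        return (string)Invoke("GetStatus", new object[] { orderId })[0];
    }
}

public static class ClientSetup
{
    // Transport level: IIS "Integrated Windows authentication" identifies the
    // caller, but over plain HTTP the SOAP body is neither signed nor encrypted.
    public static OrdersProxy TransportAuthOnly(string url)
    {
        OrdersProxy proxy = new OrdersProxy(url);
        proxy.Credentials = CredentialCache.DefaultCredentials;
        return proxy;
    }

    // Message level: a Kerberos ticket for the service's principal is carried
    // in the WS-Security header and used to sign and encrypt the message itself.
    // servicePrincipal is a constructed value such as "host/server01".
    public static OrdersProxy MessageLevel(string url, string servicePrincipal)
    {
        OrdersProxy proxy = new OrdersProxy(url);
        KerberosToken token = new KerberosToken(servicePrincipal);
        SoapContext ctx = proxy.RequestSoapContext;
        ctx.Security.Tokens.Add(token);                          // authentication
        ctx.Security.Elements.Add(new MessageSignature(token));  // integrity
        ctx.Security.Elements.Add(new EncryptedData(token));     // confidentiality
        return proxy;
    }
}
```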
