how to authenicate clients using certificates in an ASP.NET web service

Question

I need to know how the a .net web service authenticates a request from a client that is using a certificate. I know that the client will have to attach their certificate to the service proxy before they make a request, but I dont know how to check that the correct computer is contacting us.

This needs to be implemented in a shared hosting environment using .Net framework 2.0. Please advise if this is possible or if web should use another authentication method such as Basic Authentication over SSL

Let me know if you need more information.

Thanks

Answer 1

The web service doesn't do the authentication - IIS does. Look on the "Security" tab of the site or application properties. At the bottom, there's an "Edit" button. The bottom of the dialog that appears allows you to enable client certificate mapping, and to specify how to map client certificates to Windows users.

The web service will simply see the clients as authenticated Windows users (which is what they are).

Answer 2

See Using Web Services Enhancements (WSE) for X.509 Certificate Authentication and Digital Signature. I'd recommend WCF on .NET 3.5 if possible though.

Answer 3

If your clients have certificates, using the basic authentication over SSL is the standard way of doing it.