If I pass the current user's credentials to a web service by using system.net.credentialcache.defaultcredentials, in what way will the information be transferred? I don't think that it will be clear text, so the credentials have to be encrypted, but how are they?

+1  A: 

It depends on what the server requests in the HEAD response.

For example, if I perform a HEAD request to your web service and one of the HTTP headers in its response is "WWW-Authenticate: NTLM", then the credentials stored in DefaultCredentials would be encrypted using NTLM and then sent up with the full GET/POST/PUT/Whatever. To ensure this happens, you need to make sure that your web server is configured to request NTLM authentication. In IIS, this is a case of selecting "Integrated Windows Authentication". I'm not certain about Tomcat, but this post looks pertinent.

However, if your web server replies with "WWW-Authenticate: Basic" for a particular resource (which would involve sending the creds in clear text, encoded (NOTE: not encrypted) as base64), you'll get an ArgumentException as it's considered a security exception to send your account's credentials over basic auth.

Web servers can also be configured to accept multiple authentication methods, but you should always be prepared to accept the weakest of these, so offering basic auth as a "fall-back" means that some of your users may very well be sending their credentials in clear text.

A browser will usually select the strongest method available to it, and I suspect (but don't know for certain) that the .net libraries will behave the same way.

EDIT

As long as your web server only requests NTLM for your web service, you can be certain that any sensible client won't send credentials in clear text. Using the net classes in the .net framework, you can be sure that if you use DefaultCredentials, and don't manually inject a basic auth header yourself, your credentials will be sent encrypted using NTLM.

Their credentials will arrive at the server as a big encrypted mess, to anyone but the web server, who will decrypt them to see that they include the username, password and domain for the currently logged in user.

The credentials DefaultCredentials will send up depend on what type of application requested DefaultCredentials. If it's a client application running under a user's account, the credentials will be that user's. If it's an ASP.NET application that's communicating with your web service, it will use the credentials for the account that the app pool is running under; by default, this is NETWORK_SERVICE.

Matthew Brindley
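The answer's point is that the client's behaviour is driven by the schemes the server advertises in WWW-Authenticate, and that a Basic fallback is the weakest link. The following is an added example (not code from the question, the answer, or the .NET framework) that parses WWW-Authenticate challenges, picks the strongest scheme, refuses Basic when ambient credentials are in play (mirroring the ArgumentException the answer describes), and flags a Basic fallback on the server side. The strength ranking and the sample header values are assumptions constructed for this example.

```python
import re
from typing import List, Optional

# Strength ranking assumed for this example (not .NET's internal order):
# Negotiate/Kerberos > NTLM > Digest > Basic.
STRENGTH = {"negotiate": 3, "ntlm": 2, "digest": 1, "basic": 0}


class UnsafeAuthError(ValueError):
    """The only usable scheme would send ambient credentials in clear text."""


def _split_outside_quotes(value: str) -> List[str]:
    """Split on commas that are not inside double-quoted parameter values."""
    parts = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value)
    return [p.strip() for p in parts if p.strip()]


def parse_www_authenticate(headers: List[str]) -> List[str]:
    """Return the scheme names offered across WWW-Authenticate header values.
    Handles 'NTLM', 'Negotiate', 'Basic realm="x"', 'Digest realm="r", qop="auth"'
    and several comma-separated challenges inside one header value."""
    schemes: List[str] = []
    for value in headers:
        for piece in _split_outside_quotes(value):
            head = piece.split(None, 1)[0]
            if "=" not in head:  # a scheme token, not a param of the previous one
                schemes.append(head)
    return schemes


def choose_scheme(schemes: List[str], using_default_credentials: bool = True) -> Optional[str]:
    """Pick the strongest offered scheme. With ambient (default) credentials,
    refuse Basic rather than push the logged-in user's password as base64."""
    if not schemes:
        return None
    best = max(schemes, key=lambda s: STRENGTH.get(s.lower(), -1))
    if using_default_credentials and best.lower() == "basic":
        raise UnsafeAuthError("server offers only Basic; ambient credentials would go in clear text")
    return best


def offers_basic_fallback(schemes: List[str]) -> bool:
    """Server-side audit: True when Basic is offered beside a stronger scheme,
    so a weak client may still take the clear-text path."""
    lowered = {s.lower() for s in schemes}
    return "basic" in lowered and len(lowered) > 1


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real server.
    print(choose_scheme(parse_www_authenticate(["Negotiate", "NTLM"])))          # Negotiate
    print(offers_basic_fallback(parse_www_authenticate(['NTLM, Basic realm="tomcat"'])))  # True
```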
Hm, ok... the goal is to use Windows integrated authentication so that the user does not have to provide credentials. The logon credentials of the user have to be passed to authenticate with the web service, which (it's a Tomcat) has to authenticate it with a DC... Will the credentials this way be passed as clear text as well? What arrives at the web service?
Marcus
Hmm yeah, I see, I've updated my answer to include that info.
Matthew Brindley
Thanks! I'm sure this information will help me :)
Marcus