| Authentication option | Description |
| --- | --- |
| Windows - Basic | Use for nonsecure identification of clients, as the user name and password are sent as Base64-encoded strings, which is equivalent to plain text. Passwords and user names are encoded, but not encrypted, in this type of authentication. A determined, malicious user equipped with a network-monitoring tool can intercept user names and passwords. |
| Windows - Basic over SSL | Use for secure identification of clients in Internet scenarios. The user name and password are sent over the network using Secure Sockets Layer (SSL) encryption, rather than plain text. This is relatively easy to configure and works for Internet scenarios. However, using SSL degrades performance. |
| Windows - Digest | Use for secure identification of clients in Internet scenarios. Uses hashing to transmit client credentials, so that a hash is sent over the network and the password is not transmitted in clear text. In addition, Digest authentication can work through proxy servers. However, it is not widely supported on other platforms. |
| Windows - Integrated Windows | Uses NTLM or Kerberos. Uses a cryptographic exchange with the user's Microsoft Internet Explorer Web browser. |
| Windows - Client Certificates | Use for secure identification of clients in Internet and intranet scenarios. Requires each client to obtain a certificate from a mutually trusted certificate authority. Certificates are optionally mapped to user accounts, which are used by IIS for authorizing access to the Web service. |
| Forms | Not supported by Web services. This is a system by which unauthenticated requests are redirected to an HTML form using HTTP client-side redirection. Most clients of Web services will not want to provide credentials using a UI; you must work around this if you want to use forms authentication. |
| SOAP headers – Custom | Useful for both secure and nonsecure Internet scenarios. User credentials are passed within the SOAP header of the SOAP message. The Web server, regardless of the platform hosting the Web service, provides a custom authentication implementation. |
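
The difference between the Basic and Digest rows above, shown at the wire level as an added example (not code from the original post or from IIS). Function names and the sample credentials are constructed for illustration; the MD5 `qop=auth` formula is the one defined in RFC 2617.

```python
import base64
import hashlib
import hmac

def basic_header(user, password):
    """Authorization value a client sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def decode_basic(header):
    """Base64 is an encoding, not encryption: no key is needed to reverse it."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user, realm, password):
    """Hash the server can store in place of the password."""
    return _md5(f"{user}:{realm}:{password}")

def digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(response, stored_ha1, method, uri, nonce, nc, cnonce):
    """Recompute the response from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(response, expected)

if __name__ == "__main__":
    # Constructed sample credentials and request values.
    user, password, realm = "alice", "s3cret-pw", "webservice"
    hdr = basic_header(user, password)
    print("Basic on the wire:", hdr, "->", decode_basic(hdr))
    h = ha1(user, realm, password)
    args = ("POST", "/service.asmx", "n-0001", "00000001", "c-0001")
    resp = digest_response(h, *args)
    print("Digest on the wire:", resp)
    print("verifies:", server_verify(resp, h, *args))
    stale = ("POST", "/service.asmx", "n-0002", "00000001", "c-0001")
    print("same response under a new nonce:", server_verify(resp, h, *stale))
```

The Basic header yields the password to anyone who can read the request, which is why that row is only acceptable over SSL; the Digest response is bound to the server's nonce and the request URI, so a captured value does not verify under a fresh nonce.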
Monday, December 10, 2007
Summary of Authentication Options