httpwebrequest when RSA/ACE securid server is involved

F

Feroze [msft]

I am not familiar with RSA/ACE authentication. But, I can tell you why your
current app wont work. IE & HTTPWebRequest have their own connection
management semantics. They do not share connections. So, once you get
authenticated with IE, that connection is not available to the
HttpWebRequest instance you are using.

You will have to replicate the same authentication into the HttpWebRequest
that IE is doing. Is it doing SSL based authentication? If so, you might be
able to get that to work using webrequest. However just setting
DefaultCredentials wont work.
 
S

shib

Hello,

I have an assembly, written in C#.

The assembly runs under IE (6.0 SP1).

IE accesses a web site on which a reverse proxy with an RSA/ACE secureid is
installed.

When this happens an authentication process takes place and after its
completion, the web request goes through and completes successfuly.

Naturally, any further http requests to the same site will not have to
re-authenticat.
However, my C# assembly runs under IE and tries to invoke an http request
via the standard httpwebrequest class.
I am setting

HttpWebRequest.Credentials = CredentialCache.DefaultCredentials

still, it does not help.

Any idea what I am missing here?

Thanks,
Ilan
 
S

shib

Thanks Feroze for the reply.

My first thought was the same - the C# http request will have to
re-authenticate because it's a different connection. However I wrote the
same thing in Java and...it works just fine. It seems there is something the
JVM puts on the request, which is missing from the C# request.
 
F

Feroze [msft]

Can you post a snippet of the java based code?

What is this ACE/RSA authentication? Is it the same as SSL/TLS?

--
feroze

-----------------
This posting is provided as-is. It offers no warranties and assigns no
rights.

See http://weblogs.asp.net/feroze_daud for System.Net related posts.
 
V

vin

Feroze said:
What is this ACE/RSA authentication? Is it the same as SSL/TLS?

Nope, not the same as SSL/TLS -- although RSA Security
<www.rsasecurity.com>, the corporation that sells ACE/SecurID
authentication systems, is the same company which invented most of the
cryptographic ciphers used in SSL, and developed and standardized the
PKCS protocols used to design the SSL/TLS public key crypto
interaction. I've been a consultant to RSA for many years.

ACE is the client/server protocol used by RSA Security
<www.rsasecurity.com> to support its popular SecurID tokens. The RSA
SecurID is an AES-based two-factor personal authentication token.
Using RSA's patented time-synch technology, a SecurID token
continuously generates and displays a series of 6-8 digit (or
alphanumeric) token codes which roll over every 60 seconds. As I'm sure
you know, the two-factor security paradigm requires the use of both a
SecurID token-code and a user-memorized PIN or password to validate an
user's authentication call.)

You might find it useful to check out RSA's One Time Password
Specifications (OTPS), a series of detailed standards-like papers on
how any OTP can be most effectively and securely implemented in a
variety of application environments (including web servers.) See:
<http://www.rsasecurity.com/rsalabs/node.asp?id=2816>

RSA only recently published the first series of OTP Specs -- which may
be enough for your needs, shib -- but RSA Labs, the company's research
group, is working with a number of other vendors and developers' groups
to extend the specifications.

Suerte,
_Vin
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top