date: Wed, 2 Apr 2008 17:23:35 +0200,
group: microsoft.public.dotnet.security
Re: Secure Network Credentials
Hello,
NetworkCredential encrypts the password internally. But you are of course
right - the password is there somewhere in memory unencrypted.
A more secure solution would be to use integrated authentication when
possible.
Otherwise your solution should be ok, IMHO.
Kind regards,
Henning Krause
"Henrik Skak Pedersen" <skak@community.nospam> wrote in message
news:uWYtGWNlIHA.6092@TK2MSFTNGP06.phx.gbl...
> Hi,
>
> I have a .NET Windows application where I over time need to call a
> Reporting Services web-service. In order for the web-service to
> authenticate correctly, it needs to be provided with the correct network
> credentials (the user logged in to my application). Also the Microsoft
> Report Viewer for Reporting Services needs the network credentials for
> displaying the reports. So basically I need the network credentials at
> different times. The code for calling the web-service looks like this:
>
> ReportWS.ReportingService rs = new ReportWS.ReportingService();
> rs.Credentials = new NetworkCredential("user", "password", "Domain");
>
> At the moment I don't store the credentials in my application, I only use
> them when logging in to my application. How can I store the credentials
> securely in my application and get them when I need them? I cannot store the
> NetworkCredential object because username and password are not encrypted
> in any way.
>
> I have come up with a solution where I store the password in a secure
> string at login time and then when I need the credentials unpack the
> secure string like this:
>
> IntPtr ustr = Marshal.SecureStringToGlobalAllocUnicode(password);
> try
> {
>     string clearTextPwd = Marshal.PtrToStringUni(ustr);
>     ReportWS.ReportingService rs = new ReportWS.ReportingService();
>     rs.Credentials = new NetworkCredential("user", clearTextPwd, "Domain");
> }
> finally
> {
>     Marshal.ZeroFreeGlobalAllocUnicode(ustr);
> }
>
> I know this isn't a 100% secure solution because at some point the
> password is in memory as clear text, so my question is: Is there a better
> way to do this? What would be the best way to store and supply the
> credentials in my application?
>
> Cheers
> Henrik
date: Wed, 2 Apr 2008 21:20:36 +0200
author: Henning Krause [MVP - Exchange]
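
An added example, not code from either poster: one way to combine the two approaches in the thread, using integrated authentication when no explicit password is supplied and otherwise keeping the password in a SecureString that is unpacked only for the duration of a call. The class name `ReportCredentialSource` and its members are hypothetical.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;

// Hypothetical helper; name and shape are assumptions, not from the thread.
public sealed class ReportCredentialSource : IDisposable
{
    private readonly string _user;
    private readonly string _domain;
    private readonly SecureString _password; // null => integrated authentication

    // Integrated authentication: the application never holds a password.
    public ReportCredentialSource() { }

    // Explicit credentials: keep a private, read-only copy of the SecureString.
    public ReportCredentialSource(string user, SecureString password, string domain)
    {
        if (password == null) throw new ArgumentNullException("password");
        _user = user;
        _domain = domain;
        _password = password.Copy();
        _password.MakeReadOnly();
    }

    // Build the credentials at the moment of the call; callers should not cache them.
    public ICredentials GetCredentials()
    {
        if (_password == null)
            return CredentialCache.DefaultCredentials; // logged-on Windows identity

        IntPtr ustr = Marshal.SecureStringToGlobalAllocUnicode(_password);
        try
        {
            // The managed string created here is immutable and cannot be zeroed;
            // it stays in memory until collected (the residual clear-text exposure).
            return new NetworkCredential(_user, Marshal.PtrToStringUni(ustr), _domain);
        }
        finally
        {
            Marshal.ZeroFreeGlobalAllocUnicode(ustr); // wipe the unmanaged copy
        }
    }

    public void Dispose()
    {
        if (_password != null) _password.Dispose();
    }
}
```

A web-service proxy would then be configured with `rs.Credentials = source.GetCredentials();` immediately before each call. On .NET Framework 4.0 and later, `NetworkCredential` also has a constructor that accepts a `SecureString` directly, which removes the manual marshalling step.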