Hi Morten,
We've been working at reconciling how/when to leverage both security types
as well. Obviously, IIS Authentication works at the HTTP transport level
while WS-Security works strictly within SOAP. If you know your callers can
satisfy the IIS authentication challenge/response sequence at all times,
then use it. You can still use WS-Security to sign and/or encrypt messages
(or use SSL).
If you attempt to use both concurrently, the transport level authentication
will try and determine who the caller is before the SOAP stack receives the
payload. If the authentication fails, IIS summarily returns an error 401 and
you can't use WS-Security as an alternative mechanism. BTW, we briefly tried
working out a way to implement a fallback to WS-Security as an ISAPI filter,
but ended up realizing there was little gain.
But you might combine IIS and WS-Security authentication if calls were
coming from some other application (like the back-end of a web site) running
under a trusted (and secure) domain account. The WS-Security block might
contain a UsernameToken indicating the end-user's actual identity. In this
case, your web services are *trusting* that the calling application has
authenticated the end-user satisfactorily.
Digest or Windows-Integrated authentication does not work unless both sender
and receiver are concurrently logged into the same domain (or Active
Directory). The sender also has to understand how to handle the
challenge/response sequence, which almost always requires a Microsoft HTTP
stack (IE, MSXML, .NET). It won't work from outside the firewall, through
proxy servers, or through other kinds of intermediaries without tons of work.
As a product company, we have customers who use lots of different
infrastructure components to handle web traffic. WS-Security lets us not
worry about (read: "support") how their setups may impede IIS authentication.
But if there are no infrastructure issues and you have Windows HTTP stacks at
both ends, it's nice to leverage Windows Integrated Security for Single
Sign-on by interactive apps.
Sorry for the excessive length, but it's an interesting topic.
- Erik
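The trusted-caller arrangement Erik describes, as an added example that is not part of the original thread or of any product mentioned in it: IIS has already authenticated the calling application at the transport level, and the service honours the end-user identity in the WS-Security UsernameToken only if that transport identity is on an allow-list of trusted application accounts. The account name `CORP\websvc`, the helper names, and the sample envelope are assumptions constructed for the example; the token carries no password, so the service is trusting the caller, exactly the point made above.

```python
"""Added example (not from the original thread): honour a WS-Security
UsernameToken only when the transport-level (IIS) identity of the caller
is a trusted application account."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Assumption: the web-site back end runs under this domain account and IIS
# has already authenticated it (Integrated or Digest) before the SOAP stack
# sees the payload. An anonymous caller never gets this far: IIS returns 401.
TRUSTED_CALLERS = {r"CORP\websvc"}

# Constructed sample request: the back end asserts the end user's identity
# in the WS-Security header (no password, so nothing here is verifiable).
SAMPLE_ENVELOPE = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>morten</wsse:Username>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetOrders/></soap:Body>
</soap:Envelope>"""


def username_from_envelope(xml_text):
    """Return the wsse:Username text from the Security header, or None."""
    root = ET.fromstring(xml_text)
    node = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/"
                     f"{{{WSSE_NS}}}UsernameToken/{{{WSSE_NS}}}Username")
    if node is None or not node.text:
        return None
    return node.text.strip()


def effective_user(transport_identity, xml_text):
    """Decide whose identity the request acts under.

    transport_identity: the principal IIS authenticated, or None for an
    anonymous request (which IIS would already have rejected with 401).
    Returns (user, source). Raises PermissionError when an untrusted caller
    tries to assert someone else's identity: fail closed rather than
    silently falling back to the caller's own account.
    """
    if transport_identity is None:
        raise PermissionError("401: no transport-level identity")
    asserted = username_from_envelope(xml_text)
    if asserted is None:
        # No UsernameToken: the caller acts as itself.
        return transport_identity, "transport"
    if transport_identity not in TRUSTED_CALLERS:
        raise PermissionError(
            f"{transport_identity} may not assert a UsernameToken for {asserted}")
    return asserted, "usernametoken"


def is_allowed(transport_identity, xml_text):
    """Boolean convenience wrapper around effective_user()."""
    try:
        effective_user(transport_identity, xml_text)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(effective_user(r"CORP\websvc", SAMPLE_ENVELOPE))
    print(is_allowed(r"CORP\alice", SAMPLE_ENVELOPE))
```

Because the allow-list check runs on the identity IIS established, a bug in the UsernameToken parsing cannot turn an anonymous or unknown caller into an arbitrary end user; the worst case for a trusted caller is the one Erik already names, namely that the service trusts that application's own authentication of its users.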
Post by Morten Overgaard
Hi Sirs.
When using WS-Security instead of IIS authentication I see a potential
problem letting ALL people access my webService, i.e. if I have a little bug
in the code that checks for validity of the user I'm really exposing
myself.
If using IIS authentication I'm sure that only IIS authenticated users are
allowed access to my webService. So doesn't WS-Security and IIS security
come hand in hand, or am I missing something here?
Regards Morten