
I have a .NET MVC web app and I will be exposing a handful of endpoints which should only be hit by certain authorized internal applications. I'd like to achieve this via some form of mutual authentication, so that the web service can verify the caller's identity.

Many solutions I've seen for this seem to rely on IIS-level configuration and thus would seem to apply globally to the web service and not just to specific endpoints.

To make things more complex, all internal requests in our system pass first through an ARR reverse proxy for routing/load balancing. Because ARR provides routing, I'd prefer to keep everything over HTTP to avoid the need for a separate routing mechanism other than ARR to locate machines.

How can I configure some form of mutual authentication for such a scenario?

ChaseMedallion
  • Have you looked at doing something like RSA keys and giving the private to the host-endpoint and the public to the accessing applications? – Richard Oct 15 '15 at 13:27
  • If you're not using HTTPS it will be very simple to spoof the authentication using a simple man-in-the-middle attack – Liam Oct 15 '15 at 13:29
  • @Liam we do use HTTPS to encrypt all traffic, but there is currently no client validation. My understanding is that ARR will make this complicated. – ChaseMedallion Oct 15 '15 at 14:09
  • @Richard I'm aware of various cryptographic techniques that might solve this. However, I'm hoping for something as "standard" as possible so that I don't have to worry about getting the security code right myself. – ChaseMedallion Oct 15 '15 at 14:10

1 Answer


If the caller is also a Windows .NET app in the same Windows domain, I would expose the endpoints over WCF and not an MVC app.

Then configure the WCF endpoints to use Windows authentication, and use WCF's support for role-based authorization (attribute-based for simple cases). There's documentation for how to achieve this here.

Menahem
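An added illustration of the approach in this answer (not code from the asker's project or from the answer itself): a self-hosted WCF service whose binding requires Windows client credentials over HTTPS, with a single operation restricted to one domain group via a `PrincipalPermission` attribute. The group name `CORP\InternalServiceCallers`, the port and the contract are hypothetical; whether the Windows credentials survive the ARR hop in front of the service is a separate thing to verify in your topology.

```csharp
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IInternalOps
{
    [OperationContract]
    string WhoAmI();
}

public class InternalOps : IInternalOps
{
    // Demand membership of a hypothetical domain group per operation. WCF maps the
    // caller's Windows identity to a principal and throws SecurityAccessDeniedException
    // (a SOAP fault on the wire) for authenticated callers outside the group, so the
    // restriction is scoped to this endpoint rather than to the whole site.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CORP\InternalServiceCallers")]
    public string WhoAmI()
    {
        // The authenticated caller, as established by the transport (Kerberos/NTLM).
        return ServiceSecurityContext.Current.WindowsIdentity.Name;
    }
}

class Program
{
    static void Main()
    {
        // Transport security (TLS) plus Windows client credentials: the server proves
        // itself with its certificate, the client with its domain identity.
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        // Hypothetical base address; the certificate must already be bound to this port.
        var host = new ServiceHost(typeof(InternalOps), new Uri("https://localhost:8443/internal"));
        host.AddServiceEndpoint(typeof(IInternalOps), binding, "");

        // Resolve PrincipalPermission roles against Windows group membership (the default,
        // stated explicitly so the authorization source is visible in the code).
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

A .NET client in the same domain needs no extra code for the handshake: a `ChannelFactory<IInternalOps>` built with the same binding sends the process's Windows credentials automatically, and a non-member of the group receives a fault rather than a result.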