"Achieve B2B Security" by Steve Samarov
Visual Studio Magazine, May 2002


The sample application for this article demonstrates a technique that enables mutual authentication with digital certificates when making remote calls in .Net. Use the file TalkSvr.sln to open the Visual Studio solution, which contains two projects: the client Windows application and the server class library, located in the subdirectories Client and Server respectively. When the solution is built, it produces two files: the server assembly, TalkSvr.dll, and the client application, TalkCli.exe.


The Server Class, TalkSvr
-------------------------

TalkSvr, the server-side class, has an interface that consists of two operations:

public void Write(string text) takes the caller's text message and appends it to the private member variable mText. This operation is called by the client when the user submits a new message. The implementation is simplified for demonstration purposes; a real-world design would in some way manage this accumulation of text.

public string GetUpdate(ushort index) takes a position in the mText string as its argument and returns the substring starting at that position; clients use this operation to poll for new messages.

TalkSvr is a subtype of ContextBoundObject, which makes it a remotable class that can be called over the Internet. Its private state consists of a StringBuilder instance where all messages are concatenated as the conversation goes on. To ensure synchronization we use ContextBoundObject as the supertype and apply the attribute System.Runtime.Remoting.Contexts.SynchronizationAttribute. See Listing 1 for the TalkSvr definition. The server assembly, TalkSvr.dll, is hosted in IIS according to the rules described in the .Net Framework documentation. We use the activation mode Singleton to let all clients share the same instance. Here is the web.config file:

<configuration>
  <system.runtime.remoting>
    <application>

      <service>
        <wellknown mode="Singleton"
         type="Talk.TalkSvr, TalkSvr"
         objectUri="TalkSvr.soap" />
      </service>

    </application>
  </system.runtime.remoting>

  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" />
  </system.web>
</configuration>

Using the Internet Services Manager snap-in, create a virtual directory named Talk and place a copy of web.config there. Create the subdirectory bin and copy TalkSvr.dll into it. Obtain a digital certificate for the server as described in the article, and configure SSL with client certificates.


The Client Application, TalkCli
-------------------------------

On the client side the Windows form class contains two text boxes. The bottom one is for specifying the URL used to connect to the server and for entering messages. The other text box displays all messages accumulated by the server. Three buttons, Connect, Send and Close, are used to connect to the server, send messages, and close the client, respectively. The form also contains a timer control, which triggers a TalkSvr.GetUpdate call every second. The client communicates with the server via a proxy object of type TalkSvrService. It is a subtype of SoapHttpClientProtocol, which provides a property for adding client certificates. Obtain a client certificate as described in the article and export it into a DER-encoded file. The client will prompt you to select the certificate file that will be submitted to the server.

To complete the setup, enable client certificate mapping on the server. The server impersonates the caller's Windows principal while processing the request. This feature can be used to apply access control and role-based security mechanisms. To demonstrate that the correct security context is available during request processing, the server inserts the value of WindowsIdentity.GetCurrent().Name before each message.
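The two pieces this readme describes, written out as an added C# sketch that is neither Listing 1 nor code from the sample solution: the synchronized server class that stamps the impersonated caller's name onto each message, and the client-side hookup that presents the DER-encoded certificate. The Connect helper and the derCertPath parameter are assumptions; the real TalkSvrService proxy is generated by wsdl.exe, so its Write and GetUpdate methods are not reproduced here.

```csharp
using System;
using System.Runtime.Remoting.Contexts;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Text;
using System.Web.Services.Protocols;

namespace Talk
{
    // Server side. ContextBoundObject plus [Synchronization] serialize all
    // calls into the shared Singleton instance configured in web.config.
    [Synchronization]
    public class TalkSvr : ContextBoundObject
    {
        private readonly StringBuilder mText = new StringBuilder();

        // IIS impersonates the Windows account mapped to the client certificate,
        // so GetCurrent() is the caller; its name is stamped onto the message.
        public void Write(string text)
        {
            string who = WindowsIdentity.GetCurrent().Name;
            mText.Append(who).Append(": ").Append(text).Append(Environment.NewLine);
        }

        // Return everything appended at or after 'index'. Clamp so a stale
        // poll position from a client never makes the substring call throw.
        public string GetUpdate(ushort index)
        {
            if (index >= mText.Length) return string.Empty;
            return mText.ToString(index, mText.Length - index);
        }
    }

    // Client side. The Write/GetUpdate proxy methods are generated by wsdl.exe
    // in the real project; only the certificate hookup is sketched here.
    public class TalkSvrService : SoapHttpClientProtocol
    {
        // Attach the DER file the user selected; the SSL handshake presents it
        // to IIS, which maps it to a Windows account. The URL must be https://.
        public static TalkSvrService Connect(string url, string derCertPath)
        {
            TalkSvrService proxy = new TalkSvrService();
            proxy.Url = url;
            proxy.ClientCertificates.Add(X509Certificate.CreateFromCertFile(derCertPath));
            return proxy;
        }
    }
}
```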



