0

We have 2 public-facing internet servers in our company (serverA.mycompany.com & serverB.myCompany.com).

We are hosting an ASP.NET web service (.asmx) on one of those servers, which is exposed to the internet. We need to implement authentication/authorization (without using passwords/Windows auth) and allow only the requests which come from "*.myCompany.com".

Unfortunately, the IP addresses of the machines are not static. They keep changing once in 6 months or so. So IP-based access is not a solution for us.

Please help me to allow only the requests which come from "*.myCompany.com".

1 Answer

1

You cannot know who the client is just based on its hostname. You need to have the client authenticate (over SSL, for security), or at least sign what they're sending.

If you're curious about "signing", I described it with a simple example in an answer here: C# app should send some data to php website but should respect auth policies

If you can set up an SSL certificate on the asmx side, even hard-coding something "secret" (such as a password, kept secure and confidential between the two apps) would do the trick.

Otherwise, maybe you can have the asmx query DNS to get the client's IP address, then compare it with the incoming request. That means you cannot restrict by IP at the IIS level - you have to validate in the asmx. You can do this once, on the first request, then keep it in memory until it stops working (or until it becomes different), then query DNS again. Maybe even keep this IP somewhere more permanent (such as a database), since the IP won't be changing that frequently.
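
An added example, not part of the answer above and not the poster's code: one way to implement the DNS lookup-and-cache check that the last paragraph describes, in C#. The class name `DnsAllowList`, the minimum refresh interval and the injectable resolver are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;

// Added example (hypothetical class): allow a caller only if its source IP is
// one that DNS currently returns for the expected client host names.
public sealed class DnsAllowList
{
    private readonly string[] _hosts;
    private readonly Func<string, IPAddress[]> _resolve;
    private readonly TimeSpan _minRefresh;
    private readonly object _lock = new object();
    private HashSet<IPAddress> _cache = new HashSet<IPAddress>();
    private DateTime _lastRefreshUtc = DateTime.MinValue;

    public DnsAllowList(string[] hosts, TimeSpan minRefresh, Func<string, IPAddress[]> resolve = null)
    {
        _hosts = hosts;
        _minRefresh = minRefresh;
        // The resolver is injectable so the check can be exercised without real DNS.
        _resolve = resolve ?? new Func<string, IPAddress[]>(Dns.GetHostAddresses);
    }

    public bool IsAllowed(IPAddress remote)
    {
        if (remote == null) return false;
        if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();
        lock (_lock)
        {
            if (_cache.Contains(remote)) return true;
            // Cache miss: the client's address may have changed, so resolve again,
            // but at most once per _minRefresh so that rejected callers cannot
            // make the service issue a DNS query for every request.
            if (DateTime.UtcNow - _lastRefreshUtc < _minRefresh) return false;
            Refresh();
            return _cache.Contains(remote);
        }
    }

    private void Refresh()
    {
        var fresh = new HashSet<IPAddress>();
        foreach (var host in _hosts)
        {
            try { foreach (var ip in _resolve(host)) fresh.Add(ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip); }
            catch (SocketException) { /* lookup failed: this host adds no addresses (fails closed) */ }
        }
        _cache = fresh;
        _lastRefreshUtc = DateTime.UtcNow;
    }
}
```

In the .asmx method, pass `IPAddress.Parse(HttpContext.Current.Request.UserHostAddress)` to `IsAllowed` on a single shared instance. If the client reaches the service through a proxy or NAT, that address is the proxy's rather than the host's, so the comparison only holds for direct connections.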
