Vulnerability in EPiServer.Forms
I think there is a problem with that approach, because then my webservice will be running with the rights of the user which is created for the webservice. What I would like is for the webservice to be running with the rights of the person who is using the program which accesses the webservice (and who is registered as an EPiServer user).
Is there some good way to achieve that? It is not an option for me to create every single user as a windows user, and I also don't think it is a good solution to add the person's login and password to every single method of the webservice and then each time programmatically log in that user.
If you have both the client and the server using the same Active Directory, you should be able to act as the same user inside EPiServer. Instead of <allow users=""> in your Web.config you should specify <allow roles=""> and have all those users sharing a common role. That way you don't have to add your users anywhere, since they are already in your AD and accessed through WindowsRoleProvider.
I haven't tested this approach myself though, but it could be worth a try.
If the machines don't have a common AD, you might have a worse time, since 'basic authentication' uses Windows for authentication.
I've recently been discussing authentication issues with EPiServer support because we are trying to mirror between live and staging environments using mirroring, however we don't want to be bound to active directory users, so we've opted for the SqlServerMembershipProvider.
In our situation, the word from EPiServer support was that the web services will currently only work with the WindowsMembershipProvider on the destination environment, and using basic authentication rather than forms based authentication.
I have a related issue, only then on IIS7 without a domain.
I tried to set BasicAuthentication on the created WebServices directory in IIS Manager, but I cannot disable Forms Authentication. It says it's read-only and locked.
I guess that's why I still get an error when pinging my remote website:
"The requested web service was found but it not gives a correct response (check the user credentials is correct, that the WebService folder in the IIS not accepts anonymous access for the requested site and the remote site has the BasicAuthentication http module installed in its web.config), see the log file for the full error message."
I read somewhere that I cannot disable Forms because the setting is "MachineToApplication", although I have no clue how to fix this...
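As an added illustration (not from any poster in this thread, and not EPiServer's own shipped configuration), the Web.config fragment below shows the role-based authorization suggested earlier for the web services folder, and why the Forms/Windows switch cannot be made per folder. The folder name WebServices, the group name DOMAIN\EPiServerWebServices and the module type name are assumptions; check them against your own installation.

```xml
<configuration>
  <system.web>
    <!-- <authentication> has allowedDefinition="MachineToApplication": it may only
         appear in machine.config or the application's root Web.config. A Web.config
         in the WebServices subfolder, or a <location> block, cannot override it,
         which is why IIS Manager shows the setting as read-only/locked there. -->
    <authentication mode="Forms">
      <forms name=".EPiServerLogin" loginUrl="Util/login.aspx" timeout="120" />
    </authentication>

    <httpModules>
      <!-- The basic-auth module referenced by the ping error message. Type name is
           an assumption taken from older EPiServer CMS 5 configs; verify for your version. -->
      <add name="BasicAuthentication" type="EPiServer.Security.BasicAuthentication, EPiServer" />
    </httpModules>
  </system.web>

  <!-- Authorization, unlike authentication, may be scoped to a folder. -->
  <location path="WebServices">
    <system.web>
      <authorization>
        <!-- Weak: <allow users="*" /> would let anonymous callers reach the
             mirroring/remoting endpoints, which the ping check explicitly rejects. -->
        <!-- Instead of listing individual accounts with <allow users="DOMAIN\alice,..." />,
             grant one AD group and deny everyone else (assumed group name). -->
        <allow roles="DOMAIN\EPiServerWebServices" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Group membership is resolved through WindowsRoleProvider, so both machines need to see the same directory for the role check to succeed.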