I have inherited a conventional three tier web app with ASP.net 2.0 for the UI, .Net web services (ASMX) in the middle tier and SQL Server 2005 for the DB. This is currently an intranet application with the only users being company employees. Currently the application uses Active Directory (AD) authentication.

At the login screen, the user is presented with username / password dialog. The middle tier makes a simple call to the AD to check the username / password. If ok, then a sessionId guid is generated and sent back to the UI. This sessionId is then passed on every subsequent call from the UI within the session. All methods in the middle tier first check the validity of the sessionID against a simple session table in SQL Server, before processing the request.

I now need to make the web services middle tier of the application available to a new UI that will be available to the public internet. I don’t need to worry about authentication because that will be managed by the new UI. However, I don’t want to leave the web services completely open without any security. I just want to be sure that the system calling the services has permission to do so. I don’t want to burden the new UI with having to maintain the sessionIds currently used.

Any views on the best way to secure the services when being called from the new UI? I guess I could use x509 certificates but I’ve done this before so I’m not aware of any disadvantages (performance?) or how to go about the implementation.

The new UI has been developed used .Net 3.5. We can install .Net 3.5 on the middle tier so I guess we could benefit from using WCF?