Re: WSE 2 and impersonation
From: SA (informatica_at_freemail.nl)
Date: 09/09/04
- Next message: SA: "Re: howto create certificate like Client Private.pfx, Server Private.pfx, Server Public.cer"
- Previous message: SA: "Re: Why can't I step into my web service?"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 9 Sep 2004 16:46:59 -0500
Michael:
It seems to me that your problem lies a little bit deeper than
authentication.
I would go back and re-evaluate the architecture of your solution. If you
want to use impersonation, then you are not building an interoperable web
service.
In that scenario, IMHO, .NET Remoting is a much better choice: it does what
you want it to do out of the box, and it is much faster because it can use
the full power of the Windows platform to communicate in binary.
If you are looking to create an interoperable web service, you should not
attempt to impersonate.
My two cents.
HTH,
-- Sven "Michael Riggio" <michael.spam.riggio@spam.unisys.spam.com> wrote in message news:O$YuxEDjEHA.668@tk2msftngp13.phx.gbl... > I guess I'm a bit confused here. For our particular solution, Kerberos is > not an option; however, based on the code below: > > string name = "host/" + System.Net.Dns.GetHostName(); > > KerberosToken tok = new KerberosToken(name); > > PolicyEnforcementSecurityTokenCache.GlobalCache.Add(tok); > > s.PassToken(); > > Can I pass some Windows Principal token or something like that instead of a > Kerberos token, or does this example/functionality only apply for Kerberos? > > Thanks! > -Mike > > "Softwaremaker" <msdn@removethis.softwaremaker.net> wrote in message > news:%23f7VZq7iEHA.2340@TK2MSFTNGP11.phx.gbl... > > Michael, > > > > This is a snippet taken of Simon Horrell's article off MSDN about > > Kerberos...You can refer to the full article thru this link > > > http://msdn.microsoft.com/webservices/building/wse/default.aspx?pull=/library/en-us/dnwse/html/wse2wspolicy.asp > > > > <quoteSnippet> > > Sending a KerberosToken > > If WSE 2.0 is installed on Windows ServerT 2003 or Windows® XP with > Service > > Pack 1, then it has support for Kerberos authentication in the form of a > > KerberosToken. Kerberos has the benefit of being an open security > standard, > > thus promoting interoperability between WSE-enabled Web service > applications > > running on Windows and Web service applications running on non-Windows > > platforms. > > > > The policy below shows how to configure a Web service operation to accept > a > > Kerberos ticket as a security token. > > > > <wsp:Policy wsu:Id="PassKerberosToken"> > > <SecurityToken wsp:Usage="wsp:Required" > > xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext"> > > <TokenType> > > http://schemas.xmlsoap.org/ws/2003/12/kerberos/Kerberosv5ST > > </TokenType> > > </SecurityToken> > > </wsp:Policy> > > > > Again, in this case, because the exact details of a particular Kerberos > > ticket have not been specified, the Web service consumer using this policy > > must populate the PolicyEnforcementSecurityTokenCache with a specific > > token-this time a KerberosToken-before it makes the call to the Web > service > > proxy, as shown here. > > > > string name = "host/" + System.Net.Dns.GetHostName(); > > KerberosToken tok = new KerberosToken(name); > > PolicyEnforcementSecurityTokenCache.GlobalCache.Add(tok); > > s.PassToken(); > > > > The KerberosToken is created from the current Windows user's security > > context-its Principal property is automatically set to this user-so it > wraps > > a Kerberos ticket that allows the Web service consumer (running on behalf > of > > the current user) to communicate with the host specified (the same > machine, > > in this case). > > > > A policy detailing a particular Kerberos ticket to use is shown below. > > > > <wsp:Policy wsu:Id="PassKerberosToken"> > > <SecurityToken wsp:Usage="wsp:Required" > > xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext"> > > <TokenType> > > http://schemas.xmlsoap.org/ws/2003/12/kerberos/Kerberosv5ST > > </TokenType> > > <TokenIssuer>DM</TokenIssuer> > > <Claims> > > <SubjectName>DM\simonh</SubjectName> > > <ServiceName>host/LAP-SIMON</ServiceName> > > </Claims> > > </SecurityToken> > > </wsp:Policy> > > > > In this case, all the Web service consumer using this policy needs to do > is > > call the Web service method, as WSE has all the information it needs to > > obtain a Kerberos ticket and wrap it as a KerberosToken. > > > > s.PassToken(); > > When the message is received by WSE, it automatically maps the Kerberos > > ticket to a Windows user account. > > > > It may be that the machine hosting either the Web service consumer or the > > Web service doesn't support Kerberos, so using a KerberosToken is not an > > option. It may also be that using a UsernameToken is not an option-a > > UsernameToken works fine when passing messages from client to server but > > won't work for messages sent from server to client as the client has no > way > > of verifying the server's password. In this case, perhaps an X.509 > > certificate may be a better choice as the means of specifying credentials. > > </quoteSnippet> > > > > hth. > > -- > > Thank you very much > > > > Warmest Regards, > > Softwaremaker > > Architect | Evangelist | Consultant > > > > +++++++++++++++++++++++++++++++++ > > > > "Michael Riggio" <michael.spam.riggio@spam.unisys.spam.com> wrote in > message > > news:uVsvvG6iEHA.2660@TK2MSFTNGP15.phx.gbl... > > > We don't plan on working with kerberos. Also, it seems that WSE expects > > you > > > to pass the actual username and password to their API... there's no way > to > > > retrieve that information from the principal, as far as I know. It > would > > be > > > great if the WSE API allowed you to pass the principal you want to use > and > > > have it extract the information it needs in order to impersonate. > > > > > > Any other thoughts? > > > > > > "HongMei Ge" <hongmeig@online.microsoft.com> wrote in message > > > news:eNsZ1t5iEHA.2436@TK2MSFTNGP09.phx.gbl... > > > > Can you get a WindowsIdentity out of the principal and invoke > > > "Impersonate"? > > > > > > > > If so, you can try to use kerberos token. Make sure your server side > > > checks > > > > the kerberos token's identity is really the COM caller. > > > > However, it depends on what impersonation permission you can get on > your > > > WSE > > > > 2 client machine to be able achieve that. > > > > > > > > Let me know if this works. > > > > > > > > hongmei > > > > > > > > "Michael Riggio" <michael.spam.riggio@spam.unisys.spam.com> wrote in > > > message > > > > news:u3jOhKuiEHA.4020@TK2MSFTNGP10.phx.gbl... > > > > > I have a WSE 2 server and an older .Net application that I extended > > that > > > > now > > > > > acts as a WSE 2 client. Part of the original functionality of the > > > client > > > > > was that it was available to COM callers. I now want the client to > > > > > impersonate the COM caller and send some soap messages to my WSE 2 > > > server. > > > > > > > > > > Before the client makes the WSE call I am able to grab the current > > user > > > > > principle in order to impersonate, but I'm not sure how to package > > that > > > up > > > > > into the WSE call (WSE seems to want username/password). Any > > thoughts? > > > > > > > > > > Thanks, > > > > > -Mike > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
- Next message: SA: "Re: howto create certificate like Client Private.pfx, Server Private.pfx, Server Public.cer"
- Previous message: SA: "Re: Why can't I step into my web service?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
