Re: Problems signing request when using Windows Authentication

From: Hervey Wilson [MSFT] (herveyw.nospam_at_online.microsoft.com)
Date: 09/26/04

    Date: Sat, 25 Sep 2004 23:10:23 -0700

    It's not so much "glossed over" as simply impossible. The UsernameToken
    requires the plaintext password if you are using Windows authentication.
    Even though a web-based UI may be set up for Windows authentication, this
    doesn't give that UI access to the plaintext password. Indeed, the only way
    to get the password is from the user themselves.

    -- 
    This posting is provided "AS IS", with no warranties, and confers no rights.
    "Julian Jelfs" <JulianJelfs@discussions.microsoft.com> wrote in message 
    news:BC7D44B5-EBF9-4D8E-8355-B1B7DACE0829@microsoft.com...
    >I wanted to do exactly the same thing as you and had exactly the same
    > problem. It amazes me that this problem which must be very very common is
    > totally glossed over in all the documentation.
    >
    > The solution I have used is to sign the message with a KerberosToken
    > instead of a UserNameToken. This way you do not need access to the
    > password in the client and you still get access to the authenticated
    > user in the web service.
    > There is an article on how to do this here:
    >
    > http://www.15seconds.com/issue/040602.htm
    >
    > and here's another article to help you work it out when it doesn't work!
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;326985
    >
    > It took a little bit of pain, but I got this working in the end.
    >
    > Hope it helps.
    >
    >
    > "Andrew Feldman" wrote:
    >
    >> Thanks for your response, but in your sample you illustrate my problem.
    >> When Windows Authentication is enabled on the web form, I do not have
    >> access to the user's password with which to create the UserNameToken.
    >> How can I get/create this token such that I can pass it to a web service
    >> and have the service perform authorization based on the same user's
    >> principal?
    >>
    >> "D.Mitchell" wrote:
    >>
    >> > I do exactly what you are talking about Andrew. When the request is
    >> > processed by WSE it checks the user account specified exists with the
    >> > specified password. You can then allow or disallow the access to the
    >> > guts of the web method based on the user account being in a group.
    >> >
    >> > Hope this helps - Dominic Mitchell
    >> >
    >> > In the client I add a username token to the request.
    >> >
    >> > ' WSE 2.0 namespaces; for WSE 1.0 use Microsoft.Web.Services and
    >> > ' Microsoft.Web.Services.Security instead.
    >> > Imports System.Net
    >> > Imports System.Web.Services.Protocols
    >> > Imports Microsoft.Web.Services2
    >> > Imports Microsoft.Web.Services2.Security.Tokens
    >> >
    >> > Dim proxy As New myWebServiceWse
    >> >
    >> > ' The token carries the password in clear text, so the client has to
    >> > ' know it (test values shown).
    >> > Dim userToken As UsernameToken = _
    >> >     New UsernameToken("myUser", "test123", PasswordOption.SendPlainText)
    >> >
    >> > proxy.RequestSoapContext.Security.Tokens.Add(userToken)
    >> >
    >> > Call proxy.myWebMethod()
    >> >
    >> > *** In your web method code ***
    >> >
    >> > Dim token As UsernameToken
    >> > token = GetUsernameTokenOfRequestAtWebService(RequestSoapContext.Current)
    >> >
    >> > ' WSE has already checked the username/password against the Windows
    >> > ' account; only the group check remains. Deny unless the caller is a
    >> > ' member of the required local group.
    >> > If Not token.Principal.IsInRole(Dns.GetHostName() & _
    >> >         "\requiredGroupForWebMethod") Then
    >> >     Throw New SoapException("Access denied", SoapException.ServerFaultCode)
    >> > Else
    >> >     'do it
    >> > End If
    >> >
    >> > Public Function GetUsernameTokenOfRequestAtWebService(ByVal _
    >> >         requestContext As SoapContext) As UsernameToken
    >> >
    >> >     If IsNothing(requestContext) Then
    >> >         Throw New SoapException("Only SOAP requests are permitted.", _
    >> >             SoapException.ClientFaultCode)
    >> >     End If
    >> >
    >> >     'when there are no tokens in the request
    >> >     If requestContext.Security.Tokens.Count = 0 Then
    >> >         Throw New SoapException("No security tokens found in the request.", _
    >> >             SoapException.ClientFaultCode)
    >> >     End If
    >> >
    >> >     'loop over the security tokens in the request and return the first
    >> >     'username token; the collection can hold other token types too, so
    >> >     'iterate as SecurityToken and cast only after the type check
    >> >     Dim tok As SecurityToken
    >> >     For Each tok In requestContext.Security.Tokens
    >> >         If TypeOf tok Is UsernameToken Then
    >> >             Return CType(tok, UsernameToken)
    >> >         End If
    >> >     Next
    >> >
    >> >     'when get here, must not have found the required username token
    >> >     Throw New SoapException("UsernameToken not found in security " & _
    >> >         "tokens in the request.", SoapException.ClientFaultCode)
    >> > End Function
    >> >
    >> > "Andrew Feldman" wrote:
    >> >
    >> > > Is it possible to create a UserNameToken on a web form using Windows
    >> > > Authentication and have that token be authenticated on the web service
    >> > > against a Windows account?
    >> > >
    >> > > I am using Windows Authentication on my Web UI layer.  I would like to
    >> > > secure my web service layer with Windows Authentication as well.  I've
    >> > > created a policy which requires the message be signed by a
    >> > > UserNameToken.  My problem is how to create such a token in the UI, when
    >> > > the UserNameToken constructor requires a user name and password, which
    >> > > from my perspective has all been handled by Windows and IIS.  It is
    >> > > unacceptable to require the users to reenter their info into my app in
    >> > > addition to any Windows/IIS popups they may have received.  Can I
    >> > > utilize the WindowsPrincipal which ASP.NET has created for me in some
    >> > > manner?
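
Julian's KerberosToken alternative, as an added example that is not code from this thread or from the linked articles, written against the WSE 2.0 API on the assumption that the calls used here exist as shown. The proxy class MyWebServiceWse, the SPN host/wsserver.example.local and the group MYDOMAIN\WebMethodUsers are placeholders, and the web form is assumed to run under the authenticated user's identity (impersonation on, server trusted for delegation), since without that the Kerberos ticket for the downstream service cannot be obtained.

```vbnet
' Client side (the ASP.NET web form). Runs under the Windows identity IIS
' authenticated; no password is ever available or needed here.
Imports System.Security.Principal
Imports System.Web.Services.Protocols
Imports Microsoft.Web.Services2
Imports Microsoft.Web.Services2.Security
Imports Microsoft.Web.Services2.Security.Tokens

Public Class KerberosClient
    Public Sub CallService()
        Dim proxy As New MyWebServiceWse()   ' hypothetical WSE proxy class
        ' SPN of the account the web service runs as (placeholder value)
        Dim kerbToken As New KerberosToken("host/wsserver.example.local")
        proxy.RequestSoapContext.Security.Tokens.Add(kerbToken)
        ' Sign the message with the Kerberos token instead of a UsernameToken
        proxy.RequestSoapContext.Security.Elements.Add(New MessageSignature(kerbToken))
        proxy.MyWebMethod()
    End Sub
End Class

' Service side: find the signature, confirm it was made with a KerberosToken
' and authorize on the Windows principal WSE resolved from the ticket.
Public Class KerberosService
    Public Shared Function GetCallerPrincipal(ByVal ctx As SoapContext) As IPrincipal
        If ctx Is Nothing Then
            Throw New SoapException("Only SOAP requests are permitted.", _
                SoapException.ClientFaultCode)
        End If
        For Each element As ISecurityElement In ctx.Security.Elements
            If TypeOf element Is MessageSignature Then
                Dim sig As MessageSignature = CType(element, MessageSignature)
                ' Accept only a Kerberos-signed message; reject any other signer
                If TypeOf sig.SigningToken Is KerberosToken Then
                    Return sig.SigningToken.Principal
                End If
            End If
        Next
        Throw New SoapException("Request not signed with a KerberosToken.", _
            SoapException.ClientFaultCode)
    End Function

    Public Sub MyWebMethod()
        Dim caller As IPrincipal = GetCallerPrincipal(RequestSoapContext.Current)
        ' Same group check D.Mitchell applies to the UsernameToken (placeholder group)
        If Not caller.IsInRole("MYDOMAIN\WebMethodUsers") Then
            Throw New SoapException("Access denied", SoapException.ServerFaultCode)
        End If
        ' do the work as the authenticated Windows user
    End Sub
End Class
```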
    
