Secure Conversation vs Standard

From: Asif Ansari (asifkansari_at_gmail.com)
Date: 10/22/04


Date: 22 Oct 2004 13:55:14 -0700

Hi,

I am in a confused state and would appreciate it if somebody would help
me remove my confusion. But please bear with me - I am new to
WS-Security.

Initially I was creating an ASP.NET application wherein I was sending
a signed and encrypted Username token to the Web Server for the
initial login method. In CustomUsernameTokenManager I was able to
authenticate the user credentials against Active Directory and was
subsequently able to obtain roles for the user and assign them to the
GenericPrincipal object. I then used the IsInRole property in every
web method of that service to check if the user had the proper
privileges.

Then I went through the Secure Conversation Sample and that looked
easy and straightforward. It uses UsernameToken to sign and X.509
Certificates to encrypt the security token obtained from the token
issuer.

However I would like to implement the following:
I want to use Secure Conversation.
I want to use X.509 Certificates to sign and encrypt the token
obtained and not the Username Token to sign.
In addition I would like to also send the Username and password for a
user stored in Active Directory (do I have to send it as Username
Token) so that I can authenticate and obtain user groups the way I was
doing previously. Then use the IsInRole property to check if he has
privileges.

Can this be done and how?? Can someone shed some light please...

Thank You so much..
Regards,
Asif


