Re: Overriding X509SecurityTokenManager.AuthenticateToken


From: Dilip Krishnan (dkrishnan_at_NOSPAM.geniant.com)
Date: 01/28/05


Date: Fri, 28 Jan 2005 08:49:08 -0800

Hello Oldman,
    I believe you can. Look up IssuerToken in the policy configuration reference.
You can set up a claim for the issuer token to conform to the subject name
supplied, as shown below.

..
<wse:IssuerToken>
  <wssp:SecurityToken>
    <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
    <wssp:Claims>
      <wssp:SubjectName>CN=Your Issuer Subject name</wssp:SubjectName>
    </wssp:Claims>
  </wssp:SecurityToken>
</wse:IssuerToken>
..

HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com

> I don't believe I can use a policy. I am trying to make sure that the
> certificate is issued by us. Clients are only allowed to talk with
> our web service if they have a certificate issued by us. If they do
> not I want the authentication to fail.
>
> Oldman
>
> "Dilip Krishnan" wrote:
>
>> Hello Oldman,
>> Are you sure you can't use policy to implement that 'special' logic?
>> The Authenticate method should just be validating that the certificate
>> it receives is valid (not expired, trusted, etc.), unless you want to do
>> something special with the tokens on their way in, like maybe adding an
>> identity to the token.
>> I'd suggest taking a look at how you can restrict uses based on policy
>> first. If that doesn't fit the bill, write a SOAP input filter to check
>> all the tokens and throw the security fault in the filter. If you do the
>> same in the token manager you're short-circuiting the whole
>> authentication process. By that I mean that you may receive more than
>> one X509 token in the request. In that case you may end up throwing a
>> SOAP fault even though the request had other valid X509 certificates.
>> HTH
>> Regards,
>> Dilip Krishnan
>> MCAD, MCSD.net
>> dkrishnan at geniant dot com
>> http://www.geniant.com
>>> I have some special logic I would like to perform to make sure we
>>> accept a certain certificate in my web service.
>>> The X509SecurityTokenManager.AuthenticateToken method has no return
>>> value, so I was wondering what is the proper thing to do when the
>>> certificate is not accepted by the web service? I figured I would
>>> throw a security fault with the code set to FailedAuthenticationCode.
>>> Is this the correct thing to do?
>>> Thanks,
>>> Oldman
>>>
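Added example (not code from either poster): the token-manager override Oldman describes, written against the WSE 2.0 API as I understand it (X509SecurityTokenManager.AuthenticateToken(SecurityToken), SecurityFault.FailedAuthenticationCode, X509Certificate.GetIssuerName()); the class name, issuer DN and config type string are placeholders. Dilip's caveat still applies: a fault thrown here rejects the whole request even if another X.509 token in it was valid.

```csharp
using System;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;

// Accepts X.509 tokens only when the certificate's issuer DN matches our CA.
// Assumed WSE 2.0 signatures; check them against your WSE version.
// Register it in web.config under <microsoft.web.services2><security> with
// <securityTokenManager type="Example.IssuerCheckingX509TokenManager, ExampleAssembly"
//   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
//   qname="wsse:BinarySecurityToken" />
public class IssuerCheckingX509TokenManager : X509SecurityTokenManager
{
    // Placeholder: the subject DN of your issuing CA certificate.
    private const string TrustedIssuerName = "CN=Your Issuer Subject name";

    protected override void AuthenticateToken(SecurityToken token)
    {
        // Keep the base call so WSE's own certificate validation still runs;
        // a DN string match on its own says nothing about who signed the cert.
        base.AuthenticateToken(token);

        X509SecurityToken x509 = token as X509SecurityToken;
        if (x509 == null || x509.Certificate == null)
        {
            throw new SecurityFault("Expected an X.509 security token.",
                                    SecurityFault.FailedAuthenticationCode);
        }

        // Same comparison the <wssp:SubjectName> claim in an IssuerToken
        // policy expresses, done in code.
        string issuer = x509.Certificate.GetIssuerName();
        if (string.Compare(issuer, TrustedIssuerName, true) != 0)
        {
            // AuthenticateToken returns void, so rejection is signalled by
            // throwing; WSE turns this into the SOAP security fault.
            throw new SecurityFault("Certificate was not issued by our CA.",
                                    SecurityFault.FailedAuthenticationCode);
        }
    }
}
```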


