Re: UserName and Kerberos tokens at the same time



{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 Thanks for your followup Henrik,
\par
\par Then it seems that the Kerberos token is not quite attached correctly at the client side... Have you ensured that the environment is qualified for using Kerberos authentication? Are you in a domain environment with a KDC (or DC...)?
\par
\par Regards,
\par
\par Steven Cheng
\par Microsoft Online Support
\par
\par Get Secure! www.microsoft.com/security
\par (This posting is provided "AS IS", with no warranties, and confers no rights.)
\par
\par \pard\li720 --------------------
\par From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
\par References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx> <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx> <dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxx> <OS79EfF9FHA.1484@xxxxxxxxxxxxxxxxxxxx> <7SHqboN9FHA.4000@xxxxxxxxxxxxxxxxxxxxx>
\par Subject: Re: UserName and Kerberos tokens at the same time
\par Date: Tue, 29 Nov 2005 20:57:13 +0100
\par Lines: 285
\par X-Priority: 3
\par X-MSMail-Priority: Normal
\par X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
\par X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
\par X-RFC2646: Format=Flowed; Original
\par Message-ID: <eG42Y8R9FHA.3416@xxxxxxxxxxxxxxxxxxxx>
\par Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
\par NNTP-Posting-Host: 80.63.142.94
\par Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
\par Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:7770
\par X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
\par
\par Hi Steven,
\par
\par Thank you for your reply.
\par
\par Yes, it works well with the UsernameToken.
\par
\par I get the same exception without the choiceAssertion. I have changed the
\par policy to this:
\par <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
\par
\par <extensions>
\par
\par <extension name="kerberosSecurity"
\par type="Microsoft.Web.Services3.Design.KerberosAssertion,
\par Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
\par PublicKeyToken=31bf3856ad364e35" />
\par
\par <extension name="requireActionHeader"
\par type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
\par Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
\par PublicKeyToken=31bf3856ad364e35" />
\par
\par </extensions>
\par
\par <policy name="ServicePolicy">
\par
\par <kerberosSecurity establishSecurityContext="false"
\par renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
\par messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
\par ttlInSeconds="300">
\par
\par <protection>
\par
\par <request signatureOptions="IncludeAddressing, IncludeTimestamp,
\par IncludeSoapBody" encryptBody="true" />
\par
\par <response signatureOptions="IncludeAddressing, IncludeTimestamp,
\par IncludeSoapBody" encryptBody="true" />
\par
\par <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
\par IncludeSoapBody" encryptBody="false" />
\par
\par </protection>
\par
\par </kerberosSecurity>
\par
\par <requireActionHeader />
\par
\par </policy>
\par
\par </policies>
\par
\par Do I need some signing or encryption? I guess that I don't need it because I
\par am running over SSL, but maybe the KerberosAssertion requires it?
\par
\par Regards
\par
\par Henrik.
\par
\par "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
\par news:7SHqboN9FHA.4000@xxxxxxxxxxxxxxxxxxxxxxxx
\par > Hi Henrik,
\par >
\par > From the error message, the request message's security header doesn't meet the
\par > server policy assertion's requirement. Also, this occurs when you use the
\par > Kerberos token at the client side, but works well when you use the UsernameToken,
\par > yes? Have you ever tried only using the Kerberos token from the client side
\par > (without using the choiceAssertion) to see whether you can get the Kerberos token
\par > to work correctly?
\par >
\par > Thanks,
\par >
\par > Steven Cheng
\par > Microsoft Online Support
\par >
\par > Get Secure! www.microsoft.com/security
\par > (This posting is provided "AS IS", with no warranties, and confers no
\par > rights.)
\par >
\par >
\par > --------------------
\par > From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
\par > References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx>
\par > <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx>
\par > <dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxx>
\par > Subject: Re: UserName and Kerberos tokens at the same time
\par > Date: Mon, 28 Nov 2005 21:10:22 +0100
\par > Lines: 176
\par > X-Priority: 3
\par > X-MSMail-Priority: Normal
\par > X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
\par > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
\par > X-RFC2646: Format=Flowed; Original
\par > Message-ID: <OS79EfF9FHA.1484@xxxxxxxxxxxxxxxxxxxx>
\par > Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
\par > NNTP-Posting-Host: 80.63.142.94
\par > Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
\par > Xref: TK2MSFTNGXA02.phx.gbl
\par > microsoft.public.dotnet.framework.webservices.enhancements:7756
\par > X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
\par >
\par > Hi Steven,
\par >
\par > Again, thank you very much for your reply. I tried to implement the
\par > PolicyChoiceAssertion from the example, but now I get an exception when I
\par > run with the KerberosAssertion. The code throws the exception when I call
\par > HelloWorld in the example below. The PolicyChoiceAssertion is the same as
\par > the one from the example.
\par >
\par > Exception:
\par > \{"WSE2005: Protection requirements in KerberosAssertion are not
\par > satisfied."\}
\par >
\par > It works fine when I run with the UserNameAssertion. My policy looks like
\par > this:
\par >
\par > <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
\par >
\par > <extensions>
\par >
\par > <extension name="usernameOverTransportSecurity"
\par > type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion,
\par > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
\par > PublicKeyToken=31bf3856ad364e35" />
\par >
\par > <extension name="kerberosSecurity"
\par > type="Microsoft.Web.Services3.Design.KerberosAssertion,
\par > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
\par > PublicKeyToken=31bf3856ad364e35" />
\par >
\par > <extension name="requireActionHeader"
\par > type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
\par > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
\par > PublicKeyToken=31bf3856ad364e35" />
\par >
\par > <extension name="policyChoice"
\par > type="MindKey.License.Assertion.PolicyChoiceAssertion, Service Assertion
\par > Library"/>
\par >
\par > </extensions>
\par >
\par > <policy name="ServicePolicy">
\par >
\par > <policyChoice>
\par >
\par > <usernameOverTransportSecurity />
\par >
\par > <kerberosSecurity establishSecurityContext="false"
\par > renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
\par > messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
\par > ttlInSeconds="300">
\par >
\par > <protection>
\par >
\par > <request signatureOptions="IncludeAddressing, IncludeTimestamp,
\par > IncludeSoapBody" encryptBody="true" />
\par >
\par > <response signatureOptions="IncludeAddressing, IncludeTimestamp,
\par > IncludeSoapBody" encryptBody="true" />
\par >
\par > <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
\par > IncludeSoapBody" encryptBody="false" />
\par >
\par > </protection>
\par >
\par > </kerberosSecurity>
\par >
\par > </policyChoice>
\par >
\par > <requireActionHeader />
\par >
\par > </policy>
\par >
\par > </policies>
\par >
\par > and the code calling using the KerberosAssertion looks like this:
\par > TestWS testWS = new TestWS();
\par >
\par > KerberosAssertion assertion = new KerberosAssertion();
\par >
\par > assertion.KerberosTokenProvider = new KerberosTokenProvider("host/" +
\par > System.Net.Dns.GetHostName(), ImpersonationLevel.Identification);
\par >
\par > Policy policy = new Policy();
\par >
\par > policy.Assertions.Add(assertion);
\par >
\par > testWS.SetPolicy(policy);
\par >
\par > MessageBox.Show(testWS.HelloWorld());
\par >
\par >
\par > I hope you can help me!
\par >
\par > Thanks Henrik.
\par >
\par > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
\par > news:dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
\par >> Hi Henrik,
\par >>
\par >> As for attaching different kinds of Security Tokens in the client request and
\par >> letting the server-side policy access and perform authentication on all of them
\par >> (or some of them...), that's certainly possible. However, currently the built-in
\par >> WSE 3.0 PolicyAssertions (UsernameOverTransport, KerberosSecurity...)
\par >> only target a single type of security token. So if you need to have your
\par >> service utilize a policy which will authenticate multiple client security
\par >> tokens (of different types), we should create our own PolicyAssertion
\par >> classes. For creating a WSE 3.0 custom Policy Assertion, you can refer to the
\par >>
\par >> "Custom Policy Assertions"
\par >>
\par >> section in the WSE 3.0 documentation. The QuickStart samples also
\par >> include a Custom Policy example. Also, the important thing is that we need to
\par >> define the proper InputFilters and OutputFilters for our custom PolicyAssertion.
\par >> And for a security Policy Assertion, we should make our InputFilter and
\par >> OutputFilter derive from the "ReceiveSecurityFilter" and "SendSecurityFilter"
\par >> classes.
\par >>
\par >> After we define the custom PolicyAssertion, we can use it programmatically
\par >> in code or define it in the Policy file statically.
\par >>
\par >> Hope this helps. Thanks,
\par >>
\par >> Steven Cheng
\par >> Microsoft Online Support
\par >>
\par >> Get Secure! www.microsoft.com/security
\par >> (This posting is provided "AS IS", with no warranties, and confers no
\par >> rights.)
\par >>
\par >>
\par >>
\par >> --------------------
\par >> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
\par >> References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx>
\par >> Subject: Re: UserName and Kerberos tokens at the same time
\par >> Date: Thu, 24 Nov 2005 17:29:10 +0100
\par >> Lines: 19
\par >> X-Priority: 3
\par >> X-MSMail-Priority: Normal
\par >> X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
\par >> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
\par >> X-RFC2646: Format=Flowed; Response
\par >> Message-ID: <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx>
\par >> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
\par >> NNTP-Posting-Host: 80.63.142.94
\par >> Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
\par >> Xref: TK2MSFTNGXA02.phx.gbl
\par >> microsoft.public.dotnet.framework.webservices.enhancements:7731
\par >> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
\par >>
\par >> Extra comment:
\par >>
\par >> It should also be a policy.
\par >>
\par >> "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
\par >> news:uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxxxxx
\par >>> Hi,
\par >>>
\par >>> I would like to authorize the user using a Kerberos, a UserName or a
\par >>> custom token depending on what I receive from the user.
\par >>>
\par >>> Is that possible?
\par >>>
\par >>> Thanks
\par >>>
\par >>> Henrik
\par >>>
\par >>
\par >>
\par >>
\par >
\par >
\par >
\par
\par
\par \pard
\par
\par }
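Steven's advice above (a custom PolicyAssertion whose service input filter derives from ReceiveSecurityFilter) is the route to Henrik's original question of accepting either a Kerberos token or a UsernameToken on one endpoint. The following is an added example written for this page; it is not code from the thread, from Henrik's project, or from the WSE samples. It assumes WSE 3.0 (Microsoft.Web.Services3.dll) and uses the base-class members the WSE 3.0 "Custom Policy Assertions" walkthrough documents (SecurityPolicyAssertion, ReceiveSecurityFilter, the four Create*Filter overrides, SecurityFault); the class names KerberosOrUsernameAssertion, KerberosOrUsernameServiceInputFilter and CombinedServicePolicy are hypothetical. The check it makes explicit is the one behind the WSE2005 fault quoted in the thread: for the Kerberos branch the token must be the one that signed the SOAP body, not merely be present in the header.

```csharp
// Added example, not from the thread. Assumes WSE 3.0 is referenced; the WSE member
// names below follow the WSE 3.0 custom policy assertion walkthrough and should be
// checked against the SDK documentation for the installed build.
using System;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

// Service-side assertion that accepts a request authenticated with EITHER a
// Kerberos token or a UsernameToken. It is meant to be added programmatically
// (Policy.Assertions.Add), so the ReadXml/WriteXml overrides that a policy file
// would need are left out. Class name is hypothetical.
public class KerberosOrUsernameAssertion : SecurityPolicyAssertion
{
    // Only the service input stage needs a filter. Returning null for a stage
    // means "no filter for this stage", as the built-in RequireActionHeader
    // assertion does for its output stages.
    public override SoapFilter CreateServiceInputFilter(FilterCreationContext context)
    {
        return new KerberosOrUsernameServiceInputFilter(this);
    }
    public override SoapFilter CreateServiceOutputFilter(FilterCreationContext context) { return null; }
    public override SoapFilter CreateClientInputFilter(FilterCreationContext context) { return null; }
    public override SoapFilter CreateClientOutputFilter(FilterCreationContext context) { return null; }
}

public class KerberosOrUsernameServiceInputFilter : ReceiveSecurityFilter
{
    public KerberosOrUsernameServiceInputFilter(KerberosOrUsernameAssertion parent)
        : base(parent.ServiceActor, false) { }

    // WSE calls this after it has parsed the Security header, run the token
    // managers and verified any signatures. Our job is to decide whether what
    // it found satisfies this policy.
    public override void ValidateMessageSecurity(SoapEnvelope envelope, Security security)
    {
        SecurityToken authToken = null;

        // Kerberos branch: the Kerberos token must be the token that SIGNED the
        // SOAP body. That is what the built-in KerberosAssertion's <protection>
        // element demands, and why a header that merely carries a KerberosToken
        // fails with "Protection requirements ... are not satisfied".
        foreach (ISecurityElement element in security.Elements)
        {
            MessageSignature sig = element as MessageSignature;
            if (sig == null) continue;
            if (sig.SigningToken is KerberosToken &&
                (sig.SignatureOptions & SignatureOptions.IncludeSoapBody) != 0)
            {
                authToken = sig.SigningToken;
                break;
            }
        }

        // Username branch: accept a UsernameToken without a message signature,
        // which is what UsernameOverTransportAssertion does. This is only safe
        // when the transport is TLS (Henrik's SSL case); without it the token
        // is replayable. WSE has already invoked the configured
        // UsernameTokenManager on the token while parsing the header.
        if (authToken == null)
        {
            foreach (SecurityToken token in security.Tokens)
            {
                if (token is UsernameToken) { authToken = token; break; }
            }
        }

        if (authToken == null)
        {
            // SecurityFault is turned into a SOAP fault for the caller.
            throw new SecurityFault(
                "Request carries neither a body-signing Kerberos token nor a UsernameToken.");
        }
        // authToken is the caller's identity; the service method can read the
        // header's tokens through RequestSoapContext.Current.Security.Tokens.
    }
}

// Programmatic policy, attached to the service class with
// [Policy(typeof(CombinedServicePolicy))]. Hypothetical name.
public class CombinedServicePolicy : Policy
{
    public CombinedServicePolicy()
    {
        Assertions.Add(new KerberosOrUsernameAssertion());
        Assertions.Add(new RequireActionHeaderAssertion());
    }
}
```

The deliberate asymmetry is the point: a Kerberos token is only trusted when it is bound to the body by a signature, while the UsernameToken branch inherits the weaker transport-only model of UsernameOverTransport and must stay behind TLS. If the client should be able to pick either token, the client side still needs the matching built-in assertion (KerberosAssertion with protection settings equal to what the service checks, or UsernameOverTransportAssertion), since this assertion supplies no client output filter.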