Re: UserName and Kerberos tokens at the same time
- From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 21:22:40 +0100
Hi again Steven,
Again, thank you very much for looking into this problem for me.
I just tried to run my test project on a colleague's machine and he gets the
same error. I guess that there is nothing special in our environment, we
have a normal DC. I used to run Kerberos authentication in WSE for .NET 1.1
and there it worked fine.
I have tried to run the two Quickstart examples:
WSSecurityKerberosPolicyService and WSSecurityKerberosCodeService and there
I get the following exception (inner exception of a soap exception)
"Security requirements are not satisfied because the security header is not
present in the incoming message.".
But when I run my test project which is using a custom policy I get the
following exception:
WSE2005: Protection requirements in KerberosAssertion are not satisfied
I guess that it basically is the same problem I am having in the two
solutions.
I can see that the Kerberos token is being generated and assigned to the proxy.
I am BTW running the web service on the built-in ASP.NET Development
Server, if that has anything to do with the problem? Has it something to do
with impersonation?
Any ideas??
Thanks Henrik.
"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:t5c47rn9FHA.4028@xxxxxxxxxxxxxxxxxxxxxxxx
> Thanks for your followup Henrik,
>
> Then, it seems that the Kerberos token is not quite attached correctly at
> client side... Have you ensured that the environment is qualified for using
> Kerberos authentication? Are you in a certain domain environment with a
> KDC (or DC...)?
>
> Regards,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
> --------------------
> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
> References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx>
> <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx>
> <dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxx>
> <OS79EfF9FHA.1484@xxxxxxxxxxxxxxxxxxxx>
> <7SHqboN9FHA.4000@xxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: UserName and Kerberos tokens at the same time
> Date: Tue, 29 Nov 2005 20:57:13 +0100
> Lines: 285
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> X-RFC2646: Format=Flowed; Original
> Message-ID: <eG42Y8R9FHA.3416@xxxxxxxxxxxxxxxxxxxx>
> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> NNTP-Posting-Host: 80.63.142.94
> Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
> Xref: TK2MSFTNGXA02.phx.gbl
> microsoft.public.dotnet.framework.webservices.enhancements:7770
> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
>
> Hi Steven,
>
> Thank you for your reply.
>
> Yes, it works well with the UsernameToken.
>
> I get the same exception without the choiceAssertion. I have changed the
> policy to this:
> <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
>
> <extensions>
>
> <extension name="kerberosSecurity"
> type="Microsoft.Web.Services3.Design.KerberosAssertion,
> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> PublicKeyToken=31bf3856ad364e35" />
>
> <extension name="requireActionHeader"
> type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
> PublicKeyToken=31bf3856ad364e35" />
>
> </extensions>
>
> <policy name="ServicePolicy">
>
> <kerberosSecurity establishSecurityContext="false"
> renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
> messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
> ttlInSeconds="300">
>
> <protection>
>
> <request signatureOptions="IncludeAddressing, IncludeTimestamp,
> IncludeSoapBody" encryptBody="true" />
>
> <response signatureOptions="IncludeAddressing, IncludeTimestamp,
> IncludeSoapBody" encryptBody="true" />
>
> <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
> IncludeSoapBody" encryptBody="false" />
>
> </protection>
>
> </kerberosSecurity>
>
> <requireActionHeader />
>
> </policy>
>
> </policies>
>
> Do I need some signing or encryption? I guess that I don't need it because I
> am running over SSL, but maybe the KerberosAssertion requires it?
>
> Regards
>
> Henrik.
>
> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:7SHqboN9FHA.4000@xxxxxxxxxxxxxxxxxxxxxxxx
>> Hi Henrik,
>>
>> From the error message, the request message's security header doesn't meet the
>> server policy assertion's requirement. Also, this occurs when you are using the
>> Kerberos token at client side, but works well when you are using UsernameToken,
>> yes? Have you ever tried only using the Kerberos token from client side
>> (without using choiceAssertion) to see whether you can get the Kerberos token
>> to work correctly?
>>
>> Thanks,
>>
>> Steven Cheng
>> Microsoft Online Support
>>
>> Get Secure! www.microsoft.com/security
>> (This posting is provided "AS IS", with no warranties, and confers no
>> rights.)
>>
>>
>> --------------------
>> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
>> References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx>
>> <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx>
>> <dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: UserName and Kerberos tokens at the same time
>> Date: Mon, 28 Nov 2005 21:10:22 +0100
>> Lines: 176
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>> X-RFC2646: Format=Flowed; Original
>> Message-ID: <OS79EfF9FHA.1484@xxxxxxxxxxxxxxxxxxxx>
>> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
>> NNTP-Posting-Host: 80.63.142.94
>> Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
>> Xref: TK2MSFTNGXA02.phx.gbl
>> microsoft.public.dotnet.framework.webservices.enhancements:7756
>> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
>>
>> Hi Steven,
>>
>> Again thank you very much for your reply. I tried to implement the
>> PolicyChoiceAssertion from the example but now I get an exception when I run
>> with the KerberosAssertion. The code throws the exception when I call
>> HelloWorld in the example below. The PolicyChoiceAssertion is the same as
>> the one from the example.
>>
>> Exception:
>> {"WSE2005: Protection requirements in KerberosAssertion are not
>> satisfied."}
>>
>> It works fine when I run with the UserNameAssertion. My policy looks like
>> this:
>>
>> <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
>>
>> <extensions>
>>
>> <extension name="usernameOverTransportSecurity"
>> type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion,
>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
>> PublicKeyToken=31bf3856ad364e35" />
>>
>> <extension name="kerberosSecurity"
>> type="Microsoft.Web.Services3.Design.KerberosAssertion,
>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
>> PublicKeyToken=31bf3856ad364e35" />
>>
>> <extension name="requireActionHeader"
>> type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
>> PublicKeyToken=31bf3856ad364e35" />
>>
>> <extension name="policyChoice"
>> type="MindKey.License.Assertion.PolicyChoiceAssertion, Service Assertion
>> Library"/>
>>
>> </extensions>
>>
>> <policy name="ServicePolicy">
>>
>> <policyChoice>
>>
>> <usernameOverTransportSecurity />
>>
>> <kerberosSecurity establishSecurityContext="false"
>> renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
>> messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
>> ttlInSeconds="300">
>>
>> <protection>
>>
>> <request signatureOptions="IncludeAddressing, IncludeTimestamp,
>> IncludeSoapBody" encryptBody="true" />
>>
>> <response signatureOptions="IncludeAddressing, IncludeTimestamp,
>> IncludeSoapBody" encryptBody="true" />
>>
>> <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
>> IncludeSoapBody" encryptBody="false" />
>>
>> </protection>
>>
>> </kerberosSecurity>
>>
>> </policyChoice>
>>
>> <requireActionHeader />
>>
>> </policy>
>>
>> </policies>
>>
>> and the code calling using the KerberosAssertion looks like this:
>>
>> using System.Windows.Forms;
>> using Microsoft.Web.Services3;                 // Policy
>> using Microsoft.Web.Services3.Design;          // KerberosAssertion
>> using Microsoft.Web.Services3.Security.Tokens; // KerberosTokenProvider, ImpersonationLevel
>>
>> TestWS testWS = new TestWS();
>>
>> // Kerberos assertion with a token provider for the service host's SPN
>> KerberosAssertion assertion = new KerberosAssertion();
>> assertion.KerberosTokenProvider = new KerberosTokenProvider("host/" +
>> System.Net.Dns.GetHostName(), ImpersonationLevel.Identification);
>>
>> // Programmatic client policy containing only the Kerberos assertion
>> Policy policy = new Policy();
>> policy.Assertions.Add(assertion);
>> testWS.SetPolicy(policy);
>>
>> // The WSE2005 exception is thrown on this call
>> MessageBox.Show(testWS.HelloWorld());
>>
>>
>> I hope you can help me!
>>
>> Thanks Henrik.
>>
>> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
>>> Hi Henrik,
>>>
>>> As for attaching different kinds of Security Tokens in the client request and
>>> letting the server-side policy access and perform authentication on all of them
>>> (or some of them...), that's certainly possible. However, currently the built-in
>>> WSE 3.0 PolicyAssertions (UsernameOverTransport, KerberosSecurity...)
>>> only target a single type of security token. So if you need to have your
>>> service utilize a policy which will authenticate multiple client security
>>> tokens (of different types), we should create our own PolicyAssertion
>>> classes. For creating a WSE 3.0 custom Policy Assertion, you can refer to the
>>>
>>> "Custom Policy Assertions"
>>>
>>> section in the WSE 3.0 Document. And the QuickStart samples also include a
>>> Custom Policy example. Also, the important thing is that we need to define
>>> the proper InputFilters and OutputFilters for our custom PolicyAssertion.
>>> And for a security Policy Assertion, we should make our inputFilter and
>>> outputFilter derive from the "ReceiveSecurityFilter" and "SendSecurityFilter"
>>> classes.
>>>
>>> After we define the custom PolicyAssertion, we can use it programmatically
>>> in code or define it in the Policy file statically.
>>>
>>> Hope this helps. Thanks,
>>>
>>> Steven Cheng
>>> Microsoft Online Support
>>>
>>> Get Secure! www.microsoft.com/security
>>> (This posting is provided "AS IS", with no warranties, and confers no
>>> rights.)
>>>
>>>
>>>
>>> --------------------
>>> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
>>> References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx>
>>> Subject: Re: UserName and Kerberos tokens at the same time
>>> Date: Thu, 24 Nov 2005 17:29:10 +0100
>>> Lines: 19
>>> X-Priority: 3
>>> X-MSMail-Priority: Normal
>>> X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>>> X-RFC2646: Format=Flowed; Response
>>> Message-ID: <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx>
>>> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
>>> NNTP-Posting-Host: 80.63.142.94
>>> Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
>>> Xref: TK2MSFTNGXA02.phx.gbl
>>> microsoft.public.dotnet.framework.webservices.enhancements:7731
>>> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
>>>
>>> Extra comment:
>>>
>>> It should also be a policy.
>>>
>>> "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
>>> news:uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Hi,
>>>>
>>>> I would like to authorize the user using a Kerberos, a UserName or a
>>>> custom token depending on what I receive from the user.
>>>>
>>>> Is that possible?
>>>>
>>>> Thanks
>>>>
>>>> Henrik
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
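The thread turns on whether the message protection a policy demands (which parts are signed, whether the body is encrypted) is actually met by the other side; the WSE2005 "Protection requirements in KerberosAssertion are not satisfied" error is what WSE raises when it is not. The following is an added example, not code from the thread or from WSE: an offline checker, standard-library Python only, that parses the <protection> block of a WSE 3.0 policy file (the ServicePolicy posted above), reports which signature and encryption requirements a given sender would fail to meet, and flags settings a reviewer would question. The client-side settings in CLIENT_REQUEST are a constructed assumption for the example, not WSE's documented defaults, and the function names are the example's own.

```python
"""Offline checker for the <protection> block of WSE 3.0 policy files.

Added example, not code from the thread or from WSE itself. It reads the
policy XML with the standard library only; the "client" side is a constructed
dictionary, not WSE's real programmatic defaults.
"""
import xml.etree.ElementTree as ET

WSE_NS = "http://schemas.microsoft.com/wse/2005/06/policy"


def _q(local):
    """Qualify a local element name with the WSE policy namespace."""
    return "{%s}%s" % (WSE_NS, local)


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


# Server policy as posted in the thread (the <extensions> block is omitted:
# it only maps element names to assertion types and carries no protection settings).
SERVER_POLICY_XML = """<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <policy name="ServicePolicy">
    <kerberosSecurity establishSecurityContext="false"
        renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
        messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
        ttlInSeconds="300">
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp,
          IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp,
          IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
          IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>"""


def parse_protection(policy_xml):
    """Return {policy name: {assertion: {message: {"sign": set, "encrypt": bool}}}}."""
    root = ET.fromstring(policy_xml)
    policies = {}
    for policy in root.iter(_q("policy")):
        assertions = {}
        for assertion in policy:
            protection = assertion.find(_q("protection"))
            if protection is None:
                continue  # e.g. <requireActionHeader/>: no message protection
            messages = {}
            for msg in protection:
                raw = msg.get("signatureOptions", "")
                signed = {part.strip() for part in raw.split(",") if part.strip()}
                encrypt = msg.get("encryptBody", "false").strip().lower() == "true"
                messages[_local(msg.tag)] = {"sign": signed, "encrypt": encrypt}
            assertions[_local(assertion.tag)] = messages
        policies[policy.get("name")] = assertions
    return policies


def unmet_requirements(required, produced):
    """Gaps between what a receiver demands for one message and what the
    sender's settings actually produce. An empty list means the message
    would pass the receiver's protection check."""
    gaps = ["signature does not cover " + part
            for part in sorted(required["sign"] - produced["sign"])]
    if required["encrypt"] and not produced["encrypt"]:
        gaps.append("body is not encrypted")
    return gaps


def weak_settings(messages):
    """Flag protection settings a reviewer would question for a token-secured
    exchange: unsigned timestamp (replay), unsigned addressing headers
    (rerouting), or an unencrypted body on request/response."""
    findings = []
    for name, settings in messages.items():
        if "IncludeTimestamp" not in settings["sign"]:
            findings.append("%s: timestamp not signed" % name)
        if "IncludeAddressing" not in settings["sign"]:
            findings.append("%s: addressing headers not signed" % name)
        if name in ("request", "response") and not settings["encrypt"]:
            findings.append("%s: body sent in clear" % name)
    return findings


# Constructed client-side request settings (an assumption for the example):
# a KerberosAssertion built in code that signs only the timestamp and body
# and does not encrypt the body.
CLIENT_REQUEST = {"sign": {"IncludeTimestamp", "IncludeSoapBody"}, "encrypt": False}


def check_client_against_server(server_xml=SERVER_POLICY_XML, client_request=CLIENT_REQUEST):
    """What the server's kerberosSecurity <request> protection demands that the client does not provide."""
    server = parse_protection(server_xml)["ServicePolicy"]["kerberosSecurity"]
    return unmet_requirements(server["request"], client_request)


if __name__ == "__main__":
    for gap in check_client_against_server():
        print("request would be rejected:", gap)
    kerberos = parse_protection(SERVER_POLICY_XML)["ServicePolicy"]["kerberosSecurity"]
    for finding in weak_settings(kerberos):
        print("review:", finding)
```

Run against the posted ServicePolicy, the constructed client settings fail on two counts (addressing headers not covered by the signature, body not encrypted), which is the kind of mismatch that surfaces as WSE2005 rather than as a clear-text message being accepted. Transport-level SSL does not change the result: the protection block is checked on the SOAP message itself, so a policy that declares signing and encryption requires them regardless of the transport.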