Re: UserName and Kerberos tokens at the same time
- From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
- Date: Fri, 2 Dec 2005 13:25:57 +0100
Extra info:
If I run the example Kerberos solution I get a detailed error message:
Microsoft.Web.Services3.Security.SecurityFault: An invalid security token
was provided ---> System.Security.SecurityException: WSE594:
AcceptSecurityContext call failed with the following error message: Logon
failure: unknown user name or bad password. . at
Microsoft.Web.Services3.Security.Tokens.Kerberos.KerberosServerContext.AcceptContext(Byte[]
inToken) at
Does that help you in any way?
"Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
news:Osge9Tr9FHA.4036@xxxxxxxxxxxxxxxxxxxxxxx
> Hi again Steven,
>
> Again, thank you very much for looking into this problem for me.
>
> I just tried to run my test project on a colleague's machine and he gets
> the same error. I guess that there is nothing special in our environment,
> we have a normal DC. I used to run Kerberos authentication in WSE for .NET
> 1.1 and there it worked fine.
>
> I have tried to run the two Quickstart examples:
> WSSecurityKerberosPolicyService and WSSecurityKerberosCodeService and
> there I get the following exception (inner exception of a soap exception)
>
> "Security requirements are not satisfied because the security header is
> not present in the incoming message.".
>
> But when I run my test project which is using a custom policy I get the
> following exception:
>
> WSE2005: Protection requirements in KerberosAssertion are not satisfied
>
> I guess that it basically is the same problem I am having with the two
> solutions.
>
> I can see that the Kerberos is being generated and assigned to the proxy.
>
> I am BTW running the web service on the built-in ASP.NET Development
> Server if that has anything to do with the problem? Has it something to do
> with impersonation?
>
> Any ideas??
>
> Thanks Henrik.
>
>
> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:t5c47rn9FHA.4028@xxxxxxxxxxxxxxxxxxxxxxxx
>> Thanks for your followup Henrik,
>>
>> Then, it seems that the Kerberos token is not quite attached correctly at
>> the client side... Have you ensured that the environment is qualified for
>> using Kerberos authentication? Are you in a domain environment with a
>> KDC (or DC...)?
>>
>> Regards,
>>
>> Steven Cheng
>> Microsoft Online Support
>>
>> Get Secure! www.microsoft.com/security
>> (This posting is provided "AS IS", with no warranties, and confers no
>> rights.)
>>
>> --------------------
>> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
>> Subject: Re: UserName and Kerberos tokens at the same time
>> Date: Tue, 29 Nov 2005 20:57:13 +0100
>>
>> Hi Steven,
>>
>> Thank you for your reply.
>>
>> Yes, it works well with the UsernameToken.
>>
>> I get the same exception without the choiceAssertion. I have changed the
>> policy to this:
>> <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
>>   <extensions>
>>     <extension name="kerberosSecurity"
>>       type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
>>     <extension name="requireActionHeader"
>>       type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
>>   </extensions>
>>   <policy name="ServicePolicy">
>>     <kerberosSecurity establishSecurityContext="false"
>>       renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
>>       messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
>>       ttlInSeconds="300">
>>       <protection>
>>         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
>>       </protection>
>>     </kerberosSecurity>
>>     <requireActionHeader />
>>   </policy>
>> </policies>
>>
>> Do I need some signing or encryption? I guess that I don't need it
>> because I am running over SSL, but maybe the KerberosAssertion requires it?
>>
>> Regards
>>
>> Henrik.
>>
>> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:7SHqboN9FHA.4000@xxxxxxxxxxxxxxxxxxxxxxxx
>>> Hi Henrik,
>>>
>>> From the error message, the request message's security header doesn't meet
>>> the server policy assertion's requirement. Also, this occurs when you are
>>> using the Kerberos token at the client side, but works well when you are
>>> using UsernameToken, yes? Have you ever tried only using the Kerberos token
>>> from the client side (without using choiceAssertion) to see whether you can
>>> get the Kerberos token to work correctly?
>>>
>>> Thanks,
>>>
>>> Steven Cheng
>>> Microsoft Online Support
>>>
>>> --------------------
>>> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
>>> Subject: Re: UserName and Kerberos tokens at the same time
>>> Date: Mon, 28 Nov 2005 21:10:22 +0100
>>>
>>> Hi Steven,
>>>
>>> Again thank you very much for your reply. I tried to implement the
>>> PolicyChoiceAssertion from the example but now I get an exception when I
>>> run with the KerberosAssertion. The code throws the exception when I call
>>> HelloWorld in the example below. The PolicyChoiceAssertion is the same as
>>> the one from the example.
>>>
>>> Exception:
>>> {"WSE2005: Protection requirements in KerberosAssertion are not satisfied."}
>>>
>>> It works fine when I run with the UserNameAssertion. My policy looks like
>>> this:
>>>
>>> <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
>>>   <extensions>
>>>     <extension name="usernameOverTransportSecurity"
>>>       type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
>>>     <extension name="kerberosSecurity"
>>>       type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
>>>     <extension name="requireActionHeader"
>>>       type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
>>>     <extension name="policyChoice"
>>>       type="MindKey.License.Assertion.PolicyChoiceAssertion, Service Assertion Library"/>
>>>   </extensions>
>>>   <policy name="ServicePolicy">
>>>     <policyChoice>
>>>       <usernameOverTransportSecurity />
>>>       <kerberosSecurity establishSecurityContext="false"
>>>         renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
>>>         messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
>>>         ttlInSeconds="300">
>>>         <protection>
>>>           <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>>           <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>>           <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
>>>         </protection>
>>>       </kerberosSecurity>
>>>     </policyChoice>
>>>     <requireActionHeader />
>>>   </policy>
>>> </policies>
>>>
>>> and the code calling using the KerberosAssertion looks like this:
>>>
>>> TestWS testWS = new TestWS();
>>> // Kerberos assertion targeting the host SPN of the local machine
>>> KerberosAssertion assertion = new KerberosAssertion();
>>> assertion.KerberosTokenProvider = new KerberosTokenProvider("host/" +
>>>     System.Net.Dns.GetHostName(), ImpersonationLevel.Identification);
>>> // Attach the assertion to the proxy through a code-built policy
>>> Policy policy = new Policy();
>>> policy.Assertions.Add(assertion);
>>> testWS.SetPolicy(policy);
>>> // This call throws the WSE2005 exception
>>> MessageBox.Show(testWS.HelloWorld());
>>>
>>>
>>> I hope you can help me!
>>>
>>> Thanks Henrik.
>>>
>>> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>> news:dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
>>>> Hi Henrik,
>>>>
>>>> As for attaching different kinds of security tokens in the client request
>>>> and letting the server-side policy access and perform authentication on
>>>> all of them (or some of them...), that's certainly possible. However,
>>>> currently the built-in WSE 3.0 PolicyAssertions (UsernameOverTransport,
>>>> KerberosSecurity...) only target a single type of security token. So if
>>>> you need to have your service utilize a policy which will authenticate
>>>> multiple client security tokens (of different types), we should create our
>>>> own PolicyAssertion classes. For creating a WSE 3.0 custom Policy
>>>> Assertion, you can refer to the
>>>>
>>>> "Custom Policy Assertions"
>>>>
>>>> section in the WSE 3.0 documentation. And the QuickStart samples also
>>>> include a Custom Policy example. Also, the important thing is that we need
>>>> to define the proper InputFilters and OutputFilters for our custom
>>>> PolicyAssertion. And for a security Policy Assertion, we should make our
>>>> inputFilter and outputFilter derive from the "ReceiveSecurityFilter" and
>>>> "SendSecurityFilter" classes.
>>>>
>>>> After we define the custom PolicyAssertion, we can use it
>>>> programmatically in code or define it in the policy file statically.
>>>>
>>>> Hope this helps. Thanks,
>>>>
>>>> Steven Cheng
>>>> Microsoft Online Support
>>>>
>>>> --------------------
>>>> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
>>>> Subject: Re: UserName and Kerberos tokens at the same time
>>>> Date: Thu, 24 Nov 2005 17:29:10 +0100
>>>>
>>>> Extra comment:
>>>>
>>>> It should also be a policy.
>>>>
>>>> "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
>>>> news:uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Hi,
>>>>>
>>>>> I would like to authorize the user using a Kerberos, a UserName or a
>>>>> custom token depending on what I receive from the user.
>>>>>
>>>>> Is that possible?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Henrik
>
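
An added example, not part of any post in this thread: a Python check that reads a WSE 3.0 policy file like the one quoted above and reports, per policy, which top-level assertions have no matching extension declaration and what signing and body encryption each message kind requires, so the service's requirements can be compared with what a client is configured to send. The function names are hypothetical and the sample is constructed from the quoted policy with the type names shortened.

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.microsoft.com/wse/2005/06/policy}"
# Constructed sample: the thread's policyChoice policy, type names shortened.
POLICY_XML = """
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameOverTransportSecurity" type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3" />
    <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3" />
    <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3" />
    <extension name="policyChoice" type="MindKey.License.Assertion.PolicyChoiceAssertion, Service Assertion Library" />
  </extensions>
  <policy name="ServicePolicy">
    <policyChoice>
      <usernameOverTransportSecurity />
      <kerberosSecurity establishSecurityContext="false" requireDerivedKeys="true">
        <protection>
          <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
        </protection>
      </kerberosSecurity>
    </policyChoice>
    <requireActionHeader />
  </policy>
</policies>
"""

def local(tag):
    return tag.split("}", 1)[-1]  # strip ElementTree's '{namespace}' prefix

def audit_policy(xml_text):
    """Per policy: undeclared top-level assertions, protection per message kind."""
    root = ET.fromstring(xml_text)
    declared = {e.get("name") for e in root.iter(NS + "extension")}
    report = {}
    for policy in root.iter(NS + "policy"):
        undeclared = [local(a.tag) for a in policy if local(a.tag) not in declared]
        protection = {}
        for assertion in policy.iter():  # also reaches assertions nested in policyChoice
            for msg in assertion.findall(NS + "protection/*"):
                opts = msg.get("signatureOptions", "")
                protection[(local(assertion.tag), local(msg.tag))] = {
                    "signed": [o.strip() for o in opts.split(",") if o.strip()],
                    # audit assumption: a missing encryptBody is reported as unencrypted
                    "encrypt_body": msg.get("encryptBody", "false").lower() == "true",
                }
        unencrypted = [k for k, v in protection.items() if not v["encrypt_body"]]
        report[policy.get("name")] = {"undeclared": undeclared, "protection": protection, "unencrypted": unencrypted}
    return report
```
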