Re: UserName and Kerberos tokens at the same time



{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 Thanks for your response and further info.
\par
\par I think the problem is likely due to the ASP.NET environment. Is your client application (which calls the webservice) also an ASP.NET application? The Kerberos security token will try to establish the security token through the current execution context's security credential, which must be a domain user account that can be authenticated by the KDC (normally just the DC). So for ASP.NET the process identity is probably not a proper account. I would suggest you try the code in a WinForm client or console application, since in a console or WinForm app the current security context is the logon user session (which is likely a domain user ....) ...
\par
\par Also, you can check the following notes in the WSE documentation (if your webservice is on a machine other than Windows 2003 Server):
\par ====================
\par Kerberos tokens work on computers with Windows Server 2003 or Windows XP with Service Pack 1 installed. When Windows XP is used, the account ASP.NET runs under is ASPNET by default and must be granted the Act as part of the operating system privilege. By default, the ASPNET account does not have this privilege. It is suggested that you run your Kerberos-secured Web services on Windows Server 2003. On Windows Server 2003, the Act as part of the operating system privilege is not required. On Windows XP you can configure the ASPNET account to have the Act as part of the operating system privilege using the Local Security Policy management application, but you should be aware that this affects all ASP.NET applications and results in less security for ASP.NET applications. Windows 2000 is not a supported operating system for this feature.
\par
\par ===================
\par
\par Thanks,
\par
\par Steven Cheng
\par Microsoft Online Support
\par
\par Get Secure! www.microsoft.com/security
\par (This posting is provided "AS IS", with no warranties, and confers no rights.)
\par
\par
\par
\par \pard\li720 --------------------
\par From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
\par References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx> <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx> <dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxx> <OS79EfF9FHA.1484@xxxxxxxxxxxxxxxxxxxx> <7SHqboN9FHA.4000@xxxxxxxxxxxxxxxxxxxxx> <eG42Y8R9FHA.3416@xxxxxxxxxxxxxxxxxxxx> <t5c47rn9FHA.4028@xxxxxxxxxxxxxxxxxxxxx> <Osge9Tr9FHA.4036@xxxxxxxxxxxxxxxxxxxx>
\par Subject: Re: UserName and Kerberos tokens at the same time
\par Date: Fri, 2 Dec 2005 13:25:57 +0100
\par Lines: 394
\par X-Priority: 3
\par X-MSMail-Priority: Normal
\par X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
\par X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
\par X-RFC2646: Format=Flowed; Response
\par Message-ID: <#WX2Nuz9FHA.2708@xxxxxxxxxxxxxxxxxxxx>
\par Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
\par NNTP-Posting-Host: 80.63.142.94
\par Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
\par Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:7813
\par X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
\par
\par Extra info:
\par
\par If I run the example Kerberos solution I get a detailed error message:
\par
\par Microsoft.Web.Services3.Security.SecurityFault: An invalid security token
\par was provided ---> System.Security.SecurityException: WSE594:
\par AcceptSecurityContext call failed with the following error message: Logon
\par failure: unknown user name or bad password. . at
\par Microsoft.Web.Services3.Security.Tokens.Kerberos.KerberosServerContext.AcceptContext(Byte[]
\par inToken) at
\par
\par Does that help you in any way?
\par
\par "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
\par news:Osge9Tr9FHA.4036@xxxxxxxxxxxxxxxxxxxxxxx
\par > Hi again Steven,
\par >
\par > Again, thank you very much for looking into this problem for me.
\par >
\par > I just tried to run my test project on a colleague's machine and he gets
\par > the same error. I guess that there is nothing special in our environment,
\par > we have a normal DC. I used to run Kerberos authentication in WSE for .NET
\par > 1.1 and there it worked fine.
\par >
\par > I have tried to run the two Quickstart examples:
\par > WSSecurityKerberosPolicyService and WSSecurityKerberosCodeService and
\par > there I get the following exception (inner exception of a soap exception)
\par >
\par > "Security requirements are not satisfied because the security header is
\par > not present in the incoming message.".
\par >
\par > But when I run my test project which is using a custom policy I get the
\par > following exception:
\par >
\par > WSE2005: Protection requirements in KerberosAssertion are not satisfied
\par >
\par > I guess that it basically is the same problem I am having with the two
\par > solutions.
\par >
\par > I can see that the Kerberos token is being generated and assigned to the proxy.
\par >
\par > I am BTW running the web service on the built-in ASP.NET Development
\par > Server, if that has anything to do with the problem? Has it something to do
\par > with impersonation?
\par >
\par > Any ideas??
\par >
\par > Thanks Henrik.
\par >
\par >
\par > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
\par > news:t5c47rn9FHA.4028@xxxxxxxxxxxxxxxxxxxxxxxx
\par >> Thanks for your followup Henrik,
\par >>
\par >> Then, it seems that the Kerberos token is not quite attached correctly at
\par >> the client side... Have you ensured that the environment is qualified for
\par >> using Kerberos authentication? Are you in a domain environment with a
\par >> KDC (or DC....)?
\par >>
\par >> Regards,
\par >>
\par >> Steven Cheng
\par >> Microsoft Online Support
\par >>
\par >> Get Secure! www.microsoft.com/security
\par >> (This posting is provided "AS IS", with no warranties, and confers no
\par >> rights.)
\par >>
\par >> --------------------
\par >> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
\par >> References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx>
\par >> <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx>
\par >> <dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxx>
\par >> <OS79EfF9FHA.1484@xxxxxxxxxxxxxxxxxxxx>
\par >> <7SHqboN9FHA.4000@xxxxxxxxxxxxxxxxxxxxx>
\par >> Subject: Re: UserName and Kerberos tokens at the same time
\par >> Date: Tue, 29 Nov 2005 20:57:13 +0100
\par >> Lines: 285
\par >> X-Priority: 3
\par >> X-MSMail-Priority: Normal
\par >> X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
\par >> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
\par >> X-RFC2646: Format=Flowed; Original
\par >> Message-ID: <eG42Y8R9FHA.3416@xxxxxxxxxxxxxxxxxxxx>
\par >> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
\par >> NNTP-Posting-Host: 80.63.142.94
\par >> Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
\par >> Xref: TK2MSFTNGXA02.phx.gbl
\par >> microsoft.public.dotnet.framework.webservices.enhancements:7770
\par >> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
\par >>
\par >> Hi Steven,
\par >>
\par >> Thank you for your reply.
\par >>
\par >> Yes, it works well with the UsernameToken.
\par >>
\par >> I get the same exception without the choiceAssertion. I have changed the
\par >> policy to this:
\par >> <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
\par >>
\par >> <extensions>
\par >>
\par >> <extension name="kerberosSecurity"
\par >> type="Microsoft.Web.Services3.Design.KerberosAssertion,
\par >> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
\par >> PublicKeyToken=31bf3856ad364e35" />
\par >>
\par >> <extension name="requireActionHeader"
\par >> type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
\par >> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
\par >> PublicKeyToken=31bf3856ad364e35" />
\par >>
\par >> </extensions>
\par >>
\par >> <policy name="ServicePolicy">
\par >>
\par >> <kerberosSecurity establishSecurityContext="false"
\par >> renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
\par >> messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
\par >> ttlInSeconds="300">
\par >>
\par >> <protection>
\par >>
\par >> <request signatureOptions="IncludeAddressing, IncludeTimestamp,
\par >> IncludeSoapBody" encryptBody="true" />
\par >>
\par >> <response signatureOptions="IncludeAddressing, IncludeTimestamp,
\par >> IncludeSoapBody" encryptBody="true" />
\par >>
\par >> <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
\par >> IncludeSoapBody" encryptBody="false" />
\par >>
\par >> </protection>
\par >>
\par >> </kerberosSecurity>
\par >>
\par >> <requireActionHeader />
\par >>
\par >> </policy>
\par >>
\par >> </policies>
\par >>
\par >> Do I need some signing or encryption? I guess that I don't need it because
\par >> I am running over SSL, but maybe the KerberosAssertion requires it?
\par >>
\par >> Regards
\par >>
\par >> Henrik.
\par >>
\par >> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
\par >> news:7SHqboN9FHA.4000@xxxxxxxxxxxxxxxxxxxxxxxx
\par >>> Hi Henrik,
\par >>>
\par >>> From the error message, the request message's security header doesn't
\par >>> meet the server policy assertion's requirement. Also, this occurs when
\par >>> you use the Kerberos token at the client side, but works well when you
\par >>> use the UsernameToken, yes? Have you ever tried only using the Kerberos
\par >>> token from the client side (without using the choiceAssertion) to see
\par >>> whether you can get the Kerberos token to work correctly?
\par >>>
\par >>> Thanks,
\par >>>
\par >>> Steven Cheng
\par >>> Microsoft Online Support
\par >>>
\par >>> Get Secure! www.microsoft.com/security
\par >>> (This posting is provided "AS IS", with no warranties, and confers no
\par >>> rights.)
\par >>>
\par >>>
\par >>> --------------------
\par >>> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
\par >>> References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx>
\par >>> <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx>
\par >>> <dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxx>
\par >>> Subject: Re: UserName and Kerberos tokens at the same time
\par >>> Date: Mon, 28 Nov 2005 21:10:22 +0100
\par >>> Lines: 176
\par >>> X-Priority: 3
\par >>> X-MSMail-Priority: Normal
\par >>> X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
\par >>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
\par >>> X-RFC2646: Format=Flowed; Original
\par >>> Message-ID: <OS79EfF9FHA.1484@xxxxxxxxxxxxxxxxxxxx>
\par >>> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
\par >>> NNTP-Posting-Host: 80.63.142.94
\par >>> Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
\par >>> Xref: TK2MSFTNGXA02.phx.gbl
\par >>> microsoft.public.dotnet.framework.webservices.enhancements:7756
\par >>> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
\par >>>
\par >>> Hi Steven,
\par >>>
\par >>> Again thank you very much for your reply. I tried to implement the
\par >>> PolicyChoiceAssertion from the example but now I get an exception when I
\par >>> run with the KerberosAssertion. The code throws the exception when I call
\par >>> HelloWorld in the example below. The PolicyChoiceAssertion is the same as
\par >>> the one from the example.
\par >>>
\par >>> Exception:
\par >>> \{"WSE2005: Protection requirements in KerberosAssertion are not
\par >>> satisfied."\}
\par >>>
\par >>> It works fine when I run with the UserNameAssertion. My policy looks like
\par >>> this:
\par >>>
\par >>> <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
\par >>>
\par >>> <extensions>
\par >>>
\par >>> <extension name="usernameOverTransportSecurity"
\par >>> type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion,
\par >>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
\par >>> PublicKeyToken=31bf3856ad364e35" />
\par >>>
\par >>> <extension name="kerberosSecurity"
\par >>> type="Microsoft.Web.Services3.Design.KerberosAssertion,
\par >>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
\par >>> PublicKeyToken=31bf3856ad364e35" />
\par >>>
\par >>> <extension name="requireActionHeader"
\par >>> type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
\par >>> Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
\par >>> PublicKeyToken=31bf3856ad364e35" />
\par >>>
\par >>> <extension name="policyChoice"
\par >>> type="MindKey.License.Assertion.PolicyChoiceAssertion, Service Assertion
\par >>> Library"/>
\par >>>
\par >>> </extensions>
\par >>>
\par >>> <policy name="ServicePolicy">
\par >>>
\par >>> <policyChoice>
\par >>>
\par >>> <usernameOverTransportSecurity />
\par >>>
\par >>> <kerberosSecurity establishSecurityContext="false"
\par >>> renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
\par >>> messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
\par >>> ttlInSeconds="300">
\par >>>
\par >>> <protection>
\par >>>
\par >>> <request signatureOptions="IncludeAddressing, IncludeTimestamp,
\par >>> IncludeSoapBody" encryptBody="true" />
\par >>>
\par >>> <response signatureOptions="IncludeAddressing, IncludeTimestamp,
\par >>> IncludeSoapBody" encryptBody="true" />
\par >>>
\par >>> <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
\par >>> IncludeSoapBody" encryptBody="false" />
\par >>>
\par >>> </protection>
\par >>>
\par >>> </kerberosSecurity>
\par >>>
\par >>> </policyChoice>
\par >>>
\par >>> <requireActionHeader />
\par >>>
\par >>> </policy>
\par >>>
\par >>> </policies>
\par >>>
\par >>> and the calling code using the KerberosAssertion looks like this:
\par >>> using System.Windows.Forms;
\par >>> using Microsoft.Web.Services3.Design;          // KerberosAssertion, Policy
\par >>> using Microsoft.Web.Services3.Security.Tokens; // KerberosTokenProvider
\par >>>
\par >>> // TestWS is the generated WSE proxy (derives from WebServicesClientProtocol)
\par >>> TestWS testWS = new TestWS();
\par >>>
\par >>> // Request a service ticket for the SPN host/<this machine>; the service
\par >>> // may identify the caller but not impersonate it
\par >>> KerberosAssertion assertion = new KerberosAssertion();
\par >>>
\par >>> assertion.KerberosTokenProvider = new KerberosTokenProvider("host/" +
\par >>> System.Net.Dns.GetHostName(), ImpersonationLevel.Identification);
\par >>>
\par >>> // Attach the assertion as the proxy's client-side policy
\par >>> Policy policy = new Policy();
\par >>>
\par >>> policy.Assertions.Add(assertion);
\par >>>
\par >>> testWS.SetPolicy(policy);
\par >>>
\par >>> MessageBox.Show(testWS.HelloWorld());
\par >>>
\par >>>
\par >>> I hope you can help me!
\par >>>
\par >>> Thanks Henrik.
\par >>>
\par >>> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
\par >>> news:dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
\par >>>> Hi Henrik,
\par >>>>
\par >>>> As for attaching different kinds of security tokens in the client request
\par >>>> and letting the serverside policy access and perform authentication on all
\par >>>> of them (or some of them...), that's certainly possible. However, currently
\par >>>> the built-in WSE 3.0 PolicyAssertions (UsernameOverTransport,
\par >>>> KerberosSecurity...) only target a single type of security token. So if
\par >>>> you need to have your service utilize a policy which will authenticate
\par >>>> multiple client security tokens (of different types), we should create our
\par >>>> own PolicyAssertion classes. For creating a WSE 3.0 custom Policy
\par >>>> Assertion, you can refer to the
\par >>>>
\par >>>> "Custom Policy Assertions"
\par >>>>
\par >>>> section in the WSE 3.0 documentation. And the QuickStart samples also
\par >>>> include a Custom Policy example. Also, the important thing is that we need
\par >>>> to define the proper InputFilters and OutputFilters for our custom
\par >>>> PolicyAssertion. And for a security Policy Assertion, we should make our
\par >>>> inputFilter and outputFilter derive from the "ReceiveSecurityFilter" and
\par >>>> "SendSecurityFilter" classes.
\par >>>>
\par >>>> After we define the custom PolicyAssertion, we can use it programmatically
\par >>>> in code or define it in the Policy file statically.
\par >>>>
\par >>>> Hope this helps. Thanks,
\par >>>>
\par >>>> Steven Cheng
\par >>>> Microsoft Online Support
\par >>>>
\par >>>> Get Secure! www.microsoft.com/security
\par >>>> (This posting is provided "AS IS", with no warranties, and confers no
\par >>>> rights.)
\par >>>>
\par >>>>
\par >>>>
\par >>>> --------------------
\par >>>> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
\par >>>> References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx>
\par >>>> Subject: Re: UserName and Kerberos tokens at the same time
\par >>>> Date: Thu, 24 Nov 2005 17:29:10 +0100
\par >>>> Lines: 19
\par >>>> X-Priority: 3
\par >>>> X-MSMail-Priority: Normal
\par >>>> X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
\par >>>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
\par >>>> X-RFC2646: Format=Flowed; Response
\par >>>> Message-ID: <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx>
\par >>>> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
\par >>>> NNTP-Posting-Host: 80.63.142.94
\par >>>> Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
\par >>>> Xref: TK2MSFTNGXA02.phx.gbl
\par >>>> microsoft.public.dotnet.framework.webservices.enhancements:7731
\par >>>> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
\par >>>>
\par >>>> Extra comment:
\par >>>>
\par >>>> It should also be a policy.
\par >>>>
\par >>>> "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
\par >>>> news:uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxxxxx
\par >>>>> Hi,
\par >>>>>
\par >>>>> I would like to authorize the user using a Kerberos, a UserName or a
\par >>>>> custom token depending on what I receive from the user.
\par >>>>>
\par >>>>> Is that possible?
\par >>>>>
\par >>>>> Thanks
\par >>>>>
\par >>>>> Henrik
\par >>>>>
\par >>>>
\par >>>>
\par >>>>
\par >>>
\par >>>
\par >>>
\par >>
\par >>
\par >>
\par >
\par >
\par
\par
\par \pard
\par
\par }
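Steven's suggestion above (a custom PolicyAssertion whose service-side input filter derives from ReceiveSecurityFilter) is what Henrik's original question needs: one policy that accepts either a Kerberos token or a UsernameToken. The following is an added example written for this page; it is not code from the thread, from Henrik's PolicyChoiceAssertion, or from the WSE 3.0 QuickStart samples. The class names EitherTokenAssertion and EitherTokenServiceInputFilter and the <eitherToken /> policy element are hypothetical. The WSE 3.0 members it relies on are assumed from that API: the four filter-factory overrides and ReadXml on SecurityPolicyAssertion, the ReceiveSecurityFilter(string serviceActor, bool isClient) constructor and its ValidateMessageSecurity override, MessageSignature.SigningToken and MessageSignature.SignatureOptions, the SecurityFault message/code fields, and a settable SoapContext.IdentityToken.

```csharp
// Added example (not from this thread or the WSE 3.0 samples): a WSE 3.0
// security policy assertion whose service-side input filter accepts either
// a KerberosToken or a UsernameToken and rejects anything else.
// EitherTokenAssertion / EitherTokenServiceInputFilter / <eitherToken /> are
// hypothetical names; the WSE members used are assumed from the WSE 3.0 API.
using System;
using System.Collections.Generic;
using System.Web;
using System.Xml;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

public class EitherTokenAssertion : SecurityPolicyAssertion
{
    // Service side: decide whether what the client attached satisfies policy.
    public override SoapFilter CreateServiceInputFilter(FilterCreationContext context)
    {
        return new EitherTokenServiceInputFilter(this);
    }

    // No message-level protection of responses here; the thread runs over SSL.
    public override SoapFilter CreateServiceOutputFilter(FilterCreationContext context) { return null; }

    // Clients keep using the built-in KerberosAssertion or
    // UsernameOverTransportAssertion, so nothing is added on the client side.
    public override SoapFilter CreateClientInputFilter(FilterCreationContext context) { return null; }
    public override SoapFilter CreateClientOutputFilter(FilterCreationContext context) { return null; }

    // <eitherToken /> carries no attributes or children: just consume it.
    public override void ReadXml(XmlReader reader, IDictionary<string, Type> extensions)
    {
        reader.Skip();
    }
}

class EitherTokenServiceInputFilter : ReceiveSecurityFilter
{
    public EitherTokenServiceInputFilter(EitherTokenAssertion parent)
        : base(parent.ServiceActor, false)   // false: this is the service side
    {
    }

    // WSE has already authenticated the header tokens (AP-REQ accepted,
    // username/password checked) before this runs; this method only checks
    // that the authenticated material meets the policy.
    public override void ValidateMessageSecurity(SoapEnvelope envelope, Security security)
    {
        SecurityToken accepted = null;
        foreach (SecurityToken token in security.Tokens)
        {
            if (token is KerberosToken || token is UsernameToken)
            {
                accepted = token;
                break;
            }
        }
        if (accepted == null)
            throw new SecurityFault(SecurityFault.FailedAuthenticationMessage,
                                    SecurityFault.FailedAuthenticationCode);

        if (accepted is KerberosToken)
        {
            // Message security: the Kerberos token must have signed the body;
            // a token merely present in the header proves nothing about the body.
            if (!BodySignedBy(security, accepted))
                throw new SecurityFault(SecurityFault.FailedCheckMessage,
                                        SecurityFault.FailedCheckCode);
        }
        else
        {
            // Username over transport: only acceptable on an SSL connection.
            HttpContext http = HttpContext.Current;
            if (http == null || !http.Request.IsSecureConnection)
                throw new SecurityFault(SecurityFault.FailedCheckMessage,
                                        SecurityFault.FailedCheckCode);
        }

        // Hand the authenticated identity to the service method
        // (assumes SoapContext.IdentityToken is settable in WSE 3.0).
        envelope.Context.IdentityToken = accepted;
    }

    static bool BodySignedBy(Security security, SecurityToken token)
    {
        foreach (ISecurityElement element in security.Elements)
        {
            MessageSignature sig = element as MessageSignature;
            if (sig != null && sig.SigningToken == token &&
                (sig.SignatureOptions & SignatureOptions.IncludeSoapBody) != 0)
                return true;
        }
        return false;
    }
}
```

To use it from a policy file, map the element in the extensions section the same way the thread maps kerberosSecurity (an extension named eitherToken whose type is EitherTokenAssertion in your own assembly) and put <eitherToken /> in the service policy next to <requireActionHeader />; the service method then reads the caller from RequestSoapContext.Current.IdentityToken.Principal. The Kerberos branch can only succeed when the service process identity is able to decrypt the ticket for the SPN the client asked for ("host/" + the machine name in Henrik's code), which is exactly the AcceptSecurityContext "unknown user name or bad password" failure Steven attributes to the ASP.NET process account; the filter above does not change that, it only decides which already-authenticated token kinds the policy accepts.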