Re: UserName and Kerberos tokens at the same time
- From: stcheng@xxxxxxxxxxxxxxxxxxxx (Steven Cheng[MSFT])
- Date: Thu, 08 Dec 2005 06:38:01 GMT
Hi Henrik,

So far I can't find any other effective means to troubleshoot the problem. Would you try the sample Kerberos application on another machine (server and client on the same machine) and in a proper domain environment and test again? Anyway, I think we need to make the example work first ...

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no rights.)

--------------------
From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
Subject: Re: UserName and Kerberos tokens at the same time
Date: Tue, 6 Dec 2005 21:36:05 +0100
Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements

Yes the demo application is not working at my side as well and I am logged
in as a domain user. I have no problems accessing other network resources.
Actually another strange thing is that the usernametoken example is working
with no problems, I can verify against AD on the server side.

Thanks Henrik

"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:F9K7keZ%23FHA.1236@xxxxxxxxxxxxxxxxxxxxxxxx
> Thanks for your response Henrik,
>
> What makes me feel a bit strange is that the WSE 3.0 Kerberos demo also
> does not work on your side? The built-in example program will pass the
> clientside current logon user's security credential (as kerberos token) to
> serverside... Are you logged on to the computer as a domain user when running the
> client application?
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
> --------------------
> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
> Subject: Re: UserName and Kerberos tokens at the same time
> Date: Fri, 2 Dec 2005 16:05:00 +0100
>
> Hi Steven,
>
> Thanks again.
>
> I think that you are right because I would expect the standard examples to
> work. I have tried it on a Windows 2003 server as well and there I get the
> same error.
>
> My client is a Windows application and I can see that the kerberos token is
> ok, so it is something on the server side. Maybe the IIS is validating
> against a wrong source or something like that.
>
> Do I have to do something special on the server side (IIS, Win3K) ?
>
> Thanks Henrik.
>
>
> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:dGWW$H09FHA.1236@xxxxxxxxxxxxxxxxxxxxxxxx
>> Thanks for your response and further info.
>>
>> I think the problem is likely due to the ASP.NET environment. Is your
>> client application (which calls the webservice) also an asp.net
>> application? The kerberos Security token will try to establish the security
>> token through the current execution context's security credential which must
>> be a domain user account that can be authenticated by KDC (normally just the
>> DC). So for ASP.NET the process identity is probably not a proper account.
>> I would suggest you try the code in a winform client or console
>> application, since in a console or winform app, the current
>> security context is the logon user session (which is likely a domain user
>> ... ) ...
>>
>> Also, you can check the following notes in the WSE documentation (if your
>> webservice is on a machine other than win 2003 server):
>> ====================
>> Kerberos tokens work on computers with Windows Server 2003 or Windows XP
>> with Service Pack 1 installed. When Windows XP is used, the account ASP.NET
>> runs under is ASPNET by default and must be granted the Act as part of the
>> operating system privilege. By default, the ASPNET account does not have
>> this privilege. It is suggested that you run your Kerberos-secured Web
>> services on Windows Server 2003. On Windows Server 2003, the Act as part of
>> the operating system privilege is not required. On Windows XP you can
>> configure the ASPNET account to have the Act as part of the operating
>> system privilege using the Local Security Policy management application,
>> but you should be aware that this affects all ASP.NET applications and
>> results in less security for ASP.NET applications. Windows 2000 is not a
>> supported operating system for this feature.
>>
>> ===================
>>
>> Thanks,
>>
>> Steven Cheng
>> Microsoft Online Support
>>
>> Get Secure! www.microsoft.com/security
>> (This posting is provided "AS IS", with no warranties, and confers no
>> rights.)
>>
>> --------------------
>> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
>> Subject: Re: UserName and Kerberos tokens at the same time
>> Date: Fri, 2 Dec 2005 13:25:57 +0100
>>
>> Extra info:
>>
>> If I run the example Kerberos solution I get a detailed error
>> message:
>>
>> Microsoft.Web.Services3.Security.SecurityFault: An invalid security token
>> was provided ---> System.Security.SecurityException: WSE594:
>> AcceptSecurityContext call failed with the following error message: Logon
>> failure: unknown user name or bad password. . at
>> Microsoft.Web.Services3.Security.Tokens.Kerberos.KerberosServerContext.AcceptContext(Byte[]
>> inToken) at
>>
>> Does that help you in any way?
>>
>> "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
>> news:Osge9Tr9FHA.4036@xxxxxxxxxxxxxxxxxxxxxxx
>>> Hi again Steven,
>>>
>>> Again, thank you very much for looking into this problem for me.
>>>
>>> I just tried to run my test project on a colleague's machine and he gets
>>> the same error. I guess that there is nothing special in our environment,
>>> we have a normal DC. I used to run kerberos authentication in wse for
>>> .NET 1.1 and there it worked fine.
>>>
>>> I have tried to run the two Quickstart examples:
>>> WSSecurityKerberosPolicyService and WSSecurityKerberosCodeService and
>>> there I get the following exception (inner exception of a soap exception)
>>>
>>> "Security requirements are not satisfied because the security header is
>>> not present in the incoming message.".
>>>
>>> But when I run my test project which is using a custom policy I get the
>>> following exception:
>>>
>>> WSE2005: Protection requirements in KerberosAssertion are not satisfied
>>>
>>> I guess that it basically is the same problem I am having with the two
>>> solutions.
>>>
>>> I can see that the Kerberos is being generated and assigned to the proxy.
>>>
>>> I am BTW running the web service on the built-in ASP.NET Development
>>> Server if that has anything to do with the problem? Has it something to do
>>> with impersonation?
>>>
>>> Any ideas??
>>>
>>> Thanks Henrik.
>>>
>>>
>>> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>> news:t5c47rn9FHA.4028@xxxxxxxxxxxxxxxxxxxxxxxx
>>>> Thanks for your followup Henrik,
>>>>
>>>> Then, it seems that the kerberos Token is not quite attached correctly at
>>>> clientside... Have you ensured that the environment is qualified for using
>>>> kerberos authentication, are you in a certain domain environment with a
>>>> KDC (or DC....) ?
>>>>
>>>> Regards,
>>>>
>>>> Steven Cheng
>>>> Microsoft Online Support
>>>>
>>>> Get Secure! www.microsoft.com/security
>>>> (This posting is provided "AS IS", with no warranties, and confers no
>>>> rights.)
>>>>
>>>> --------------------
>>>> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
>>>> Subject: Re: UserName and Kerberos tokens at the same time
>>>> Date: Tue, 29 Nov 2005 20:57:13 +0100
>>>>
>>>> Hi Steven,
>>>>
>>>> Thank you for your reply.
>>>>
>>>> Yes, it works well with the UsernameToken.
>>>>
>>>> I get the same exception without the choiceAssertion. I have changed the
>>>> policy to this:
>>>>
>>>> <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
>>>>   <extensions>
>>>>     <extension name="kerberosSecurity"
>>>>       type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
>>>>     <extension name="requireActionHeader"
>>>>       type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
>>>>   </extensions>
>>>>   <policy name="ServicePolicy">
>>>>     <kerberosSecurity establishSecurityContext="false"
>>>>       renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
>>>>       messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
>>>>       ttlInSeconds="300">
>>>>       <protection>
>>>>         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>>>         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>>>         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
>>>>       </protection>
>>>>     </kerberosSecurity>
>>>>     <requireActionHeader />
>>>>   </policy>
>>>> </policies>
>>>>
>>>> Do I need some signing or encryption? I guess that I don't need it because I
>>>> am running over SSL, but maybe the KerberosAssertion requires it?
>>>>
>>>> Regards
>>>>
>>>> Henrik.
>>>>
>>>> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>>> news:7SHqboN9FHA.4000@xxxxxxxxxxxxxxxxxxxxxxxx
>>>>> Hi Henrik,
>>>>>
>>>>> From the error message, the request message's security header doesn't meet
>>>>> the server policy assertion's requirement. Also this occurs when you are
>>>>> using the Kerberos token at clientside, but works well when you are using
>>>>> UsernameToken, yes? Have you ever tried only using Kerberos token from
>>>>> clientside (without using choiceAssertion) to see whether you can get
>>>>> kerberos token work correctly?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Steven Cheng
>>>>> Microsoft Online Support
>>>>>
>>>>> Get Secure! www.microsoft.com/security
>>>>> (This posting is provided "AS IS", with no warranties, and confers no
>>>>> rights.)
>>>>>
>>>>> --------------------
>>>>> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
>>>>> Subject: Re: UserName and Kerberos tokens at the same time
>>>>> Date: Mon, 28 Nov 2005 21:10:22 +0100
>>>>>
>>>>> Hi Steven,
>>>>>
>>>>> Again thank you very much for your reply. I tried to implement the
>>>>> PolicyChoiceAssertion from the example but now I get an exception when I run
>>>>> with the KerberosAssertion. The code throws the exception when I call
>>>>> HelloWorld in the example below. The PolicyChoiceAssertion is the same as
>>>>> the one from the example.
>>>>>
>>>>> Exception:
>>>>> {"WSE2005: Protection requirements in KerberosAssertion are not
>>>>> satisfied."}
>>>>>
>>>>> It works fine when I run with the UserNameAssertion. My policy looks like
>>>>> this:
>>>>>
>>>>> <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
>>>>>   <extensions>
>>>>>     <extension name="usernameOverTransportSecurity"
>>>>>       type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
>>>>>     <extension name="kerberosSecurity"
>>>>>       type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
>>>>>     <extension name="requireActionHeader"
>>>>>       type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
>>>>>     <extension name="policyChoice"
>>>>>       type="MindKey.License.Assertion.PolicyChoiceAssertion, Service Assertion Library"/>
>>>>>   </extensions>
>>>>>   <policy name="ServicePolicy">
>>>>>     <policyChoice>
>>>>>       <usernameOverTransportSecurity />
>>>>>       <kerberosSecurity establishSecurityContext="false"
>>>>>         renewExpiredSecurityContext="true"
>>>>>         requireSignatureConfirmation="false"
>>>>>         messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
>>>>>         ttlInSeconds="300">
>>>>>         <protection>
>>>>>           <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>>>>           <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
>>>>>           <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
>>>>>         </protection>
>>>>>       </kerberosSecurity>
>>>>>     </policyChoice>
>>>>>     <requireActionHeader />
>>>>>   </policy>
>>>>> </policies>
>>>>>
>>>>> and the code calling using the KerberosAssertion looks like this:
>>>>>
>>>>> TestWS testWS = new TestWS();
>>>>>
>>>>> // Target principal is host/<name of the local machine>
>>>>> KerberosAssertion assertion = new KerberosAssertion();
>>>>> assertion.KerberosTokenProvider = new KerberosTokenProvider("host/" +
>>>>>     System.Net.Dns.GetHostName(), ImpersonationLevel.Identification);
>>>>>
>>>>> // Attach the assertion to the proxy as its policy, then call the service
>>>>> Policy policy = new Policy();
>>>>> policy.Assertions.Add(assertion);
>>>>> testWS.SetPolicy(policy);
>>>>>
>>>>> MessageBox.Show(testWS.HelloWorld());
>>>>>
>>>>>
>>>>> I hope you can help me!
>>>>>
>>>>> Thanks Henrik.
>>>>>
>>>>> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>> news:dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
>>>>>> Hi Henrik,
>>>>>>
>>>>>> As for attaching different kinds of Security Tokens in the client request
>>>>>> and letting the serverside policy access and perform authentication on all
>>>>>> of them (or some of them...), that's certainly possible. However, currently
>>>>>> the built-in WSE 3.0 PolicyAssertions (UsernameOverTransport,
>>>>>> KerberosSecurity... .) only target a single type of security token. So if
>>>>>> you need to have your service utilize a policy which will authenticate
>>>>>> multiple client security tokens (of different types), we should create our
>>>>>> own PolicyAssertion classes. For creating a WSE 3.0 custom Policy
>>>>>> Assertion, you can refer to the
>>>>>>
>>>>>> "Custom Policy Assertions "
>>>>>>
>>>>>> section in the WSE 3.0 Document. And the QuickStart samples also include a
>>>>>> Custom Policy example. Also, the important thing is that we need to define
>>>>>> the proper InputFilters and OutputFilters for our custom PolicyAssertion.
>>>>>> And for a security Policy Assertion, we should make our inputFilter and
>>>>>> outputFilter derived from the "ReceiveSecurityFilter" and
>>>>>> "SendSecurityFilter" classes.
>>>>>>
>>>>>> After we define the custom PolicyAssertion, we can use it programmatically
>>>>>> in code or define it in the Policy file statically.
>>>>>>
>>>>>> Hope helps. Thanks,
>>>>>>
>>>>>> Steven Cheng
>>>>>> Microsoft Online Support
>>>>>>
>>>>>> Get Secure! www.microsoft.com/security
>>>>>> (This posting is provided "AS IS", with no warranties, and confers no
>>>>>> rights.)
>>>>>>
>>>>>> --------------------
>>>>>> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
>>>>>> Subject: Re: UserName and Kerberos tokens at the same time
>>>>>> Date: Thu, 24 Nov 2005 17:29:10 +0100
>>>>>>
>>>>>> Extra comment:
>>>>>>
>>>>>> It should also be a policy.
>>>>>>
>>>>>> "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
>>>>>> news:uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> Hi,
>>>>>>>
>>>>>>> I would like to authorize the user using a Kerberos, a UserName or
>>>>>>> a custom token depending on what I receive from the user.
>>>>>>>
>>>>>>> Is that possible?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Henrik
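
An added example, not part of the thread and not WSE code: a small Python check over a WSE 3.0 policy file like the ones quoted above. It reports assertion elements used directly under `<policy>` that have no matching `<extension>` entry, and lists the signing and encryption each `<protection>` block demands per message direction. The sample policy is constructed from the quoted one (type strings shortened, the `requireActionHeader` extension left out on purpose); treating declared names nested inside an assertion as alternatives of a choice assertion is an assumption.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/wse/2005/06/policy}"

# Constructed sample based on the policyChoice policy quoted in the thread:
# type strings are shortened and the <extension> entry for requireActionHeader
# is left out on purpose so the check has something to report.
SAMPLE_POLICY = """
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameOverTransportSecurity" type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3" />
    <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3" />
    <extension name="policyChoice" type="MindKey.License.Assertion.PolicyChoiceAssertion, Service Assertion Library" />
  </extensions>
  <policy name="ServicePolicy">
    <policyChoice>
      <usernameOverTransportSecurity />
      <kerberosSecurity establishSecurityContext="false" requireDerivedKeys="true" ttlInSeconds="300">
        <protection>
          <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
        </protection>
      </kerberosSecurity>
    </policyChoice>
    <requireActionHeader />
  </policy>
</policies>
"""

def _name(element):
    return element.tag.replace(NS, "")  # element name without the namespace

def _protection(assertion):
    """Per-direction requirements from the assertion's own <protection> child."""
    found = {}
    for message in assertion.findall(f"{NS}protection/*"):
        options = message.get("signatureOptions", "").split(",")
        found[_name(message)] = {"sign": [o.strip() for o in options if o.strip()],
                                 "encrypt": message.get("encryptBody") == "true"}
    return found

def _visit(element, declared, entry, top_level):
    name = _name(element)
    if name not in declared:
        # Directly under <policy> every element is an assertion and needs an
        # <extension> entry; deeper down it is configuration such as <protection>.
        if top_level:
            entry["undeclared"].append(name)
        return
    entry["assertions"].append(name)
    protection = _protection(element)
    if protection:
        entry["protection"][name] = protection
    # Assumption: declared names nested inside an assertion are alternatives
    # of a custom choice assertion such as the thread's policyChoice.
    for child in element:
        _visit(child, declared, entry, False)

def audit_policy(xml_text):
    """Return {policy name: {"assertions", "undeclared", "protection"}}."""
    root = ET.fromstring(xml_text)
    declared = {e.get("name") for e in root.findall(f"{NS}extensions/{NS}extension")}
    report = {}
    for policy in root.findall(f"{NS}policy"):
        entry = {"assertions": [], "undeclared": [], "protection": {}}
        for child in policy:
            _visit(child, declared, entry, True)
        report[policy.get("name")] = entry
    return report

def unencrypted(report):
    """(policy, assertion, direction) triples whose body is not encrypted."""
    return [(p, a, d) for p, entry in report.items()
            for a, directions in entry["protection"].items()
            for d, req in directions.items() if not req["encrypt"]]

if __name__ == "__main__":
    result = audit_policy(SAMPLE_POLICY)
    print(result)
    print("body not encrypted:", unencrypted(result))
```

Run against the service's real policy file, the per-direction list shows what message-level signing and encryption the service expects in addition to any transport security such as SSL.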