Re: hashed password and UsernameTokenManager

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 Hi Phil,
\par
\par I agree with Pablo, the "AuthenticateToken" method of the custom UsernameTokenManager require us to return the correct CLEAR TEXT password... (so that the runtime will use it for sequential decrypting or sigining....) So in other words, this is usually used when the account database is a custom storage ( a relational database table....) or in xml file.... And it's not usable for windows security authority since no clear text password is available...
\par
\par Please feel free to post here if there're anything else unclear.
\par
\par Regards,
\par
\par Steven Cheng
\par Microsoft Online Support
\par
\par Get Secure! www.microsoft.com/security
\par (This posting is provided "AS IS", with no warranties, and confers no rights.)
\par \pard\li720 --------------------
\par From: "Pablo Cibraro" <pcibraro@xxxxxxxxxxx>
\par References: <Or4PeYGEGHA.1508@xxxxxxxxxxxxxxxxxxxx>
\par Subject: Re: hashed password and UsernameTokenManager
\par Date: Tue, 3 Jan 2006 17:02:40 -0300
\par Lines: 44
\par X-Priority: 3
\par X-MSMail-Priority: Normal
\par X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
\par X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
\par X-RFC2646: Format=Flowed; Response
\par Message-ID: <O$CZhCKEGHA.1028@xxxxxxxxxxxxxxxxxxxx>
\par Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
\par NNTP-Posting-Host: 200.123.99.98
\par Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
\par Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:8027
\par X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
\par
\par Hi Phil,
\par You have to return the original password. You will have to get it from
\par somewhere, e.g. a database.
\par WSE computes a hash with the password that you returns and then compares
\par that hash with the Usernametoken's hash.
\par
\par Regards,
\par Pablo Cibraro
\par http://weblogs.asp.net/cibrax
\par http://www.lagash.com
\par
\par "Phil Lee" <phil.lee@xxxxxxxxxxxxxxxxx> wrote in message
\par news:Or4PeYGEGHA.1508@xxxxxxxxxxxxxxxxxxxxxxx
\par > Hi,
\par >
\par > I'm using WSE3 username/password over certificate - I can implement my own
\par > (test) UsernameTokenManager like this:
\par >
\par > public class MyUsernameTokenManager : UsernameTokenManager
\par > \{
\par > ...
\par >
\par > protected override string AuthenticateToken( UsernameToken token,
\par > string authenticatedPassword )
\par > \{
\par > // for clear text passwords
\par > return token.Password; // This is just for test purposes
\par >
\par >
\par > \}
\par > \}
\par >
\par > This works fine.
\par >
\par > If however I want to send hashed passwords using
\par > PasswordOption.SendHashed, what do I need to return from
\par > AuthenticateToken?
\par > Returning token.PasswordDigest.ToString() doesn't work.
\par >
\par > Regards
\par > Phil Lee
\par >
\par
\par
\par \pard
\par
\par }