Re: UsernameTokenManager.AuthenticateUser



Hi Phil,
That happens because you are using secure session.
When you enable this feature, WSE only authenticates the client the first
time and then it creates a SecurityContextToken that contains in some way the
UsernameToken.
This feature improves the performance for successive calls since the
authentication and the key interchange are done once.
You have two ways to clear the cache but you shouldn't be worried about it:

1. Create a new instance of the proxy class and assign the UsernameToken as
client token. The SecurityContextToken is only valid per proxy class.
2. Cancel the SecurityContextToken:

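    // Get the secure conversation state stored in the proxy's session state.
    SecureConversationCorrelationState correlationState =
        serviceProxy.ResponseSoapContext.SessionState.Get<SecureConversationCorrelationState>("");
    SecurityContextToken sct = correlationState.Token as SecurityContextToken;

    // Cancel the token that caches the authentication.
    sct.Cancel();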

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
http://www.lagash.com

"Phil Lee" <phil.lee@xxxxxxxxxxxxxxxxx> wrote in message
news:OKW6p$TFGHA.3384@xxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> when I implement UsernameTokenManager.AuthenticateUser it never seems to
> be called again after successfully authenticating a client.
>
> I'm currently using username over certificate with secure session. I can
> see that there's a 'ttlInSeconds=300' in the policy cache but changing
> this to a small value has no effect.
> Also calling SetClientCredential from the client with a new UsernameToken
> (different username/password) doesn't cause a re-authentication. Even
> creating a new proxy in the client doesn't seem to cause a
> re-authentication. Only restarting the client app causes a new
> authentication.
>
> I assume this is by design and that the authentication is being cached.
> Is there a way to clear the cache? And should I be worried anyway?
>
> Regards
> Phil Lee
>

