Re: WSE 3.0, SoapReceiver and Kerberos encryption



Hi Brian,

The answer is yes, you can use Kerberos security.
This article on the MSDN describes very well how to configure Kerberos for a
web service (it also describes what an SPN is and how to configure it).

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch7_KerbTechSupp.asp

Let me know if you continue having problems after reading that article.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

"Brian Lenway" <ReplyToGroup@xxxxxxxxxxxxxx> wrote in message
news:%23KRv2o0XGHA.752@xxxxxxxxxxxxxxxxxxxxxxx
I have written a web service which I am hosting in a Windows service using
a SoapReceiver. I have this working and can call the web service from a
client. The client is running as a domain user and the service is running
as a different user on the same domain. Both the client and service are
.NET 2.0 assemblies and are using WSE 3.0. Currently the client and the
service are both running on the same Windows XP machine. The 2 are
communicating over TCP port 3844 (the port number was picked arbitrarily).

Now I am trying to add Kerberos encryption to the messages. I have added
policies to both the client and the service that signs and encrypts the
messages. I have also added the references to the policies from both the
client and the service (the wse3policycache.config files are at the end of
this post). Now when I attempt to call the web service I get an error.
The error in the web service's input trace file is: "Exception thrown: An
invalid security token was provided". The web service's output trace file
has the error: "WSE594: AcceptSecurityContext call failed with the
following error message: Logon failure: unknown user name or bad
password."

This MSDN page
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wse/html/486588ab-b08d-4374-9390-3985c1df08e5.asp)
seems to indicate that I need to use SetSpn.exe to create a service
principal name. I guess I also have to use a different format for
"targetPrincipal" than HOST/MachineName. What I don't understand is what
format I should be using.

I'm hoping that somebody can tell me that yes, you can add Kerberos
encryption to the messages when using a SoapReceiver. I am also hoping
somebody can give a clue as to how to do that. Hopefully I have provided
adequate information. I am more than happy to provide more info, but I
figured any more info at this point may muddy things up (and nobody will
want to read it).

Thanks.
Brian Lenway
----------------------------
On the client I have this for the policy file:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="kerberosSecurity"
               type="Microsoft.Web.Services3.Design.KerberosAssertion,
                     Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
                     PublicKeyToken=31bf3856ad364e35" />
    <extension name="kerberos"
               type="Microsoft.Web.Services3.Design.KerberosTokenProvider,
                     Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
                     PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
                     Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
                     PublicKeyToken=31bf3856ad364e35" />
    <extension name="mutualCertificate11Security"
               type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion,
                     Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
                     PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509"
               type="Microsoft.Web.Services3.Design.X509TokenProvider,
                     Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
                     PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="EncryptedMessage">
    <kerberosSecurity establishSecurityContext="false"
                      renewExpiredSecurityContext="true"
                      requireSignatureConfirmation="false"
                      messageProtectionOrder="SignBeforeEncrypt"
                      requireDerivedKeys="false"
                      ttlInSeconds="300">
      <token>
        <kerberos targetPrincipal="HOST/ServiceMachineName"
                  impersonationLevel="Impersonation" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                 encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                  encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
               encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>

----------------------------
For the service I have:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="authorization"
               type="Microsoft.Web.Services3.Design.AuthorizationAssertion,
                     Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
                     PublicKeyToken=31bf3856ad364e35" />
    <extension name="kerberosSecurity"
               type="Microsoft.Web.Services3.Design.KerberosAssertion,
                     Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
                     PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
                     Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
                     PublicKeyToken=31bf3856ad364e35" />
    <extension name="mutualCertificate11Security"
               type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion,
                     Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
                     PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509"
               type="Microsoft.Web.Services3.Design.X509TokenProvider,
                     Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
                     PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="EncryptedMessage">
    <authorization>
      <allow role="DOMAIN\Users" />
      <deny user="*" />
    </authorization>
    <kerberosSecurity establishSecurityContext="false"
                      renewExpiredSecurityContext="true"
                      requireSignatureConfirmation="false"
                      messageProtectionOrder="SignBeforeEncrypt"
                      requireDerivedKeys="true"
                      ttlInSeconds="300">
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                 encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                  encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
               encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>
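Two things a reader can check before touching SPNs, as an added example that is not part of either post and not WSE code: the two policy files quoted above differ on requireDerivedKeys (client "false", service "true"), and the client's targetPrincipal is HOST/ServiceMachineName while the service process runs as a separate domain user. In Kerberos, a HOST/ SPN is registered on the computer account, so the KDC encrypts the service ticket with the machine's key; a process running under another account cannot decrypt that ticket, which surfaces on the receiver as an AcceptSecurityContext logon failure. The script below parses both wse3policyCache.config documents and reports such mismatches. The attribute list it compares, the `service_runs_as_machine` flag and the reduced sample documents are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# WSE 3.0 policy files put every element in this namespace; ElementTree
# exposes it as a "{uri}" prefix on each tag.
WSE_NS = "{http://schemas.microsoft.com/wse/2005/06/policy}"

# <kerberosSecurity> attributes this linter expects to agree on the client
# and service side (an assumption of this example, not a list published
# by WSE).
PAIRED_ATTRS = (
    "establishSecurityContext",
    "requireSignatureConfirmation",
    "messageProtectionOrder",
    "requireDerivedKeys",
)


def kerberos_settings(policy_xml, policy_name):
    """Return (attributes of <kerberosSecurity>, targetPrincipal or None)
    for the named <policy> in one wse3policyCache.config document."""
    root = ET.fromstring(policy_xml)
    for policy in root.iter(WSE_NS + "policy"):
        if policy.get("name") != policy_name:
            continue
        ks = policy.find(WSE_NS + "kerberosSecurity")
        if ks is None:
            raise ValueError(f"policy {policy_name!r} has no <kerberosSecurity> assertion")
        tok = ks.find(WSE_NS + "token/" + WSE_NS + "kerberos")
        target = tok.get("targetPrincipal") if tok is not None else None
        return dict(ks.attrib), target
    raise ValueError(f"policy {policy_name!r} not found")


def lint_policies(client_xml, service_xml, policy_name, service_runs_as_machine):
    """Compare a client and a service policy and return a list of findings.

    service_runs_as_machine: True when the SoapReceiver host runs as the
    computer account (LocalSystem / NetworkService), False for a domain user.
    """
    findings = []
    c_attrs, target = kerberos_settings(client_xml, policy_name)
    s_attrs, _ = kerberos_settings(service_xml, policy_name)
    for name in PAIRED_ATTRS:
        cv, sv = c_attrs.get(name), s_attrs.get(name)
        if cv != sv:
            findings.append(f"{name}: client={cv!r} service={sv!r}")
    if target is None:
        findings.append("client policy has no <kerberos targetPrincipal=...> token")
    elif target.upper().startswith("HOST/") and not service_runs_as_machine:
        # HOST/<machine> belongs to the computer account, so the service
        # ticket is encrypted with the machine's key and a process running
        # as another domain user cannot accept it.
        findings.append(
            f"targetPrincipal {target!r} resolves to the computer account but the "
            "service runs as a domain user; register an SPN on that account "
            "(setspn) and use it as targetPrincipal")
    return findings


# Constructed sample documents, reduced to the assertion that matters and
# carrying the attribute values from the two files quoted in the thread.
CLIENT_POLICY = """<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <policy name="EncryptedMessage">
    <kerberosSecurity establishSecurityContext="false"
        renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
        messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false"
        ttlInSeconds="300">
      <token>
        <kerberos targetPrincipal="HOST/ServiceMachineName"
                  impersonationLevel="Impersonation" />
      </token>
    </kerberosSecurity>
  </policy>
</policies>"""

SERVICE_POLICY = """<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <policy name="EncryptedMessage">
    <kerberosSecurity establishSecurityContext="false"
        renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
        messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
        ttlInSeconds="300" />
  </policy>
</policies>"""

if __name__ == "__main__":
    for finding in lint_policies(CLIENT_POLICY, SERVICE_POLICY,
                                 "EncryptedMessage", service_runs_as_machine=False):
        print("-", finding)
```

Run against real files, replace the two sample strings with the contents of each side's wse3policyCache.config; an empty result means the kerberosSecurity assertions agree and the target principal is at least plausible for the account the receiver runs under, which is the point at which the SPN registration described in the linked MSDN article is worth checking with setspn.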
