tags:

views:

525

answers:

1
+1  Q: 

Configure WCF Client to Use Web Services Security Kerberos Token Profile 1.1

Morning,

Does anyone know how to configure WCF (any binding type, we are currently using WSHttpBinding but am happy to move to a CustomBinding or alternative if necessary) to use

Web Services Security Kerberos Token Profile 1.1

the details of which can be found here:

http://www.oasis-open.org/committees/download.php/16788/wss-v1.1-spec-os-KerberosTokenProfile.pdf

In particular I would like to know how to include the Security BinarySecurityToken and the SecurityTokenReference sections in the SOAP header. Example (taken from the above document)below:

<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="...">
  <S11:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss225 kerberos-token-profile-1.1#Kerberosv5_AP_REQ" wsu:Id="MyToken">
        boIBxDCCAcCgAwIBBaEDAgEOogcD...
      </wsse:BinarySecurityToken>
      ...
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#MyToken" ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-token232 profile-1.1#Kerberosv5_AP_REQ" >
        </wsse:Reference>
      </wsse:SecurityTokenReference>
      ...
    </wsse:Security>
  </S11:Header>
  <S11:Body>
  ...
  </S11:Body>
</S11:Envelope>

Thanks in advance, Paul.

+1  A: 

Straight from the MSDN documentation:

<wsHttpBinding>
    <binding name="MyBinding">
        <security mode="Message>
            <message   
                clientCredentialType="Windows"
                negotiateServiceCredential="false"
                establishSecurityContext="false"/>
        </security>
    </binding>
</wsHttpBinding>
Drew Marsh  2009-10-27 22:28:16
That doesnt seem to work. We end up with a RequestSecurityToken in the SOAP body. Its structure doesnt look like the specification.
Paul  2009-10-27 23:10:44
And you're using that binding configuration verbatim and nothing else?
Drew Marsh  2009-10-27 23:14:02
No. We are using https, so the mode we have set to TransportWithMessageCredential. We have some timeouts set and some readerQuotas but nothing that I would expect would interfere with the inclusion of the Kerberos token.
Paul  2009-10-28 00:17:31
In all honesty I've never used kerberos tokens, only SAML tokens. Check out this MSDN documentation on how negotiateServiceCredential impacts the use of the Kerberos token profile: http://msdn.microsoft.com/en-us/library/system.servicemodel.messagesecurityoverhttp.negotiateservicecredential.aspx
Drew Marsh  2009-10-28 01:36:11

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security