September 2005 - Posts

As I mentioned in a previous post, I had a lot of problems last week trying to bind an ADAM principal to AzMan.
I found a way to do that using the AzMan PIA, but unfortunately it is not supported by the AzMan Role provider shipped with ASP.NET 2.0.
There are two available versions of the AzMan PIA, 1.0 and 1.2. The latter was released with Windows Server 2003 SP1 (W2k3 SP1) and contains some improvements over version 1.0.
The only way I found to bind an ADAM principal to AzMan was through the user's SID:

// The ADAM membership provider is configured as the default provider in Web.config,
// so Membership.GetUser returns the ADAM user and ProviderUserKey holds its SID.
using System.Web.Security;
using AZROLESLib; // AzMan primary interop assembly (1.2 shown here)

MembershipUser user = Membership.GetUser("myuser@MyDomain.com");

// Open the AzMan store hosted in ADAM and the application defined in it.
AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
store.Initialize(0, "msldap://localhost:389/CN=AzManADAMStore,CN=Users,DC=MyDomain,DC=Com", null);

IAzApplication2 azApp = store.OpenApplication2("MyApp", null);

// The client context must be built from the SID (ProviderUserKey) rather than the user name,
// because name resolution only works for Windows principals. The option value 1
// (AZ_CLIENT_CONTEXT_SKIP_GROUP) skips Windows group evaluation, which an ADAM SID cannot satisfy.
IAzClientContext context = azApp.InitializeClientContextFromStringSid(user.ProviderUserKey.ToString(), 1, null);

// Roles granted to the user at application scope ("" = no scope), returned as a COM array of role names.
object roles = context.GetRoles("");

Some notes about this code:

1. The ADAM membership provider was configured in the application.
2. The code uses the AzMan PIA directly.
3. The method InitializeClientContextFromStringSid must be used instead of InitializeClientContextFromName. The latter only works for Windows principals, and it is the one used by the AuthorizationStoreRoleProvider class in ASP.NET; that is why that provider only works for Windows principals.
4. A SID is required instead of a user-friendly name (we can get the SID from the ProviderUserKey property).

As far as I know, the only possible solution is to develop a custom Role Provider, which is not a good one because a SID is required instead of a friendly name.
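The custom Role Provider mentioned above, written out as an added example (this is not code from the original post). It hides the SID requirement from the application: the provider resolves the friendly user name to a SID through the configured ADAM membership provider and only then talks to AzMan. It assumes the ADAM membership provider is the default Membership provider, that the AzMan store URL and application name are read from two hypothetical provider attributes, "connectionString" and "applicationName", in Web.config, and that the AzMan 1.2 interop assembly is referenced under the AZROLESLib namespace. Every other RoleProvider member throws, because roles and assignments are administered in the AzMan snap-in, not through ASP.NET.

```csharp
// Added example, not code from the original post: a RoleProvider bridging the ADAM
// membership provider and AzMan by resolving the user's SID via Membership.GetUser.
// Assumptions: ADAM is the default Membership provider; "connectionString" and
// "applicationName" are hypothetical attributes on this provider's <add> element;
// the AzMan 1.2 interop assembly is referenced as AZROLESLib.
using System;
using System.Collections.Specialized;
using System.Configuration.Provider;
using System.Web.Security;
using AZROLESLib;

public class AzManAdamRoleProvider : RoleProvider
{
    private string _storeUrl;   // e.g. msldap://localhost:389/CN=AzManADAMStore,CN=Users,DC=MyDomain,DC=Com
    private string _azAppName;  // name of the AzMan application, e.g. "MyApp"

    public override void Initialize(string name, NameValueCollection config)
    {
        base.Initialize(name, config);
        _storeUrl = config["connectionString"];
        _azAppName = config["applicationName"];
        if (String.IsNullOrEmpty(_storeUrl) || String.IsNullOrEmpty(_azAppName))
            throw new ProviderException("connectionString and applicationName are required.");
    }

    public override string ApplicationName
    {
        get { return _azAppName; }
        set { _azAppName = value; }
    }

    // Builds the AzMan client context from the SID that the ADAM membership
    // provider exposes as ProviderUserKey. Unknown users yield null (fail closed).
    private IAzClientContext CreateContext(string username)
    {
        MembershipUser user = Membership.GetUser(username);
        if (user == null || user.ProviderUserKey == null)
            return null;

        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, _storeUrl, null);
        IAzApplication2 azApp = store.OpenApplication2(_azAppName, null);

        // InitializeClientContextFromName only resolves Windows principals, so the
        // context is created from the SID string. Option 1 (AZ_CLIENT_CONTEXT_SKIP_GROUP)
        // skips Windows group evaluation, which would not apply to an ADAM SID.
        return azApp.InitializeClientContextFromStringSid(
            user.ProviderUserKey.ToString(), 1, null);
    }

    public override string[] GetRolesForUser(string username)
    {
        IAzClientContext context = CreateContext(username);
        if (context == null)
            return new string[0];

        // GetRoles returns a COM SAFEARRAY of role names; copy it into a string[].
        Array raw = (Array)context.GetRoles("");
        string[] roles = new string[raw.Length];
        for (int i = 0; i < raw.Length; i++)
            roles[i] = Convert.ToString(raw.GetValue(i));
        return roles;
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return Array.IndexOf(GetRolesForUser(username), roleName) >= 0;
    }

    // Role administration is done in the AzMan snap-in, not through this provider.
    public override string[] GetAllRoles() { throw new NotSupportedException(); }
    public override bool RoleExists(string roleName) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}
```

The provider is registered like any other role provider, under roleManager/providers in Web.config, with the two assumed attributes on its add element; once it is the default provider, Roles.GetRolesForUser and User.IsInRole work with the friendly name. The store is opened on every call here for clarity; a production version would cache the opened IAzApplication2, since opening the ADAM-hosted store is the expensive part.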

Posted by cibrax | 1 comment(s)
Filed under:

Configuring both products to work together can be a nightmare.
I've spent almost three days trying to configure the AzMan and ADAM membership providers in a normal ASP.NET application, but I couldn't.
I wanted to use ADAM as the user/group repository and AzMan as the authorization repository (to have fine-grained access control and manage roles).
This article from MSDN has helped me a lot to configure both products, but it's a little tricky. It shows how to use ADAM as a repository for the AzMan schema, but not as the authentication server. Instead, it uses a Windows user to get the AzMan roles.

Has anybody configured both products? I would appreciate any help or comments on this.

Posted by cibrax | 1 comment(s)
Filed under:

WSE 2.0 and 3.0 both provide AES128 + RSA 1.5 as the default algorithms for symmetric encryption and key wrap.
However, AES256 + RSA-OAEP are the recommended combination for these purposes, and Indigo will ship with that combination as its default.

In WSE 2.0, these algorithms can be changed by adding some settings to the configuration file:

<microsoft.web.services2>
...
  <security>
  ....
    <binarySecurityTokenManager
      valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
      <sessionKeyAlgorithm name="TripleDES"/>   <!-- add this to switch to TripleDES from the default AES128 -->
      <keyAlgorithm name="RSAOAEP"/>  <!-- add this to switch to RSA-OAEP from the default RSA15 -->
    </binarySecurityTokenManager>
  </security>
...
</microsoft.web.services2>

These settings do not have the same effect in WSE 3.0, because it changed the code used to secure messages. The security assertions
shipped with WSE 3.0 use different tokens to secure messages: they no longer use the X.509 security token directly; instead they use derived tokens.

  • EncryptedKeyToken: usually the token the security assertions use to sign and encrypt messages.
  • DerivedKeyToken: only used when the "DeriveKeys" flag is on.
  • SecurityContextToken: only used in secure conversations (when the "establishSecurityContext" flag is on).

The following configuration shows how to override the default algorithm used by these tokens:

<microsoft.web.services3>
  <security>
    <binarySecurityTokenManager>
      <add
        type="Microsoft.Web.Services3.Security.Tokens.X509SecurityTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
        valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
        <keyAlgorithm name="RSAOAEP"/>
      </add>
    </binarySecurityTokenManager>
    <securityTokenManager>
      <add localName="EncryptedKey"
        type="Microsoft.Web.Services3.Security.Tokens.EncryptedKeyTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
        namespace="http://www.w3.org/2001/04/xmlenc#">
        <keyAlgorithm name="AES256"/>
      </add>
      <add localName="DerivedKeyToken"
        type="Microsoft.Web.Services3.Security.Tokens.DerivedKeyTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
        namespace="http://schemas.xmlsoap.org/ws/2005/02/sc">
        <keyAlgorithm name="AES256"/>
      </add>
      <add localName="SecurityContextToken"
        type="Microsoft.Web.Services3.Security.Tokens.SecurityContextTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
        namespace="http://schemas.xmlsoap.org/ws/2005/02/sc">
        <keyAlgorithm name="AES256"/>
      </add>
    </securityTokenManager>
  </security>
</microsoft.web.services3>
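Because a token manager that lacks a keyAlgorithm element silently falls back to the AES128 / RSA 1.5 defaults described above (RSA 1.5 being PKCS#1 v1.5 key transport, which is why OAEP is preferred), it is worth checking a deployed Web.config rather than assuming the override took effect. The following is an added example, not code from the original post or from WSE: it parses the WSE 3.0 security section, reports the effective algorithm for each X.509 and security token manager, and flags anything that is not AES256 or RSAOAEP. The embedded configuration is constructed for the example and deliberately leaves the EncryptedKey manager without a keyAlgorithm so the default shows up in the report; the default names RSA15 and AES128 are taken from the post.

```csharp
// Added example, not from the original post: audit the WSE 3.0 <security> section
// and report the effective key-wrap and symmetric algorithm per token manager.
using System;
using System.Collections.Generic;
using System.Xml;

public static class WseAlgorithmAudit
{
    // Constructed sample Web.config fragment: the X.509 manager is set to RSAOAEP,
    // EncryptedKey has no <keyAlgorithm> (falls back to AES128), and
    // SecurityContextToken is set to AES256.
    public const string SampleConfig = @"<configuration>
  <microsoft.web.services3>
    <security>
      <binarySecurityTokenManager>
        <add type='Microsoft.Web.Services3.Security.Tokens.X509SecurityTokenManager, Microsoft.Web.Services3'
             valueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'>
          <keyAlgorithm name='RSAOAEP'/>
        </add>
      </binarySecurityTokenManager>
      <securityTokenManager>
        <add localName='EncryptedKey' namespace='http://www.w3.org/2001/04/xmlenc#'
             type='Microsoft.Web.Services3.Security.Tokens.EncryptedKeyTokenManager, Microsoft.Web.Services3' />
        <add localName='SecurityContextToken' namespace='http://schemas.xmlsoap.org/ws/2005/02/sc'
             type='Microsoft.Web.Services3.Security.Tokens.SecurityContextTokenManager, Microsoft.Web.Services3'>
          <keyAlgorithm name='AES256'/>
        </add>
      </securityTokenManager>
    </security>
  </microsoft.web.services3>
</configuration>";

    public class Finding
    {
        public string Manager;     // which token manager the finding refers to
        public string Algorithm;   // effective algorithm (explicit or default)
        public bool Recommended;   // true when it matches the recommended choice
    }

    public static List<Finding> Audit(string configXml)
    {
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(configXml);
        List<Finding> findings = new List<Finding>();

        // Key-wrap algorithm on the X.509 manager: default RSA15, recommended RSAOAEP.
        foreach (XmlElement add in doc.SelectNodes("//microsoft.web.services3/security/binarySecurityTokenManager/add"))
            findings.Add(Check("binarySecurityTokenManager " + add.GetAttribute("valueType"), add, "RSA15", "RSAOAEP"));

        // Symmetric algorithm per token manager: default AES128, recommended AES256.
        foreach (XmlElement add in doc.SelectNodes("//microsoft.web.services3/security/securityTokenManager/add"))
            findings.Add(Check("securityTokenManager " + add.GetAttribute("localName"), add, "AES128", "AES256"));

        return findings;
    }

    // A missing <keyAlgorithm> means the WSE default applies, so report that default.
    private static Finding Check(string manager, XmlElement add, string defaultAlgorithm, string recommended)
    {
        XmlElement keyAlgorithm = add["keyAlgorithm"];
        Finding finding = new Finding();
        finding.Manager = manager;
        finding.Algorithm = keyAlgorithm != null ? keyAlgorithm.GetAttribute("name") : defaultAlgorithm;
        finding.Recommended = (finding.Algorithm == recommended);
        return finding;
    }

    public static void Main()
    {
        foreach (Finding f in Audit(SampleConfig))
            Console.WriteLine("{0,-90} {1,-8} {2}", f.Manager, f.Algorithm,
                f.Recommended ? "ok" : "DEFAULT/NOT RECOMMENDED");
    }
}
```

Run against the sample, the report marks the X.509 manager (RSAOAEP) and SecurityContextToken (AES256) as ok and flags EncryptedKey as AES128, which is exactly the case the configuration above guards against. Pointing Audit at the text of a real Web.config makes the same check part of a deployment review.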

Posted by cibrax | 1 comment(s)
Filed under: