Archives

Archives / 2005 / December
  • Still book writing....

    It's 12.30am, the family is asleep, it's now December 31st, the last day of the year, and I am still slogging away writing a chapter on our "Beginning AJAX Programming in ASP.NET" book. I need to get this chapter in soon and my eyes feel like they are bleeding.


  • ASP.NET Podcast #31 - I do a talk on WSE3 (and Merry Xmas)

    Another podcast out the door! This is a pre-Christmas show and may be (depending on time) the last one for the year.

    In this show I talk about Web Services Enhancements 3.0 (WSE3) and list out some tips and techniques that I have used to overcome issues when using some of the turnkey policies in WSE3. You can choose to subscribe (I hear rumours that subscribing to this podcast is so good that it can also assist in growing back severed limbs...) or you can download directly.

    Don't forget to check out the ASP.NET Podcast site here ( http://aspnetpodcast.com ). Show notes for this show are below:

    - Many thanks to all our listeners
    - Merry Xmas
    - A very quick look at 2005
    - The ASP.NET AJAX book (yes....again)

    - Tech Talk on Web Service Enhancements 3 (WSE3)
    -- Security implementation guidance doc recently released
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wssp.asp
    -- Service Principal Name (SPN) instructions

    Grab the SETSPN.EXE tool from the Windows resource kit / support tools. The -A switch adds an SPN to the account the service runs under (HTTP/ for a web service whose application pool runs as a domain account). Two accounts holding the same SPN breaks Kerberos for both, and the computer account already holds HOST/{machine} and HOST/{machine}.domain.com, so list what is registered first with SETSPN -L and only add the HOST/ entries to a user account if that account really is the one the service runs as.
    >> SETSPN -A {principalName} {accountName}
    >> setspn -A HOST/{machine} DOMAIN\account
    >> setspn -A HOST/{machine}.domain.com DOMAIN\account
    >> setspn -A HTTP/{machine} DOMAIN\account
    >> setspn -A HTTP/{machine}.domain.com DOMAIN\account

    eg.
    SETSPN -A HOST/mypc MYDOMAIN\fred
    SETSPN -A HOST/mypc.MyDomain.com MYDOMAIN\fred
    SETSPN -A HTTP/mypc MYDOMAIN\fred
    SETSPN -A HTTP/mypc.MyDomain.com MYDOMAIN\fred
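    Before adding an SPN it is worth confirming that nobody else already holds it, because two accounts carrying the same SPN is the usual reason Kerberos quietly stops working for that machine. The following is an added example (not code from the post or from WSE3): a small C# console tool that searches the domain for every account whose servicePrincipalName attribute contains the SPNs given on the command line. It assumes a domain-joined machine and a caller allowed to read the directory; the class and method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example: find which accounts already hold a given SPN before running SETSPN -A.
// Assumes a domain-joined machine and a caller permitted to read the directory.
static class SpnCheck
{
    // Returns the sAMAccountName of every account (user or computer) whose
    // servicePrincipalName attribute contains 'spn'. 0 = free, 1 = owned, 2+ = duplicate.
    public static List<string> FindAccountsWithSpn(string spn)
    {
        List<string> owners = new List<string>();
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            // defaultNamingContext is the distinguished name of the domain we are joined to.
            string domainDn = (string)rootDse.Properties["defaultNamingContext"].Value;
            using (DirectoryEntry domain = new DirectoryEntry("LDAP://" + domainDn))
            using (DirectorySearcher searcher = new DirectorySearcher(domain))
            {
                searcher.Filter = "(servicePrincipalName=" + EscapeLdapFilter(spn) + ")";
                searcher.PropertiesToLoad.Add("sAMAccountName");
                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult result in results)
                    {
                        owners.Add((string)result.Properties["sAMAccountName"][0]);
                    }
                }
            }
        }
        return owners;
    }

    // RFC 4515 escaping so an odd SPN cannot turn into a wildcard or a broken filter.
    static string EscapeLdapFilter(string value)
    {
        return value.Replace("\\", "\\5c")
                    .Replace("*", "\\2a")
                    .Replace("(", "\\28")
                    .Replace(")", "\\29")
                    .Replace("\0", "\\00");
    }

    // Usage: SpnCheck.exe HTTP/mypc HTTP/mypc.MyDomain.com
    // Exit code 1 if any SPN is held by more than one account.
    static int Main(string[] args)
    {
        int duplicates = 0;
        foreach (string spn in args)
        {
            List<string> owners = FindAccountsWithSpn(spn);
            if (owners.Count == 0)
                Console.WriteLine("{0}: not registered, safe to add", spn);
            else if (owners.Count == 1)
                Console.WriteLine("{0}: registered to {1}", spn, owners[0]);
            else
            {
                duplicates++;
                Console.WriteLine("{0}: DUPLICATE, held by {1}", spn, string.Join(", ", owners.ToArray()));
            }
        }
        return duplicates == 0 ? 0 : 1;
    }
}
```

    Run it with the exact SPN strings you intend to pass to SETSPN; a computer account shows up with a trailing "$" in its sAMAccountName, which is the expected owner of the HOST/ entries.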


    Client Code for WSE3
    - UsernameForCertificate

    using Microsoft.Web.Services3.Security.Tokens;

    MyWSE3ServiceProxy svc = new MyWSE3ServiceProxy();
    UsernameToken tok;
    // If the password is sent in plain text, the default UsernameTokenManager
    // authenticates it against Active Directory / the local machine automatically.
    // Plain text is acceptable here only because the usernameForCertificate policy
    // encrypts the token with the service's X.509 certificate. If you switch to
    // PasswordOption.SendHashed, the service needs a custom UsernameTokenManager
    // that can supply the user's password so WSE can verify the digest.
    tok = new UsernameToken("username", "password", PasswordOption.SendPlainText);
    svc.SetClientCredential<UsernameToken>(tok);

    - Kerberos
    To set the target principal in code use:

    // Note: Dns.GetHostName() is the client's own host name, so this yields the right
    // SPN only when the client and the service run on the same machine. For a remote
    // service, build the name from the service's host (e.g. the host in the proxy Url).
    string targetPrincipalName = "HTTP/" + System.Net.Dns.GetHostEntry(System.Net.Dns.GetHostName()).HostName;
    KerberosToken kerbTok = new KerberosToken(targetPrincipalName);

    and via the wse3policyCache.config file use the following. Note that targetPrincipal here is host/MYPC, the computer account's SPN, which is correct when the service runs as NETWORK SERVICE or LocalSystem; the HTTP/ form used in the code above is for a service running under a domain account that has HTTP/{machine} registered to it. Whichever you pick must agree with how the service is actually running, and impersonationLevel="Impersonation" is only needed if the service has to act as the caller rather than merely identify it:

        <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
          <token>
            <kerberos targetPrincipal="host/MYPC" impersonationLevel="Impersonation" />
          </token>
          <protection>
            <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
          </protection>
        </kerberosSecurity>
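    The Kerberos snippet above derives the target principal from the client's own host name, which only matches the service when both sit on the same box. The following is an added example (not code from the post or from WSE3) that builds the SPN from the host named in the proxy's Url instead, attaches the token and applies the client policy. MyWSE3ServiceProxy is the placeholder proxy class used in the post; the policy name "ClientKerberosPolicy" is an assumed entry in wse3policyCache.config.

```csharp
using System;
using System.Net;
using Microsoft.Web.Services3.Security.Tokens;

// Added example: derive the Kerberos target principal from the service URL
// rather than from the client's own host name, then attach the token.
// MyWSE3ServiceProxy is the placeholder proxy class from the post; the policy
// name "ClientKerberosPolicy" is assumed to exist in wse3policyCache.config.
static class KerberosClient
{
    // Builds "<serviceClass>/<fqdn>" for the host named in the URL. The result must
    // match an SPN registered to the account the service runs as: HTTP/<fqdn> for an
    // application pool running as a domain account, host/<machine> (the computer
    // account) when it runs as NETWORK SERVICE or LocalSystem.
    public static string TargetPrincipalFor(Uri serviceUrl, string serviceClass)
    {
        // Canonicalise short names and IP literals to the FQDN the SPN was registered with.
        string fqdn = Dns.GetHostEntry(serviceUrl.Host).HostName;
        return serviceClass + "/" + fqdn;
    }

    public static MyWSE3ServiceProxy CreateProxy()
    {
        MyWSE3ServiceProxy svc = new MyWSE3ServiceProxy();
        string spn = TargetPrincipalFor(new Uri(svc.Url), "HTTP");

        // The service ticket for this SPN is requested from the KDC on the first call,
        // so a wrong SPN does not surface until the proxy is actually used.
        KerberosToken kerbTok = new KerberosToken(spn);
        svc.SetClientCredential<KerberosToken>(kerbTok);
        svc.SetPolicy("ClientKerberosPolicy");
        return svc;
    }
}
```

    If the service runs as NETWORK SERVICE, call TargetPrincipalFor with "host" instead of "HTTP" so the client asks for a ticket to the computer account, matching the host/MYPC form in the policy file.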


  • WSE3 and "Username over Certificate" turnkey policy

    I have been doing a bit of work with Web Services Enhancements V3 and its various turnkey security policies lately. WSE3 simplifies policy configuration through these "turnkey policies". WSE 2.0 supported WS-Policy as best it could, given that the standard was still incomplete. WSE3 takes a different approach: it does not really offer WS-Policy support, but instead directly supports a set of turnkey scenarios, each a ready-made implementation of one of the more popular WS-Policy configurations. Think of them as pre-packaged WS-Policy solutions.
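    The client snippet under "Client Code for WSE3 - UsernameForCertificate" in the podcast notes above sends the password in plain text and relies on the default token manager validating it against Windows. The following is an added example (not code from either post or from WSE3) showing the other half of that turnkey policy: a service-side UsernameTokenManager that keeps the default Windows validation for plain-text tokens but also supports PasswordOption.SendHashed by supplying the password it holds so WSE can verify the digest, plus the matching client call. The class names, the assembly name "MyService", the policy name "ClientUsernameForCert" and the in-memory credential store are all constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Web.Services3.Security.Tokens;

// Added example: service-side UsernameTokenManager for the usernameForCertificate policy.
// Registered in web.config (assembly name assumed):
//   <microsoft.web.services3>
//     <security>
//       <securityTokenManager type="HashedPasswordTokenManager, MyService"
//         namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
//         localName="UsernameToken" />
//     </security>
//   </microsoft.web.services3>
public class HashedPasswordTokenManager : UsernameTokenManager
{
    // Stand-in credential store, constructed for the example. A real service would
    // look the password up in a store it controls; that lookup is what makes
    // SendHashed possible, because WSE needs the password to recompute the digest.
    private static readonly Dictionary<string, string> Passwords = new Dictionary<string, string>();

    static HashedPasswordTokenManager()
    {
        Passwords["username"] = "password";
    }

    // WSE calls this for every incoming UsernameToken and checks the token against
    // the password returned. Returning null fails authentication.
    protected override string AuthenticateToken(UsernameToken token)
    {
        if (token == null)
            throw new ArgumentNullException("token");

        if (token.PasswordOption == PasswordOption.SendPlainText)
        {
            // Plain text: defer to the default behaviour described in the podcast notes,
            // i.e. WSE authenticates the user against Active Directory / the local machine.
            return base.AuthenticateToken(token);
        }

        // Hashed: supply the password we hold for this user so WSE can verify the digest.
        string password;
        return Passwords.TryGetValue(token.Username, out password) ? password : null;
    }
}

// Client half: same proxy as the post, but the password is sent as a digest.
static class UsernameForCertificateClient
{
    public static MyWSE3ServiceProxy CreateProxy(string user, string password)
    {
        MyWSE3ServiceProxy svc = new MyWSE3ServiceProxy();
        UsernameToken tok = new UsernameToken(user, password, PasswordOption.SendHashed);
        svc.SetClientCredential<UsernameToken>(tok);
        // Policy name assumed. It must be a usernameForCertificateSecurity policy, whose
        // <serviceToken> names the service's X.509 certificate; that certificate is what
        // encrypts the token and the body on the wire.
        svc.SetPolicy("ClientUsernameForCert");
        return svc;
    }
}
```

    The trade-off is explicit in the override: plain text lets Windows do the validation and never requires the service to hold passwords, whereas the hashed option keeps the password out of the SOAP header but obliges the service to be able to produce it.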
