ASP.NET Podcast Show #31 - Paul on WSE3 - Wallace B. McClure

ASPNETPodcast.com site.

Subscribe - The Wally Way to do things.  Cool.  Hip.  Get iTunes or iPodder.

Download - The Not-Wally Way to do things.  Uncool.  Boring.

Show Notes

- Many thanks to all our listeners
- Merry Xmas
- A very quick look at 2005
- The ASP.NET AJAX book (yes....again)

- Tech Talk on Web Service Enhancements 3 (WSE3)
-- Security implementation guidance doc recently released http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wssp.asp
-- Service Principal Name (SPN) registration instructions for the service account

Grab the SETSPN.EXE tool from the Windows Resource Kit tools (on Windows Server 2008 and later it ships with the OS). SETSPN needs a switch: -A adds an SPN, -S adds it only if no other account already holds it (2008 and later), -L lists an account's SPNs, -D deletes one, -Q asks which account holds a given SPN.
>> SETSPN -A {principalName} {accountName}
>> setspn -A HTTP/{machine} DOMAIN\account
>> setspn -A HTTP/{machine}.domain.com DOMAIN\account

HOST/{machine} and HOST/{machine}.domain.com are registered on the computer account automatically when the machine joins the domain, and the KDC treats HOST as covering HTTP. So a web service running as Local System or Network Service needs nothing registered, while one running as a domain account needs the two HTTP SPNs on that account and must not also get the HOST SPNs: a second account holding HOST/{machine} is a duplicate SPN, the KDC may then encrypt the service ticket to the wrong account's key, and the service cannot decrypt it (the client logs Kerberos event 4, KRB_AP_ERR_MODIFIED, naming the SPN it asked for).

eg. (application pool running as MYDOMAIN\fred)
SETSPN -A HTTP/mypc MYDOMAIN\fred
SETSPN -A HTTP/mypc.MyDomain.com MYDOMAIN\fred
SETSPN -L MYDOMAIN\fred
SETSPN -Q HTTP/mypc
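As an added example (not from the podcast, and not part of WSE3 or SETSPN), here is the same registration done from C# with System.DirectoryServices, refusing to create a duplicate the way setspn -S does and then listing which account holds each SPN. The account fred, host mypc and domain MyDomain.com are the hypothetical values from the notes above; the code must run as a user who may write servicePrincipalName on the target account.

```csharp
// Added example, not from the podcast or WSE3: register HTTP SPNs for an
// application-pool account after checking that no other account already holds them.
// Assumes a reference to System.DirectoryServices.dll and a domain-joined machine;
// account, host and domain names below are hypothetical.
using System;
using System.Collections.Generic;
using System.DirectoryServices;

static class SpnRegistrar
{
    // Binds to the root of the current domain via the domain locator.
    static DirectoryEntry DomainRoot()
    {
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            return new DirectoryEntry("LDAP://" + rootDse.Properties["defaultNamingContext"].Value);
        }
    }

    // Returns the sAMAccountName of every object in the domain that carries this SPN.
    // Any holder other than the account you are about to add it to is a duplicate,
    // which makes Kerberos fail with KRB_AP_ERR_MODIFIED because the KDC may
    // encrypt the service ticket to the wrong account's key.
    static List<string> FindHolders(string spn)
    {
        List<string> holders = new List<string>();
        using (DirectoryEntry domain = DomainRoot())
        using (DirectorySearcher searcher = new DirectorySearcher(domain))
        {
            // SPNs contain only letters, digits, '/', '.', ':' and '-'; a value taken
            // from user input would need LDAP filter escaping before use here.
            searcher.Filter = "(servicePrincipalName=" + spn + ")";
            searcher.PropertiesToLoad.Add("sAMAccountName");
            using (SearchResultCollection hits = searcher.FindAll())
            {
                foreach (SearchResult hit in hits)
                    holders.Add((string)hit.Properties["sAMAccountName"][0]);
            }
        }
        return holders;
    }

    // Adds HTTP/{host} and HTTP/{host}.{domain} to the account, like "setspn -S".
    static void Register(string accountSam, string hostName, string dnsDomain)
    {
        string[] spns = { "HTTP/" + hostName, "HTTP/" + hostName + "." + dnsDomain };

        foreach (string spn in spns)
            foreach (string holder in FindHolders(spn))
                if (!string.Equals(holder, accountSam, StringComparison.OrdinalIgnoreCase))
                    throw new InvalidOperationException(spn + " is already registered on " + holder);

        using (DirectoryEntry domain = DomainRoot())
        using (DirectorySearcher searcher = new DirectorySearcher(domain, "(sAMAccountName=" + accountSam + ")"))
        {
            SearchResult account = searcher.FindOne();
            if (account == null)
                throw new ArgumentException("no account named " + accountSam);
            using (DirectoryEntry entry = account.GetDirectoryEntry())
            {
                foreach (string spn in spns)
                    if (!entry.Properties["servicePrincipalName"].Contains(spn))
                        entry.Properties["servicePrincipalName"].Add(spn);
                entry.CommitChanges();
            }
        }
    }

    static void Main()
    {
        // Hypothetical: the WSE3 service's application pool runs as MYDOMAIN\fred on mypc.
        Register("fred", "mypc", "MyDomain.com");
        foreach (string spn in new string[] { "HTTP/mypc", "HTTP/mypc.MyDomain.com" })
            Console.WriteLine(spn + " -> " + string.Join(", ", FindHolders(spn).ToArray()));
    }
}
```

The HOST SPNs are deliberately left alone: they already belong to the computer account, and the check in Register would (correctly) refuse to copy them onto fred.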


Client Code for WSE3
- UsernameForCertificate

using Microsoft.Web.Services3.Security.Tokens;

MyWSE3ServiceProxy svc = new MyWSE3ServiceProxy();
UsernameToken tok;
// If the user token is sent in plain text, then the TokenManager will try and
// authenticate against the ActiveDir/LocalMachine automatically. (SendHashed or
// SendNone need a custom UsernameTokenManager that can look up the password.)
tok = new UsernameToken("username", "password", PasswordOption.SendPlainText);
svc.SetClientCredential<UsernameToken>(tok);
// Policy entry in wse3policyCache.config carrying the usernameForCertificateSecurity
// assertion; it encrypts the token to the service's X.509 certificate, which is the
// only reason SendPlainText is acceptable on the wire.
svc.SetPolicy("usernameForCertificate");

-Kerberos
To set the target principal in code, build the SPN from the service's host name, not the client's (System.Net.Dns.GetHostName() returns the client machine, which only matches when client and service run on the same box):

string serviceHost = System.Net.Dns.GetHostEntry(new Uri(svc.Url).Host).HostName;
string targetPrincipalName = "HTTP/" + serviceHost;
KerberosToken kerbTok = new KerberosToken(targetPrincipalName);
svc.SetClientCredential<KerberosToken>(kerbTok);

and via the wse3policycache.config file use the following. targetPrincipal must be an SPN registered on the account the service runs as: the code above asks for HTTP/, so use HTTP/ here too. host/MYPC resolves to the computer account and is only right when the service runs as Local System or Network Service.
    <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
      <token>
        <kerberos targetPrincipal="HTTP/MYPC" impersonationLevel="Impersonation" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
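As an added example tying the code and config halves together (this is not from the podcast and not WSE3's own sample code), here is a complete Kerberos client that derives the SPN from the URL it actually calls, chooses the impersonation level explicitly, applies the policy, and reports the requested SPN when the call fails so it can be compared against what SETSPN registered. It assumes Microsoft.Web.Services3.dll, a WSE3-generated proxy class named MyWSE3ServiceProxy with a HelloWorld operation, a service URL, and a policy named kerberosSecurity; all of those names are hypothetical, as is the assumption that a token supplied in code is used in place of the one the policy's targetPrincipal would create.

```csharp
// Added example, not from the podcast or WSE3: a Kerberos client that requests a
// ticket for the service it calls. Assumes Microsoft.Web.Services3.dll and a proxy
// class MyWSE3ServiceProxy (hypothetical) generated with WSE3 enabled for the project.
using System;
using System.Net;
using System.Web.Services.Protocols;
using Microsoft.Web.Services3.Security.Tokens;

static class KerberosClient
{
    // The SPN the client requests must equal one registered on the account the
    // service runs as (see the SETSPN notes). Deriving it from the URL avoids the
    // common bug of building it from the client's own host name.
    static string ServicePrincipalFor(string serviceUrl)
    {
        string host = new Uri(serviceUrl).Host;
        // Resolve to the FQDN so HTTP/mypc.MyDomain.com is requested even when the
        // URL carries a short name; that SPN must be registered too.
        return "HTTP/" + Dns.GetHostEntry(host).HostName;
    }

    static void Main()
    {
        MyWSE3ServiceProxy svc = new MyWSE3ServiceProxy();
        svc.Url = "http://mypc.MyDomain.com/Service.asmx";   // hypothetical

        string spn = ServicePrincipalFor(svc.Url);
        // Impersonation lets the service act as the caller on its own machine only;
        // Delegation would also let it forward the caller's identity to other
        // services, so do not hand that out by default.
        KerberosToken token = new KerberosToken(spn, ImpersonationLevel.Impersonation);
        svc.SetClientCredential<KerberosToken>(token);

        // Name of the <policy> entry in wse3policyCache.config that carries the
        // <kerberosSecurity> assertion shown above (hypothetical name).
        svc.SetPolicy("kerberosSecurity");

        try
        {
            svc.HelloWorld();   // hypothetical operation on the proxy
        }
        catch (SoapException ex)
        {
            // A wrong or duplicated SPN surfaces here as a security fault. Logging the
            // SPN that was requested is what lets you compare it with SETSPN -L output.
            Console.Error.WriteLine("Call failed while using SPN " + spn + ": " + ex.Message);
            throw;
        }
    }
}
```

If the service runs as Network Service rather than a domain account, the same client still works without any SETSPN step, because the KDC satisfies HTTP/mypc from the computer account's built-in HOST SPN.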

Posted: Dec 23 2005, 10:11 PM by Wallym | with 1 comment(s)

Comments

a-joprue said:

Why register both HTTP and HOST?  I'm confused over which one needs to be used for domain AppPool service accounts.  Looks like your suggestion is just to register both.

-Joey

# February 8, 2007 4:41 PM