ASP.NET Podcast Show #31 - Paul on WSE3

ASPNETPodcast.com site.

Show Notes

- Many thanks to all our listeners
- Merry Xmas
- A very quick look at 2005
- The ASP.NET AJAX book (yes....again)

- Tech Talk on Web Service Enhancements 3 (WSE3)
-- Security implementation guidance document recently released: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wssp.asp
-- Service Principal Name (SPN) instructions

Grab the SETSPN.EXE tool from the Windows Resource Kit Tools.
>> SETSPN {principalName} {accountName}
>> setspn HOST/{machine} DOMAIN\account
>> setspn HOST/{machine}.domain.com DOMAIN\account
>> setspn HTTP/{machine} DOMAIN\account
>> setspn HTTP/{machine}.domain.com DOMAIN\account

e.g.
SETSPN HOST/mypc MYDOMAIN\fred
SETSPN HOST/mypc.MyDomain.com MYDOMAIN\fred
SETSPN HTTP/mypc MYDOMAIN\fred
SETSPN HTTP/mypc.MyDomain.com MYDOMAIN\fred
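Once the four SPNs above are registered, a practitioner wants to confirm that the service account really holds all of them and that no other account holds the same ones (a duplicated SPN makes the KDC pick an account at random, so the service may receive tickets encrypted with the wrong key and Kerberos fails). The script below is an added example, not code from the podcast; it derives the expected SPNs from the machine name and DNS domain and checks them against the output of `setspn -L DOMAIN\account`, supplied here as constructed sample text so it runs offline.

```python
"""Check SPN registration for a WSE3 Kerberos service account (added example)."""

# Constructed samples of `setspn -L` output for two accounts; not captured from a real domain.
SAMPLE_FRED_OUTPUT = """\
Registered ServicePrincipalNames for CN=fred,CN=Users,DC=MyDomain,DC=com:
    HOST/mypc
    HOST/mypc.MyDomain.com
    HTTP/mypc.MyDomain.com
"""
SAMPLE_SVCWEB_OUTPUT = """\
Registered ServicePrincipalNames for CN=svcweb,CN=Users,DC=MyDomain,DC=com:
    HTTP/otherbox.MyDomain.com
    HOST/mypc.MyDomain.com
"""


def expected_spns(machine, dns_domain):
    """The four SPNs the show notes register: HOST/ and HTTP/, short and fully-qualified."""
    names = (machine, f"{machine}.{dns_domain}")
    return {f"{service}/{name}" for service in ("HOST", "HTTP") for name in names}


def parse_setspn_list(output):
    """Parse `setspn -L` output: a header line, then one indented SPN per line."""
    spns = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered ServicePrincipalNames"):
            continue
        spns.add(line)
    return spns


def missing_spns(machine, dns_domain, setspn_output):
    """Expected SPNs not registered on the account, sorted. SPNs compare case-insensitively."""
    registered = {spn.lower() for spn in parse_setspn_list(setspn_output)}
    return sorted(s for s in expected_spns(machine, dns_domain) if s.lower() not in registered)


def duplicate_spns(outputs_by_account):
    """Map each SPN registered on more than one account (case-folded) to the sorted account list."""
    owners = {}
    for account, output in outputs_by_account.items():
        for spn in parse_setspn_list(output):
            owners.setdefault(spn.lower(), set()).add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


if __name__ == "__main__":
    print("missing on fred:", missing_spns("mypc", "MyDomain.com", SAMPLE_FRED_OUTPUT))
    print("duplicates:", duplicate_spns({"MYDOMAIN\\fred": SAMPLE_FRED_OUTPUT,
                                         "MYDOMAIN\\svcweb": SAMPLE_SVCWEB_OUTPUT}))
```

With the constructed samples the script reports HTTP/mypc as missing on fred and HOST/mypc.MyDomain.com as registered on both accounts; on a real domain, replace the sample text with the captured `setspn -L` output.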


Client Code for WSE3
- UsernameForCertificate

using Microsoft.Web.Services3.Security.Tokens;

// Generated WSE3 proxy class for the service
MyWSE3ServiceProxy svc = new MyWSE3ServiceProxy();
UsernameToken tok;
// If the user token is sent in plain text, then the TokenManager will try and
// authenticate against Active Directory / the local machine automatically.
tok = new UsernameToken("username", "password", PasswordOption.SendPlainText);
svc.SetClientCredential<UsernameToken>(tok);

- Kerberos
To set the target principal in code use:

using Microsoft.Web.Services3.Security.Tokens;

// The SPN the client requests a ticket for; here it is built from the local
// host name, so it targets a service running on this machine.
string targetPrincipalName = "HTTP/" + System.Net.Dns.GetHostEntry(System.Net.Dns.GetHostName()).HostName;
KerberosToken kerbTok = new KerberosToken(targetPrincipalName);

and via the wse3policycache.config file use:
<kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
  <token>
    <kerberos targetPrincipal="host/MYPC" impersonationLevel="Impersonation" />
  </token>
  <protection>
    <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
    <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
    <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
  </protection>
</kerberosSecurity>
