ASP.NET Podcast

ASP.NET Podcast is geared towards the Microsoft .NET Framework and ASP.NET.
The podcast is run by Wally and Paul.
Welcome to ASP.NET Podcast Sign in | Join | Help
in Search
Home Blogs Photos Downloads

ASP.NET Podcast

The ASP.NET Podcast features, technical talks, interviews, news, reviews, and Wallyisms. Wallace B. (Wally) McClure and Paul Glavich are your hosts.

ASP.NET Podcast Show #31 - Paul talks on WSE3

Subscribe - The Wally Way to do things.  Cool.  Hip.  Get iTunes or iPodder.

This show is available in the subscription feed.

Show Notes

- Many thanks to all our listeners
- Merry Xmas
- A very quick look at 2005
- The ASP.NET AJAX book (yes....again)

- Tech Talk on Web Service Enhancements 3 (WSE3)
-- Security implementation guidance doc recently released http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wssp.asp
-- Service Principal Instructions

grab the SETSPN.EXE tool from the windows resource kit tools
>> SETSPN {principalName} {accountName}
>> setspn HOST/{machine} DOMAIN\account
>> setspn HOST/{machine}.domain.com DOMAIN\account
>> setspn HTTP/{machine} DOMAIN\account
>> setspn HTTP/{machine}.domain.com DOMAIN\account

eg.
SETSPN HOST/mypc MYDOMAIN\fred
SETSPN HOST/mypc.MyDomain.com MYDOMAIN\fred
SETSPN HTTP/mypc MYDOMAIN\fred
SETSPN HTTP/mypc.MyDomain.com MYDOMAIN\fred


Client Code for WSE3
- UsernameForCertificate

MyWSE3ServiceProxy svc = new MyWSE3ServiceProxy();
UsernameToken tok;
// If the user token is sent in plain text, then the TokenManager will try and
// authenticate against the ActiveDir/LocalMachine automatically.
tok = new UsernameToken("username", "password", PasswordOption.SendPlainText);
svc.SetClientCredential<UsernameToken>(tok);

-Kerberos
To set the target principal in code use:

string targetPrincipalName = "HTTP/" + System.Net.Dns.GetHostEntry(System.Net.Dns.GetHostName()).HostName;
KerberosToken kerbTok = new KerberosToken(targetPrincipalName);

and via the wse3policycache.config file use:
    <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
  <token>
   <kerberos targetPrincipal="host/MYPC" impersonationLevel="Impersonation" />
  </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>

Published Tuesday, December 20, 2005 11:53 PM by admin
Anonymous comments are disabled

This Blog

Syndication
Copyright 2005, 2006, 2007 by Wallace B. McClure
Powered by Community Server, by Telligent Systems