ASP.NET Podcast #31 - I do a talk on WSE3 (and Merry Xmas)
Another podcast out the door! This is a pre-Christmas show and, depending on time, may be the last one for the year.
In this show I talk about Web Services Enhancements 3.0 (WSE3) and list out some tips and techniques I have used to overcome issues with some of the turnkey policies in WSE3. You can choose to subscribe (I hear rumours that subscribing to this podcast is so good that it can also assist in growing back severed limbs...) or you can download direct.
Don't forget to check out the ASP.NET Podcast site here (http://aspnetpodcast.com). Show notes for this show are below:
- Many thanks to all our listeners
- Merry Xmas
- A very quick look at 2005
- The ASP.NET AJAX book (yes....again)
- Tech Talk on Web Services Enhancements 3.0 (WSE3)
-- Security implementation guidance doc recently released http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wssp.asp
-- Service Principal Name (SPN) registration instructions
Grab the SETSPN.EXE tool from the Windows Resource Kit Tools. The account is the domain account the web service runs as:
>> SETSPN {principalName} {accountName}
>> setspn HOST/{machine} DOMAIN\account
>> setspn HOST/{machine}.domain.com DOMAIN\account
>> setspn HTTP/{machine} DOMAIN\account
>> setspn HTTP/{machine}.domain.com DOMAIN\account
e.g.
SETSPN HOST/mypc MYDOMAIN\fred
SETSPN HOST/mypc.MyDomain.com MYDOMAIN\fred
SETSPN HTTP/mypc MYDOMAIN\fred
SETSPN HTTP/mypc.MyDomain.com MYDOMAIN\fred
Client Code for WSE3
- UsernameForCertificate
MyWSE3ServiceProxy svc = new MyWSE3ServiceProxy();
UsernameToken tok;
// If the username token is sent in plain text, the TokenManager will try to
// authenticate it against Active Directory or the local machine automatically.
// (Under UsernameForCertificate the token is encrypted with the service's
// certificate, so the password is not exposed on the wire.)
tok = new UsernameToken("username", "password", PasswordOption.SendPlainText);
svc.SetClientCredential<UsernameToken>(tok);
- Kerberos
To set the target principal in code use:
string targetPrincipalName = "HTTP/" + System.Net.Dns.GetHostEntry(System.Net.Dns.GetHostName()).HostName;
KerberosToken kerbTok = new KerberosToken(targetPrincipalName);
and via the wse3policycache.config file use:
<kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
  <token>
    <kerberos targetPrincipal="host/MYPC" impersonationLevel="Impersonation" />
  </token>
  <protection>
    <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
    <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
    <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
  </protection>
</kerberosSecurity>
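As an added example (not from the show or the WSE3 samples) tying the SPN registration and the Kerberos client snippet together: the client builds the target principal from the service's host rather than its own, so the SPN it asks a ticket for is one of those registered with SETSPN on the service account. It assumes MyWSE3ServiceProxy is the generated WSE3 proxy and that the <kerberosSecurity> policy above is saved under the name "KerberosClientPolicy" in the policy cache file.

```csharp
using System;
using System.Net;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Security.Tokens;

// Assumed: MyWSE3ServiceProxy is the WSE3-generated proxy (derives from
// WebServicesClientProtocol) and "KerberosClientPolicy" names the policy in
// the policy cache file that carries the <kerberosSecurity> block above.
static class KerberosClientSetup
{
    // Build the SPN the client will request a ticket for. It must be one of the
    // SPNs registered with SETSPN on the account the service runs as; a typo here,
    // or an SPN registered on a different account, yields a ticket the service
    // cannot decrypt and the call fails with a security fault.
    public static string BuildTargetPrincipal(string serviceHost)
    {
        string fqdn = Dns.GetHostEntry(serviceHost).HostName; // canonical FQDN
        return "HTTP/" + fqdn;
    }

    // Wire a proxy with a Kerberos token for the service host and the policy
    // from the policy cache. The snippet above derives the SPN from the
    // client's own host name, which only matches when client and service run
    // on the same box; here the host is taken from the service URL instead.
    public static MyWSE3ServiceProxy CreateProxy(string serviceUrl)
    {
        MyWSE3ServiceProxy svc = new MyWSE3ServiceProxy();
        svc.Url = serviceUrl;

        string host = new Uri(serviceUrl).Host;
        KerberosToken kerbTok = new KerberosToken(BuildTargetPrincipal(host));
        svc.SetClientCredential<KerberosToken>(kerbTok);
        svc.SetPolicy("KerberosClientPolicy");
        return svc;
    }
}
```

If the service answers on a name that is not its machine name (a DNS alias or load-balanced name), register that name as an HTTP/ SPN on the service account too, otherwise the lookup above produces a principal nobody holds.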