.NET Forum / ASP.NET / Web Services / March 2006

Spec of TLSNego protocol

orouit - 10 Mar 2006 10:11 GMT
Hi,

I've been searching on the internet and basically on all the newsgroups I
could find for a specification of TLSNego, but it seems that it doesn't exist.

However this is extracted from the first RST sent by a client to a STS in
the Federation sample of the February CTP:

<t:BinaryExchange ValueType="http://schemas.microsoft.com/net/2004/07/secext/TLSNego">FgMBAEEBAAA9AwFEEU7bqmQX+am6uK1rHXWZ+5gVbVUo/GzHPOx3WdqmIQAAFgAEAAUACgAJAGQAYgADAAYAEwASAGMBAA==</t:BinaryExchange>

I've posted this on another MSDN forum but I don't get any answer. This is
quite a blocking issue for us and before making a paid request on MSDN I would
like to be sure that this protocol is not a private spec of Microsoft and that
I will get a solution.

<BinaryExchange> is part of WS-Trust but TLSNego is definitely not part of
this standard, so I would like to understand how an STS written without any MS
Framework (WSE or WCF) can interact with this so-called interoperable
technology.

Thks for any hint about it!

Olivier ROUIT
Advance IT Tokens
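
The BinaryExchange value quoted in the post above can be read without any vendor specification: the first bytes decode to 0x16 0x03 0x01, the TLS 1.0 record header for a handshake message, and what follows has the ClientHello layout of RFC 2246. The parser below is an added example, not code from the thread or from Microsoft; its only input is the base64 blob from the post (with the forum's line wrap removed), the cipher-suite name table is taken from the TLS registry and the expired 56-bit export-suite draft for the values this hello offers, and the "weak suite" classification is a present-day policy I added for illustration.

```python
import base64
import struct

# Payload of the <t:BinaryExchange> element quoted in the post above, with the
# forum's line wrap removed (the only input this example uses).
TLSNEGO_BLOB_B64 = (
    "FgMBAEEBAAA9AwFEEU7bqmQX+am6uK1rHXWZ+5gVbVUo/GzHPOx3WdqmIQAAFgAEAAUACgAJ"
    "AGQAYgADAAYAEwASAGMBAA=="
)

# Names for the cipher-suite codes this ClientHello offers. 0x0062-0x0064
# come from the expired 56-bit export-suite draft, the rest from RFC 2246.
CIPHER_SUITE_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}


def decode_blob(b64: str = TLSNEGO_BLOB_B64) -> bytes:
    """Base64-decode the BinaryExchange text content into the raw TLS record."""
    return base64.b64decode(b64)


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello (RFC 2246 layout)."""
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte TLS header")
    content_type, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError(f"content type 0x{content_type:02x} is not handshake (0x16)")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length exceeds the available bytes")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")       # 24-bit handshake length
    if hs_type != 0x01:
        raise ValueError(f"handshake type {hs_type} is not ClientHello (1)")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("handshake length exceeds the record body")

    pos = 0
    client_version = (hello[pos], hello[pos + 1]); pos += 2
    client_random = hello[pos:pos + 32]; pos += 32   # gmt_unix_time + 28 random bytes
    gmt_unix_time = struct.unpack("!I", client_random[:4])[0]
    sid_len = hello[pos]; pos += 1
    session_id = hello[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("malformed cipher_suites vector")
    cipher_suites = [struct.unpack("!H", hello[i:i + 2])[0]
                     for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1
    compression_methods = list(hello[pos:pos + comp_len]); pos += comp_len
    return {
        "record_version": (major, minor),
        "record_length": rec_len,
        "handshake_length": hs_len,
        "client_version": client_version,
        "gmt_unix_time": gmt_unix_time,
        "session_id": session_id,
        "cipher_suites": cipher_suites,
        "compression_methods": compression_methods,
        "trailing_bytes": len(hello) - pos,   # extensions would live here
    }


def weak_suites(suites) -> list:
    """Classify offered suites that a present-day TLS policy would reject."""
    out = []
    for code in suites:
        name = CIPHER_SUITE_NAMES.get(code, f"UNKNOWN_0x{code:04X}")
        if "EXPORT" in name:
            out.append((code, name, "export-grade key length"))
        elif "_WITH_DES_" in name:
            out.append((code, name, "single DES (56-bit key)"))
        elif "RC4" in name:
            out.append((code, name, "RC4 (prohibited by RFC 7465)"))
    return out


if __name__ == "__main__":
    hello = parse_client_hello(decode_blob())
    for key, value in hello.items():
        print(f"{key}: {value!r}")
    for code, name, reason in weak_suites(hello["cipher_suites"]):
        print(f"weak: 0x{code:04X} {name}: {reason}")
```

Run as written, the parser reports a TLS 1.0 ClientHello of 61 bytes with an empty session id, no extensions, null compression and eleven cipher suites, nine of which are export-grade, single-DES or RC4 (the two 3DES suites are the only ones a current policy would keep). The gmt_unix_time field decodes to 1141984987, i.e. 10 March 2006 shortly after 10:00 UTC, which agrees with the post's timestamp. The practical point for an STS author outside WCF is that the BinaryExchange value is a plain TLS handshake record, so the server side of TLSNego has to speak TLS over SOAP rather than parse a private format.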

Pablo Cibraro - 10 Mar 2006 14:27 GMT
Hi Olivier,

I have already discussed this topic with you before. WCF tries to negotiate
a service certificate with the protocol TLSNego when you use the binding
wsHttpBinding.
You have two ways of avoiding that behavior:

1. Disable the negotiateServiceCredential flag on the wsHttpBinding
2. Use a custom binding, as I show below (it uses UsernameOverCertificate
but you can modify it to use MutualCertificate).

<system.serviceModel>
  <client>
    <endpoint name="clientendpoint"
              address="http://localhost/WCFSampleService/service.svc"
              binding="wsFederationHttpBinding"
              contract="IHelloWorld"
              behaviorConfiguration="ServiceBehavior"
              bindingConfiguration="ServiceBinding">
      <identity>
        <dns value="WCFQuickstartServer"/>
      </identity>
    </endpoint>
  </client>

  <bindings>
    <customBinding>
      <binding name="UsernameBinding">
        <security authenticationMode="UserNameForCertificate"
                  requireSignatureConfirmation="false"
                  messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                  requireDerivedKeys="true">
        </security>
        <httpTransport/>
      </binding>
    </customBinding>

    <wsFederationHttpBinding>
      <binding name="ServiceBinding">
        <security mode="Message">
          <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                   negotiateServiceCredential="false">
            <!-- Uncomment this section to ask for specific claims to the STS
            <claims>
              <add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/EmailAddress"/>
              <add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/GivenName"/>
              <add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/Surname"/>
            </claims>
            -->
            <issuer address="http://localhost/WCFSecurityTokenService/service.svc"
                    binding="customBinding"
                    bindingConfiguration="UsernameBinding">
              <identity>
                <dns value="WCFQuickstartServer"/>
              </identity>
            </issuer>
          </message>
        </security>
      </binding>
    </wsFederationHttpBinding>
  </bindings>

  <behaviors>
    <behavior name="ServiceBehavior">
      <clientCredentials>
        <serviceCertificate>
          <!-- With negotiation off, the client must already hold the service
               certificate; this entry tells it where to find it. -->
          <defaultCertificate findValue="CN=WCFQuickstartServer"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectDistinguishedName"/>
          <!-- certificateValidationMode="None" and revocationMode="NoCheck"
               switch off chain and revocation validation of that certificate;
               they fit the local sample only. -->
          <authentication revocationMode="NoCheck"
                          certificateValidationMode="None"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </behaviors>
</system.serviceModel>

This works on the February CTP.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

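
As an added example (not code from the thread), the check below reads a client configuration shaped like the one in the reply above and flags the service-certificate settings that switch validation off, which is the trade-off hidden in that sample: with negotiateServiceCredential="false" the client never receives the service certificate in-band, so whatever is pinned under serviceCertificate is all that stands between it and a spoofed service. The sample config is constructed from that reply and trimmed to the elements the audit inspects; the defaults it assumes for a missing attribute (ChainTrust, Online) are WCF's documented defaults for the authentication element.

```python
import xml.etree.ElementTree as ET

# Constructed for this example: the client configuration from the reply above,
# trimmed to the elements the audit below inspects.
SAMPLE_CLIENT_CONFIG = """<system.serviceModel>
 <bindings>
  <wsFederationHttpBinding>
   <binding name="ServiceBinding">
    <security mode="Message">
     <message negotiateServiceCredential="false"/>
    </security>
   </binding>
  </wsFederationHttpBinding>
 </bindings>
 <behaviors>
  <behavior name="ServiceBehavior">
   <clientCredentials>
    <serviceCertificate>
     <defaultCertificate findValue="CN=WCFQuickstartServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>
     <authentication revocationMode="NoCheck" certificateValidationMode="None"/>
    </serviceCertificate>
   </clientCredentials>
  </behavior>
 </behaviors>
</system.serviceModel>"""

# Values WCF applies when the attribute is absent from <authentication>.
DEFAULT_VALIDATION_MODE = "ChainTrust"
DEFAULT_REVOCATION_MODE = "Online"


def negotiation_disabled(root: ET.Element) -> bool:
    """True if any wsFederationHttpBinding turns service-credential negotiation off."""
    for msg in root.iterfind("./bindings/wsFederationHttpBinding/binding/security/message"):
        if msg.get("negotiateServiceCredential", "true").lower() == "false":
            return True
    return False


def audit_client_config(xml_text: str) -> list:
    """Return (location, attribute, value, reason) tuples for risky settings."""
    root = ET.fromstring(xml_text)
    findings = []
    has_pinned_cert = False
    for behavior in root.iterfind("./behaviors/behavior"):
        svc_cert = behavior.find("./clientCredentials/serviceCertificate")
        if svc_cert is None:
            continue
        where = f"behavior '{behavior.get('name', '?')}'"
        if (svc_cert.find("./defaultCertificate") is not None
                or svc_cert.find("./scopedCertificates") is not None):
            has_pinned_cert = True
        auth = svc_cert.find("./authentication")
        mode = DEFAULT_VALIDATION_MODE if auth is None else auth.get(
            "certificateValidationMode", DEFAULT_VALIDATION_MODE)
        rev = DEFAULT_REVOCATION_MODE if auth is None else auth.get(
            "revocationMode", DEFAULT_REVOCATION_MODE)
        if mode == "None":
            findings.append((where, "certificateValidationMode", mode,
                             "service certificate accepted without chain or peer validation"))
        if rev == "NoCheck":
            findings.append((where, "revocationMode", rev,
                             "a revoked service certificate is still accepted"))
    if negotiation_disabled(root) and not has_pinned_cert:
        findings.append(("wsFederationHttpBinding", "negotiateServiceCredential", "false",
                         "negotiation is off but no defaultCertificate/scopedCertificates is configured"))
    return findings


def harden_config(xml_text: str) -> str:
    """Rewrite every serviceCertificate/authentication element to validate the chain and check revocation."""
    root = ET.fromstring(xml_text)
    for auth in root.iterfind("./behaviors/behavior/clientCredentials/serviceCertificate/authentication"):
        auth.set("certificateValidationMode", "ChainTrust")
        auth.set("revocationMode", "Online")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_client_config(SAMPLE_CLIENT_CONFIG):
        print("finding:", finding)
    print("after hardening:", audit_client_config(harden_config(SAMPLE_CLIENT_CONFIG)))
```

On the sample the audit reports two findings (validation mode None, revocation NoCheck) and none after harden_config rewrites the authentication element; removing the defaultCertificate entry while keeping negotiation off produces a third finding, since the client would then have no service certificate at all.
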
orouit - 13 Mar 2006 14:04 GMT
Thanks a lot,

This time with the help of your config I managed to get what I wanted. In
fact I tried negotiateServiceCredential=false
and with the help of another post I managed to get... TLSNego instead of
SPNego! But it didn't solve my problem and that's why I
asked again.

I used your advice using MutualCertificate in the Federation sample of the
Feb CTP and when I plug my HttpHandler I get
what I expected, i.e. a SOAP request that I can handle according to the WS-* specs.

I will close the other posts as well.

/Olivier

Olivier ROUIT
Advance IT Tokens


©2008 Advenet LLC