.NET Forum / ASP.NET / Web Services / September 2004

WSE 2 and impersonation

Michael Riggio - 25 Aug 2004 21:32 GMT
I have a WSE 2 server and an older .NET application that I extended that now
acts as a WSE 2 client.  Part of the original functionality of the client
was that it was available to COM callers.  I now want the client to
impersonate the COM caller and send some SOAP messages to my WSE 2 server.

Before the client makes the WSE call I am able to grab the current user
principal in order to impersonate, but I'm not sure how to package that up
into the WSE call (WSE seems to want username/password).  Any thoughts?

Thanks,
-Mike
HongMei Ge - 26 Aug 2004 19:35 GMT
Can you get a WindowsIdentity out of the principal and invoke "Impersonate"?

If so, you can try to use a Kerberos token.  Make sure your server side checks
that the Kerberos token's identity is really the COM caller.
However, it depends on what impersonation permission you can get on your WSE
2 client machine to be able to achieve that.

Let me know if this works.

hongmei

Michael Riggio - 26 Aug 2004 20:19 GMT
We don't plan on working with Kerberos.  Also, it seems that WSE expects you
to pass the actual username and password to their API... there's no way to
retrieve that information from the principal, as far as I know.  It would be
great if the WSE API allowed you to pass the principal you want to use and
have it extract the information it needs in order to impersonate.

Any other thoughts?

Softwaremaker - 26 Aug 2004 23:17 GMT
Michael,

This is a snippet taken from Simon Horrell's article on MSDN about
Kerberos... You can refer to the full article through this link:
http://msdn.microsoft.com/webservices/building/wse/default.aspx?pull=/library/en-us/dnwse/html/wse2wspolicy.asp


<quoteSnippet>
Sending a KerberosToken
If WSE 2.0 is installed on Windows Server 2003 or Windows XP with Service
Pack 1, then it has support for Kerberos authentication in the form of a
KerberosToken. Kerberos has the benefit of being an open security standard,
thus promoting interoperability between WSE-enabled Web service applications
running on Windows and Web service applications running on non-Windows
platforms.

The policy below shows how to configure a Web service operation to accept a
Kerberos ticket as a security token.

<wsp:Policy wsu:Id="PassKerberosToken">
 <SecurityToken wsp:Usage="wsp:Required"
   xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
   <TokenType>
   http://schemas.xmlsoap.org/ws/2003/12/kerberos/Kerberosv5ST
   </TokenType>
 </SecurityToken>
</wsp:Policy>

Again, in this case, because the exact details of a particular Kerberos
ticket have not been specified, the Web service consumer using this policy
must populate the PolicyEnforcementSecurityTokenCache with a specific
token (this time a KerberosToken) before it makes the call to the Web service
proxy, as shown here.

// Service principal name of the target host; here the local machine.
string name = "host/" + System.Net.Dns.GetHostName();
// The token wraps a Kerberos ticket for the current Windows security context.
KerberosToken tok = new KerberosToken(name);
// Policy enforcement picks the token up from the global cache when the proxy is called.
PolicyEnforcementSecurityTokenCache.GlobalCache.Add(tok);
// "s" is the WSE-generated Web service proxy whose PassToken operation uses the policy above.
s.PassToken();

The KerberosToken is created from the current Windows user's security
context (its Principal property is automatically set to this user), so it wraps
a Kerberos ticket that allows the Web service consumer (running on behalf of
the current user) to communicate with the host specified (the same machine,
in this case).

A policy detailing a particular Kerberos ticket to use is shown below.

<wsp:Policy wsu:Id="PassKerberosToken">
 <SecurityToken wsp:Usage="wsp:Required"
   xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
   <TokenType>
   http://schemas.xmlsoap.org/ws/2003/12/kerberos/Kerberosv5ST
   </TokenType>
   <TokenIssuer>DM</TokenIssuer>
   <Claims>
     <SubjectName>DM\simonh</SubjectName>
     <ServiceName>host/LAP-SIMON</ServiceName>
   </Claims>
 </SecurityToken>
</wsp:Policy>

In this case, all the Web service consumer using this policy needs to do is
call the Web service method, as WSE has all the information it needs to
obtain a Kerberos ticket and wrap it as a KerberosToken.

s.PassToken();

When the message is received by WSE, it automatically maps the Kerberos
ticket to a Windows user account.

It may be that the machine hosting either the Web service consumer or the
Web service doesn't support Kerberos, so using a KerberosToken is not an
option. It may also be that using a UsernameToken is not an option: a
UsernameToken works fine when passing messages from client to server but
won't work for messages sent from server to client as the client has no way
of verifying the server's password. In this case, perhaps an X.509
certificate may be a better choice as the means of specifying credentials.
</quoteSnippet>

hth.

Thank you very much

Warmest Regards,
Softwaremaker
Architect | Evangelist | Consultant

+++++++++++++++++++++++++++++++++

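The pattern the thread is circling around, as an added example that is not from the thread or from the MSDN article: the client impersonates the captured COM caller only for the duration of the WSE call, so the KerberosToken is built from that caller's security context rather than the host process's, and the service checks the mapped identity before trusting the request (the point HongMei raises above). Assumed: WSE 2.0 types KerberosToken, PolicyEnforcementSecurityTokenCache, SecurityToken and SoapContext.Security.Tokens with the namespaces shown, and that the client's impersonation token carries network credentials (otherwise no ticket for a remote host can be obtained).

```csharp
using System;
using System.Security.Principal;
using Microsoft.Web.Services2;                  // SoapContext (assumed namespace)
using Microsoft.Web.Services2.Security;         // PolicyEnforcementSecurityTokenCache (assumed)
using Microsoft.Web.Services2.Security.Tokens;  // KerberosToken, SecurityToken (assumed)

public delegate void ServiceCall();             // wraps e.g. "s.PassToken()" on the WSE proxy

public class ComCallerBridge
{
    // Client side: run the WSE call as the COM caller. "caller" is the
    // WindowsPrincipal captured before the call; "call" invokes the proxy.
    public static void CallAsComCaller(WindowsPrincipal caller, ServiceCall call)
    {
        WindowsIdentity id = (WindowsIdentity)caller.Identity;
        // Impersonate for as short a window as possible and always undo it,
        // even if the call throws, so later work does not run as the caller.
        WindowsImpersonationContext ctx = id.Impersonate();
        try
        {
            // Target SPN; the token wraps a ticket for the *impersonated* context.
            string spn = "host/" + System.Net.Dns.GetHostName();
            KerberosToken tok = new KerberosToken(spn);
            PolicyEnforcementSecurityTokenCache.GlobalCache.Add(tok);
            call();
        }
        finally
        {
            ctx.Undo();
        }
    }

    // Server side: accept the request only if it carries a KerberosToken whose
    // mapped Windows account matches the account we expect the COM caller to be.
    // Call with RequestSoapContext.Current inside the Web method.
    public static bool CallerIsExpected(SoapContext ctx, string expectedAccount)
    {
        foreach (SecurityToken t in ctx.Security.Tokens)
        {
            KerberosToken k = t as KerberosToken;
            if (k == null) continue;          // ignore any non-Kerberos tokens
            string name = k.Principal.Identity.Name;   // e.g. "DM\simonh"
            if (String.Compare(name, expectedAccount, true) == 0)
                return true;
        }
        return false;                          // no Kerberos token, or wrong identity
    }
}
```

If the service must act on the caller's identity itself, use the same Impersonate/Undo pattern around that work only, and log the mapped account name so a mismatch between the transport identity and the claimed COM caller is visible.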
Michael Riggio - 27 Aug 2004 13:27 GMT
I guess I'm a bit confused here.  For our particular solution, Kerberos is
not an option; however, based on the code below:
> string name = "host/" + System.Net.Dns.GetHostName();
> KerberosToken tok = new KerberosToken(name);
> PolicyEnforcementSecurityTokenCache.GlobalCache.Add(tok);
> s.PassToken();

Can I pass some Windows Principal token or something like that instead of a
Kerberos token, or does this example/functionality only apply for Kerberos?

Thanks!
-Mike

SA - 09 Sep 2004 22:46 GMT
Michael:

It seems to me that your problem lies a little bit deeper than
authentication.

I would go back and re-evaluate the architecture of your solution. If you
want to use impersonation, then  you are not building an interoperable web
service.

In that scenario, IMHO, .NET Remoting is a much better choice: it does what
you want it to do out of the box, and it is much faster because it can use
the full power of the Windows platform to communicate in binary.

If you are looking to create an interoperable web service, you should not
attempt to impersonate.

My two cents.

HTH,


Sven

