CSF Session Without User Credentials

  • Question

  • Hi,

     I need to create a CSF Session without using a user name and password.

    I am able to create the session successfully without Kerberos.

     I am trying to create it with Kerberos. I am trying first with the HelloWorld sample.

    I have made the following changes in SessionPolicy.config:

    <policy name="SessionServerPolicy">
      <authorization>
        <allow role="SDPDEV\Requestors@CSF_Session"/>
        <deny user="*"/>
      </authorization>
      <!--<traceAssertion remoteServerUri="http://csftraceservername:9502/LogWriter.soap" />-->
      <dynamicSecurity>
        <usernameOverTransportSecurity/>
        <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
          <token>
            <kerberos targetPrincipal="CSF/Session" impersonationLevel="impersonation" />
          </token>
          <protection>
            <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
            <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
            <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
          </protection>
        </kerberosSecurity>
      </dynamicSecurity>
      <requireActionHeader/>
    </policy>

    After that I registered the Service Principal Name.

    Output of setspn -L SDPDev\Session-Service:

    Registered ServicePrincipalNames for CN=Session-Service,OU=CSF_Session,OU=CSF-Administration-OU,DC=SDPDEV,DC=acs:
        CSF/Session
        UIFormService/HelloWorldAppWnd

    I have made the following changes in the HelloWorldSample example:

    // Add the Kerberos token for the CSF/Session SPN to the outgoing message header
    message.Header.Security.Add(new KerberosToken("CSF/Session", ImpersonationLevel.Impersonation));

    // Policy assertion with a Kerberos token provider for the same SPN
    KerberosAssertion policyAssertion = new KerberosAssertion();
    policyAssertion.KerberosTokenProvider = new KerberosTokenProvider("CSF/Session");

    I am getting the following exception:

    Timestamp: 10/07/2007 8.41.30

    Message: System.FormatException: Failed parsing the policy document. ---> System.ArgumentException: Requested value 'impersonation' was not found.

    at System.Enum.Parse(Type enumType, String value, Boolean ignoreCase)

    at Microsoft.Web.Services3.Design.PolicyAssertion.TryGetAttribute[T](XmlReader reader, String name, T& value)

    at Microsoft.Web.Services3.Design.KerberosTokenProvider.ReadXml(XmlReader reader, IDictionary`2 extensions)

    at Microsoft.Web.Services3.Design.KerberosAssertion.ReadXml(XmlReader reader, IDictionary`2 extensions)

    at Microsoft.ConnectedServices.Sdk.Security.DynamicSecurityAssertion.ReadXml(XmlReader reader, IDictionary`2 extensions)

    at Microsoft.Web.Services3.Design.Policy.ReadFrom(XmlReader reader, IDictionary`2 extensions)

    at Microsoft.Web.Services3.Design.Policy.ReadFrom(XmlReader reader, IDictionary`2 extensions, String& policyName)

    at Microsoft.Web.Services3.Design.Policies.ReadPolicies(XmlReader reader, IDictionary`2 extensions)

    at Microsoft.Web.Services3.Design.Policies.ReadXml(XmlReader reader)

    --- End of inner exception stack trace ---

    at Microsoft.Web.Services3.Design.Policies.ReadXml(XmlReader reader)

    at Microsoft.Web.Services3.Configuration.PolicyConfiguration.GetPolicies()

    at Microsoft.Web.Services3.Design.Policies.get_Default()

    at Microsoft.Web.Services3.Messaging.SoapReceiver.SetPolicy(String policyName)

    at Microsoft.ConnectedServices.Sdk.Messaging.CsfService.SetPolicy(String policyname)

    at Microsoft.ConnectedServices.Connector.Session.SessionManagerAdminWS..ctor()

    Category: Session OperationalEvent

    Priority: 5

    EventId: 20000

    Severity: Error

    Title:Session

    Machine: CSF30-07

    Application Domain: /LM/W3SVC/1/Root/Session30-1-128285304813934044

    Process Id: 1272

    Process Name: c:\windows\system32\inetsrv\w3wp.exe

    Win32 Thread Id: 2968

    Thread Name:

    Extended Properties:

    Timestamp: 10/07/2007 8.41.30

    Message: CustomUsernameTokenManager is enabled.

    Category: Session OperationalEvent

    Priority: 5

    EventId: 0

    Severity: Information

    Title:CustomUsernameTokenManager

    Machine: CSF30-07

    Application Domain: /LM/W3SVC/1/Root/Session30-1-128285304813934044

    Process Id: 1272

    Process Name: c:\windows\system32\inetsrv\w3wp.exe

    Win32 Thread Id: 2968

    Help me in understanding this error and how to resolve it.

    I do not have the Order Handling SBE. I am able to create the session successfully without Kerberos.

    Tuesday, July 10, 2007 8:39 AM

Answers

  • Hi Meena,

    The SessionServerPolicy is a server policy used to validate the incoming messages to Session.

    You are not supposed to give a target principal name in this policy, as the target principal name is required in the client-side policy.

    So to make it work with Kerberos, your SessionServerPolicy should look like this:

    <policy name="SessionServerPolicy">
      <authorization>
        <allow role="SDPDEV\Requestors@CSF_Session"/>
        <deny user="*"/>
      </authorization>
      <dynamicSecurity>
        <usernameOverTransportSecurity/>
        <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
          <protection>
            <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
            <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
            <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
          </protection>
        </kerberosSecurity>
      </dynamicSecurity>
      <requireActionHeader/>
    </policy>

    Your client-side policy should look like the one below if you are not sending the Kerberos token through code:

    <policy name="HelloWorldClientPolicy">
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
        <token>
          <kerberos targetPrincipal="CSF/Session" impersonationLevel="Impersonation"/>
        </token>
        <protection>
          <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
          <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
          <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
        </protection>
      </kerberosSecurity>
    </policy>

    Now you can send a Kerberos token from any other service to create a session.

    Session should be able to validate the incoming message against the policy mentioned above.

    In case you want Session to accept messages only with a Kerberos token, you can remove the "<usernameOverTransportSecurity/>" portion from the policy.

    Hope this helps.

    Regards,

    Subhodip

    Friday, July 13, 2007 7:10 AM

All replies

  • Hi,

    The problem is pretty simple. In the policy you have created, you have mentioned the following:

    <kerberos targetPrincipal="CSF/Session" impersonationLevel="impersonation" />

    Please change the case of the 'i' in impersonation; it should be a capital I. It should be as follows:

    <kerberos targetPrincipal="CSF/Session" impersonationLevel="Impersonation" />

    This should resolve the problem.

    Thanks,

    Kapil

    Friday, July 13, 2007 6:59 AM
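    As an added check (not code from this thread or from the CSF product), the Python lint below catches the two mistakes the replies above point out, Kapil's case-sensitive impersonationLevel value and Subhodip's targetPrincipal in the server policy, plus the usernameOverTransportSecurity element the accepted answer says to remove for Kerberos-only sessions. The Identification and Delegation enum names and the two trimmed sample policies are assumptions.

```python
"""Lint a WSE 3.0 / CSF SessionPolicy.config for the pitfalls in this thread."""
import xml.etree.ElementTree as ET

# "Impersonation" is the spelling the thread confirms; the other two members are
# the standard .NET impersonation-level names and are an assumption here.
IMPERSONATION_LEVELS = {"Identification", "Impersonation", "Delegation"}

# Constructed sample: the poster's original server policy, trimmed to the parts
# the lint rules look at (lowercase enum value, Kerberos token in a server policy).
BROKEN_SERVER_POLICY = """<policy name="SessionServerPolicy">
  <authorization><allow role="SDPDEV\\Requestors@CSF_Session"/><deny user="*"/></authorization>
  <dynamicSecurity>
    <usernameOverTransportSecurity/>
    <kerberosSecurity establishSecurityContext="false">
      <token><kerberos targetPrincipal="CSF/Session" impersonationLevel="impersonation"/></token>
    </kerberosSecurity>
  </dynamicSecurity>
</policy>"""

# Constructed sample: the same policy made Kerberos-only, with the token moved out.
FIXED_SERVER_POLICY = """<policy name="SessionServerPolicy">
  <authorization><allow role="SDPDEV\\Requestors@CSF_Session"/><deny user="*"/></authorization>
  <dynamicSecurity><kerberosSecurity establishSecurityContext="false"/></dynamicSecurity>
</policy>"""


def lint_policy(xml_text: str) -> list[str]:
    """Return one finding per problem; an empty list means the policy passes."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):  # <policy> or <policies> root
        name = policy.get("name", "<unnamed>")
        auth = policy.find("authorization")
        is_server = auth is not None  # only the server side authorizes callers
        for kerb in policy.iter("kerberos"):
            level = kerb.get("impersonationLevel")
            if level is not None and level not in IMPERSONATION_LEVELS:
                # Enum.Parse is case-sensitive here: 'impersonation' throws ArgumentException
                hint = [v for v in IMPERSONATION_LEVELS if v.lower() == level.lower()]
                findings.append(f"{name}: impersonationLevel={level!r} is not a valid enum name"
                                + (f"; did you mean {hint[0]!r}?" if hint else ""))
            if is_server and kerb.get("targetPrincipal"):
                findings.append(f"{name}: targetPrincipal belongs in the client policy, not the server policy")
        if is_server:
            sec = policy.find("dynamicSecurity")
            if sec is not None and sec.find("usernameOverTransportSecurity") is not None and sec.find("kerberosSecurity") is not None:
                findings.append(f"{name}: usernameOverTransportSecurity still admits password logons; remove it for Kerberos-only")
            if auth.find("deny") is None:
                findings.append(f"{name}: authorization has no deny rule, so unlisted callers are not rejected")
    return findings
```

    Run it over a real SessionPolicy.config before deploying; a finding on the enum value reproduces the FormatException from the original post before IIS does.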