Hello.
I would like to implement client impersonation in the service side of my application.
I have done that using a policy config file at the client/service.
On the service side I use:
KerberosToken clientToken = RequestSoapContext.Current.Credentials.UltimateReceiver.GetClientToken<KerberosToken>();
clientToken.Principal.Identity.Impersonate();
To get the client's token and impersonate.
- This works fine.
The trouble is the config file – the service name (<kerberos targetPrincipal="host/server1"/>) cannot be changed while the client is running, and my client needs to connect to several services.
So I tried to create the Kerberos policy in the code (instead of using the policy config file), but I can't seem to get it to work; I get:
WSE910: Security requirements are not satisfied because the security header is not present in the incoming message.
This is the client policy config file:
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="kerberos" type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="RemoteTaskSecurity">
    <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
      <token>
        <kerberos targetPrincipal="host/server1" impersonationLevel="Impersonation" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>
This is my code (the relevant parts for passing the Kerberos token):
----------------Client Code Start -----------------
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3.Messaging;
using Microsoft.Web.Services3.Security.Tokens;

// Policy assembled in code instead of the RemoteTaskSecurity policy from the config file.
class MyPolicy : Policy
{
    // The constructor must carry the class name.
    public MyPolicy()
    {
        KerberosAssertion kerberosAssertion = new KerberosAssertion();
        // Same token settings as <kerberos targetPrincipal="host/server1" impersonationLevel="Impersonation" />
        kerberosAssertion.KerberosTokenProvider = new KerberosTokenProvider("host/server1", ImpersonationLevel.Impersonation);
        this.Assertions.Add(kerberosAssertion);
    }
}

class client : SoapClient
{
    // Attach the in-code policy to this client.
    public client()
    {
        base.SetPolicy(new MyPolicy());
    }
}
----------------Client Code End -----------------
I think (hope) I'm on the right track, but obviously I am missing some sections such as "protection".
Can anyone help?
10x,
Alex.
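One way to build the whole client-side policy in code, mirroring each setting of the RemoteTaskSecurity policy above and taking the target principal as a constructor argument so one client can address several services; this is an added example, not code from the post. The KerberosTokenProvider constructor, Assertions.Add, RequireActionHeaderAssertion and SetPolicy come from the post; the property names for the kerberosSecurity and protection settings (EstablishSecurityContext, Protection.Request.SignatureOptions and so on) are assumed to match the config attribute names of the WSE 3.0 KerberosAssertion and should be checked against the installed assembly.

```csharp
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3.Messaging;
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

// Client policy built in code so the Kerberos target principal can differ per service.
// ASSUMPTION: the property names below mirror the kerberosSecurity/protection
// attributes of the config file; check them against the WSE 3.0 KerberosAssertion.
class RemoteTaskSecurityPolicy : Policy
{
    public RemoteTaskSecurityPolicy(string targetPrincipal)
    {
        KerberosAssertion kerberos = new KerberosAssertion();
        // <kerberos targetPrincipal="..." impersonationLevel="Impersonation" />
        kerberos.KerberosTokenProvider =
            new KerberosTokenProvider(targetPrincipal, ImpersonationLevel.Impersonation);
        // <kerberosSecurity ... /> attributes
        kerberos.EstablishSecurityContext = false;
        kerberos.RenewExpiredSecurityContext = true;
        kerberos.RequireSignatureConfirmation = false;
        kerberos.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
        kerberos.RequireDerivedKeys = true;
        kerberos.TtlInSeconds = 300;
        // <protection>: sign addressing, timestamp and body on every message;
        // encrypt request and response bodies; leave fault bodies unencrypted.
        SignatureOptions signed = SignatureOptions.IncludeAddressing
                                | SignatureOptions.IncludeTimestamp
                                | SignatureOptions.IncludeSoapBody;
        kerberos.Protection.Request.SignatureOptions = signed;
        kerberos.Protection.Request.EncryptBody = true;
        kerberos.Protection.Response.SignatureOptions = signed;
        kerberos.Protection.Response.EncryptBody = true;
        kerberos.Protection.Fault.SignatureOptions = signed;
        kerberos.Protection.Fault.EncryptBody = false;

        this.Assertions.Add(kerberos);
        this.Assertions.Add(new RequireActionHeaderAssertion()); // <requireActionHeader />
    }
}

// One client per target service, each carrying its own policy instance.
class RemoteTaskClient : SoapClient
{
    public RemoteTaskClient(string targetPrincipal)
    {
        base.SetPolicy(new RemoteTaskSecurityPolicy(targetPrincipal));
    }
}
```

Each service the client talks to gets its own RemoteTaskClient with the matching principal, e.g. "host/server1" for the service named in the config file above.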