WSE3 Impersonation by Client Token


  • Hello.
    I would like to implement client impersonation on the service side of my application.
    I have done that using a policy config file on both the client and the service.

    On the service side I use:

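    // Service side: pull the Kerberos token the caller presented. GetClientToken<T>() is
    // expected to return null when the request carried no Kerberos token (e.g. policy not
    // enforced on this operation) — verify — so fail closed instead of dereferencing null.
    KerberosToken clientToken = RequestSoapContext.Current.Credentials.UltimateReceiver.GetClientToken<KerberosToken>();
    if (clientToken == null)
    {
        throw new System.Security.SecurityException("No Kerberos client token in the request; refusing to impersonate.");
    }

    // Impersonate() switches the *current thread* to the client's Windows identity and hands
    // back a context that must be reverted when the work is done; otherwise the thread keeps
    // running as the client (and may serve the next request that way). The using block
    // guarantees the revert (Dispose calls Undo) even if the impersonated work throws.
    // Impersonate() is a WindowsIdentity member, hence the cast; it is a no-op if Identity is
    // already statically typed as WindowsIdentity.
    using (System.Security.Principal.WindowsImpersonationContext impersonation =
               ((System.Security.Principal.WindowsIdentity)clientToken.Principal.Identity).Impersonate())
    {
        // Work that must run as the client goes here; impersonation ends when the block exits.
    }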

    To get the client's token and impersonate.

    - This works fine.

    The trouble is the config file: the target service name (<kerberos targetPrincipal="host/server1"/>, i.e. the SPN the Kerberos ticket is requested for) is fixed in the file and cannot be changed while the client is running, and my client needs to connect to several services, each with its own principal.

    So I tried to create the Kerberos policy in code (instead of using the policy config file), but I can't seem to get it to work; I get:

    WSE910: Security requirements are not satisfied because the security header is not present in the incoming message.

    This is the client policy config file:

    <!-- Client-side WSE 3.0 policy. The service-side policy must agree with these settings
         (token type, what is signed/encrypted, derived keys); mismatches surface as WSE9xx
         policy errors such as the one quoted in the question. -->
    <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
     <extensions>
      <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <extension name="kerberos" type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
     </extensions>
     <policy name="RemoteTaskSecurity">
      <!-- requireDerivedKeys="true": sign and encrypt with keys derived from the Kerberos
           session key rather than the session key itself. ttlInSeconds presumably bounds how
           long a signed timestamp is accepted (the replay window) - keep it short. -->
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
       <token>
        <!-- targetPrincipal is the SPN of the service being called (the value that must vary
             per service). impersonationLevel="Impersonation" lets the service act as the client
             on its own machine but not forward the identity to a further hop; that would need
             Delegation, which should only be granted when genuinely required. -->
        <kerberos targetPrincipal="host/server1" impersonationLevel="Impersonation" />
       </token>
       <protection>
        <!-- Addressing headers, timestamp and body are signed and the body is encrypted in both
             directions; faults are signed but sent in the clear. -->
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
       </protection>
      </kerberosSecurity>
      <!-- Messages without a WS-Addressing Action header are rejected. -->
      <requireActionHeader />
     </policy>
    </policies>

    This is my code (The relevant parts for passing the Kerberos token):

    ----------------Client Code Start -----------------

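    /// <summary>
    /// Code-built WSE 3.0 client policy meant to replace the "RemoteTaskSecurity" policy from
    /// the config file, so the Kerberos target principal (SPN) can vary per service.
    /// </summary>
    /// <remarks>
    /// NOTE(review): unlike the config-file policy this sets no Protection (what is signed and
    /// encrypted), no RequireDerivedKeys and no requireActionHeader assertion, so it is not
    /// yet equivalent to the file version.
    /// The constructor must carry the class name: the original "RemoteTaskSecurity()" was a
    /// method without a return type and could never run as MyPolicy's constructor.
    /// </remarks>
    class MyPolicy : Policy
    {
        /// <summary>Default SPN, kept so the parameterless constructor behaves as before.</summary>
        private const string DefaultTargetPrincipal = "host/server1";

        /// <summary>Builds the policy for the default target principal.</summary>
        public MyPolicy()
            : this(DefaultTargetPrincipal)
        {
        }

        /// <summary>Builds the policy for the service identified by <paramref name="targetPrincipal"/>.</summary>
        /// <param name="targetPrincipal">SPN of the service being called; the Kerberos ticket is
        /// requested for this principal, so it must name the intended service.</param>
        /// <exception cref="System.ArgumentException">Thrown when the principal is null or blank.</exception>
        public MyPolicy(string targetPrincipal)
        {
            if (targetPrincipal == null || targetPrincipal.Trim().Length == 0)
            {
                throw new System.ArgumentException("A Kerberos target principal (SPN) is required.", "targetPrincipal");
            }

            KerberosAssertion kerberosAssertion = new KerberosAssertion();

            // Impersonation level: the service may act as this client locally but cannot
            // forward the identity to a further hop (that would need Delegation).
            kerberosAssertion.KerberosTokenProvider =
                new KerberosTokenProvider(targetPrincipal, ImpersonationLevel.Impersonation);

            this.Assertions.Add(kerberosAssertion);
        }
    }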

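    /// <summary>
    /// Proxy that applies <see cref="MyPolicy"/> (Kerberos token, impersonation level) to
    /// every call it makes.
    /// </summary>
    class client : SoapClient
    {
        // Constructor: must be lower-case "public" and carry a parameter list; the original
        // "Public client {" does not compile.
        public client()
        {
            // Attach the code-built policy instead of a policy-file reference, so the Kerberos
            // settings travel with the proxy rather than the config file.
            base.SetPolicy(new MyPolicy());
        }
    }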

    ----------------Client Code End -----------------

    I think (hope) I'm on the right track, but obviously I am missing some sections, such as "protection".

    Can anyone help?

    Thanks,
    Alex.

    Thursday, May 18, 2006 7:13 AM

All replies

  • This is how we do it (special thanks to Lior Rozner and Lutz Roeder). Compared with the code in the question, the difference is that the Protection settings (what is signed and encrypted for request, response and fault) and RequireDerivedKeys are set, so the code-built policy matches the policy-file version:

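    /// <summary>
    /// Client-side WSE 3.0 policy equivalent to the "RemoteTaskSecurity" policy in the config
    /// file, built in code so the Kerberos target principal (SPN) can differ per service
    /// instead of being fixed in the policy file.
    /// </summary>
    class MyPolicy : Policy
    {
        /// <summary>Default SPN, kept so the parameterless constructor behaves as before.</summary>
        private const string DefaultTargetPrincipal = "host/server1";

        /// <summary>Builds the policy for the default target principal.</summary>
        public MyPolicy()
            : this(DefaultTargetPrincipal)
        {
        }

        /// <summary>Builds the policy for the service identified by <paramref name="targetPrincipal"/>.</summary>
        /// <param name="targetPrincipal">SPN of the service being called (e.g. "host/server1");
        /// the Kerberos ticket is requested for this principal, so it must name the intended
        /// service.</param>
        /// <exception cref="System.ArgumentException">Thrown when the principal is null or blank.</exception>
        public MyPolicy(string targetPrincipal)
        {
            if (targetPrincipal == null || targetPrincipal.Trim().Length == 0)
            {
                throw new System.ArgumentException("A Kerberos target principal (SPN) is required.", "targetPrincipal");
            }

            KerberosAssertion kerberosAssertion = new KerberosAssertion();

            // Impersonation level: the service may act as this client locally but cannot
            // forward the identity to a further hop (that would need Delegation).
            kerberosAssertion.KerberosTokenProvider =
                new KerberosTokenProvider(targetPrincipal, ImpersonationLevel.Impersonation);

            // Sign addressing headers, timestamp and body, and encrypt the body, in both
            // directions - mirrors the <protection> element of the config-file policy.
            SignatureOptions signed =
                SignatureOptions.IncludeAddressing | SignatureOptions.IncludeTimestamp | SignatureOptions.IncludeSoapBody;
            kerberosAssertion.Protection.Request.SignatureOptions = signed;
            kerberosAssertion.Protection.Request.EncryptBody = true;
            kerberosAssertion.Protection.Response.SignatureOptions = signed;
            kerberosAssertion.Protection.Response.EncryptBody = true;
            // Faults are signed but, as in the config file, not encrypted.
            kerberosAssertion.Protection.Fault.SignatureOptions = signed;
            kerberosAssertion.Protection.Fault.EncryptBody = false;

            // Sign/encrypt with keys derived from the Kerberos session key rather than the
            // session key itself (requireDerivedKeys="true" in the config file).
            kerberosAssertion.RequireDerivedKeys = true;

            // NOTE(review): the config-file policy also sets establishSecurityContext="false",
            // renewExpiredSecurityContext, requireSignatureConfirmation, messageProtectionOrder
            // and ttlInSeconds. If the service policy depends on any of them, set the matching
            // assertion properties here as well - verify against the service's policy file.

            this.Assertions.Add(kerberosAssertion);

            // The config-file policy also rejects messages without a WS-Addressing Action
            // header (<requireActionHeader />); keep that check in the code-built policy too.
            this.Assertions.Add(new RequireActionHeaderAssertion());
        }
    }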

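    /// <summary>
    /// Proxy whose outgoing calls are governed by <see cref="MyPolicy"/> (Kerberos token for
    /// the target service, signing/encryption settings).
    /// </summary>
    class client : SoapClient
    {
        /// <summary>
        /// Creates the proxy and attaches the code-built policy. Written as a real
        /// constructor: the original "Public client {" (capitalised keyword, no parameter
        /// list) does not compile.
        /// </summary>
        public client()
        {
            base.SetPolicy(new MyPolicy());
        }
    }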

     

    Tuesday, May 30, 2006 10:12 AM