WCF KerberosOverTransport Authentication Mode

  • Question

  • Can somebody please post an example of how I may use the KerberosOverTransport authentication mode?
    Wednesday, September 11, 2013 12:16 PM

Answers

  • Hi,

    Yes, we have this KerberosOverTransport mode in WCF.

    With this authentication mode, the client authenticates to the service using a Kerberos ticket. The Kerberos token appears at the SOAP layer as an endorsing supporting token; that is, a token that signs the message signature. The service is authenticated using an X.509 certificate at the transport layer.

    We can use it as:

    <binding name="Custom">
    <security authenticationMode="KerberosOverTransport" 
    .....
    </binding>
    


    For more information, please try to refer to:

    #SecurityBindingElement Authentication Modes:
    http://msdn.microsoft.com/en-us/library/aa751836.aspx .

    Best Regards,
    Amy Peng


    <THE CONTENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED>
    Thanks
    MSDN Community Support

    Please remember to "Mark as Answer" the responses that resolved your issue. It is a common way to recognize those who have helped you, and makes it easier for other visitors to find the resolution later.

    Friday, September 13, 2013 5:49 AM
    Moderator
  • Hi,

    I have seen your thread in Kerberos Over Https; please try to modify your configuration file as below to see if it helps:

    <bindings>
        <customBinding>
            <binding name="Kerberos (MsgHeader) over Transport (Certificate)">
                <textMessageEncoding messageVersion="Soap11" />
                <security authenticationMode="KerberosOverTransport">
                    <!-- the clock-skew settings are child elements of <security> -->
                    <localClientSettings maxClockSkew="00:10:00" />
                    <localServiceSettings maxClockSkew="00:10:00" />
                    <secureConversationBootstrap />
                </security>
                <httpsTransport requireClientCertificate="true" />
            </binding>
        </customBinding>
    </bindings>

    If it still does not help, please try to enable WCF tracing to find the cause.

    #How to enable WCF tracing:
    http://msdn.microsoft.com/en-us/library/ms733025.aspx .

    Best Regards,
    Amy Peng



    Thursday, September 19, 2013 7:22 AM
    Moderator
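
The binding from the answers above, built in code and used by a self-hosted service and a client, as an added example that is not part of the original thread. The `IEcho` contract, the address and the SPN are placeholder assumptions, and host and client share one process only to keep the example in a single file.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Text;

[ServiceContract]
public interface IEcho { [OperationContract] string Echo(string text); }

public class EchoService : IEcho
{
    // Reports the Windows identity WCF derived from the client's Kerberos token.
    public string Echo(string text)
    {
        return ServiceSecurityContext.Current.WindowsIdentity.Name + ": " + text;
    }
}

public static class Program
{
    // Code equivalent of the customBinding shown in the configuration above.
    static CustomBinding KerberosOverHttps()
    {
        TransportSecurityBindingElement security =
            SecurityBindingElement.CreateKerberosOverTransportBindingElement();
        // maxClockSkew belongs to the security element's local settings.
        security.LocalServiceSettings.MaxClockSkew = TimeSpan.FromMinutes(10);
        security.LocalClientSettings.MaxClockSkew = TimeSpan.FromMinutes(10);
        return new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8),
            // RequireClientCertificate is left false: the client authenticates with
            // Kerberos. Setting it to true also demands a TLS client certificate.
            new HttpsTransportBindingElement());
    }

    public static void Main()
    {
        // Assumes a server certificate is already bound to this port in HTTP.SYS.
        var address = new Uri("https://server.example.com:8443/echo"); // placeholder
        using (var host = new ServiceHost(typeof(EchoService)))
        {
            host.AddServiceEndpoint(typeof(IEcho), KerberosOverHttps(), address);
            host.Open();
            // The client requests its ticket for this SPN (placeholder value).
            var spn = EndpointIdentity.CreateSpnIdentity("HOST/server.example.com");
            var factory = new ChannelFactory<IEcho>(
                KerberosOverHttps(), new EndpointAddress(address, spn));
            Console.WriteLine(factory.CreateChannel().Echo("hello"));
            factory.Close();
        }
    }
}
```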

All replies

  • Is that a new mode (KerberosOverTransport) or are you talking about ClientCredentialType?

    If so, you should just set the binding to:

    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows"/>
    </security>

    - and ensure the server is trusted on AD.

    /Peter

    Thursday, September 12, 2013 1:04 PM
  • Hi,

    Thanks for your answer. I did pretty much the same as you said and what is mentioned in the MSDN articles. However, I have been trying desperately to host the service in a Windows Application without any success.

    Whenever I try to invoke a service method from the client, I get the following error:

    An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.

    And when I examine the inner fault message, it's:

    An error occurred when processing the security tokens in the message.

    I explained my problem in more detail at StackOverFlow: Kerberos Over Https if you don't mind taking a look at it.

    Anyways, I tried hosting the service on IIS and it worked, why? I don't know!


    • Edited by hiddenUser Friday, September 13, 2013 10:36 AM
    Friday, September 13, 2013 10:35 AM