none
Kerberos Token is not created. RRS feed

  • Question

  • I'm implementing kerberos authentication in web service, I’m calling webservice from wpf windows application. I have created wse3policyCache.config use WSE settings.

    Below is the code

    wse3policyCache.config

    <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">

      <extensions>

        <extension name="kerberosSecurity"

                   type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

        <extension name="kerberos"

                   type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

        <extension name="requireActionHeader"

                   type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

      </extensions>

     

      <policy name="KerberosClient">

        <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">

         

          <token >

            <kerberos targetPrincipal="host/INBLRN0143"    impersonationLevel="Impersonation" />

          </token>

          <protection>

            <request  signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"  encryptBody="true" />

            <response signatureOptions="IncludeAddressing,  IncludeTimestamp, IncludeSoapBody"  encryptBody="true" />

            <fault signatureOptions="IncludeAddressing,  IncludeTimestamp, IncludeSoapBody"      encryptBody="false" />

          </protection>

        </kerberosSecurity>

        <requireActionHeader />

      </policy>

    </policies>

    When I assign this policy to proxy class and called the webservice method, I’m getting exception     

    Service1 serviceProxy = new Service1();

    serviceProxy.SetPolicy("KerberosClient");

    WSE2351: Incorrect size for key material, expected 16 bytes.

    Pleasev help me, why I’m getting this error


    Wednesday, February 22, 2017 10:23 AM

All replies

  • Hi DeepakBangalore,

    Based on the error message, it seems to be related with cryptographic, and I suggest you check whether below link is helpful.

    # WSE UNIX Kerberos Authentication: Getting Rid of Error WSE2351

    https://www.codeproject.com/articles/17699/wse-unix-kerberos-authentication-getting-rid-of-er

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, February 23, 2017 2:49 AM
  • Hi Edward,

    The above link is not helping me to solve the problem

    Now I'm not using Config file, I'm creating "KerberosClient" by code only.

    Public Void Method1()

    {

     Service1 serviceProxy = new Service1();

      serviceProxy.UseDefaultCredentials = true;

     serviceProxy.RequireMtom = true;

                               

     

                                 KerberosAssertion assertion = new KerberosAssertion();

     

                                 KerberosToken token = GetSecurityToken();

                                                                                     

                            

                                assertion.EstablishSecurityContext = false;

                                 assertion.RenewExpiredSecurityContext = true;

                                 assertion.RequireSignatureConfirmation = false;

                                 assertion.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;

                                 assertion.RequireDerivedKeys = true;

                                 assertion.TtlInSeconds = 300;

                                 assertion.Protection.Request.SignatureOptions = Microsoft.Web.Services3.Security.SignatureOptions.IncludeAddressing;

                                 assertion.Protection.Request.SignatureOptions = Microsoft.Web.Services3.Security.SignatureOptions.IncludeTimestamp;

                                 assertion.Protection.Request.SignatureOptions = Microsoft.Web.Services3.Security.SignatureOptions.IncludeSoapBody;

                                 assertion.Protection.Request.EncryptBody = true;

                                 assertion.Protection.Response.SignatureOptions = Microsoft.Web.Services3.Security.SignatureOptions.IncludeAddressing;

                                 assertion.Protection.Response.SignatureOptions = Microsoft.Web.Services3.Security.SignatureOptions.IncludeTimestamp;

                                 assertion.Protection.Response.SignatureOptions = Microsoft.Web.Services3.Security.SignatureOptions.IncludeSoapBody;

                                 assertion.Protection.Response.EncryptBody = true;

                                 assertion.Protection.Fault.SignatureOptions = Microsoft.Web.Services3.Security.SignatureOptions.IncludeAddressing;

                                 assertion.Protection.Fault.SignatureOptions = Microsoft.Web.Services3.Security.SignatureOptions.IncludeTimestamp;

                                 assertion.Protection.Fault.SignatureOptions = Microsoft.Web.Services3.Security.SignatureOptions.IncludeSoapBody;

                                 assertion.Protection.Fault.EncryptBody = false;

                   

             

                 

                                 serviceProxy.SetClientCredential(token);                     

                  

                                 Policy policy = new Policy();

                                 policy.Assertions.Add(assertion);

                                 serviceProxy.SetPolicy(policy);

                                                     

                                string str = serviceProxy.HelloWorld();

      }

      KerberosToken GetSecurityToken()

            {

             

               

                KerberosToken securityToken = new KerberosToken(“host/INBLRN0143”, ImpersonationLevel.Impersonation);

             

                return securityToken;

            }

    But what happened, When I Debug the line   KerberosToken token = GetSecurityToken();

    and see the token object in watch window, Key through the exception

    Key = 'securityToken.Key' threw an exception of type 'System.ArgumentException'

    But after refreshing the token object, it create the key

     

    Key = {Microsoft.Web.Services3.Security.Cryptography.AES128}

    I don't understand why this kind of error is coming.

    Thursday, February 23, 2017 3:59 AM
  • Hi DeepakBangalore,

    Thanks for your post, I made a test with below code, and I could reproduce your issue.

                KerberosToken securityToken = new KerberosToken("host/" + System.Net.Dns.GetHostName(), ImpersonationLevel.Impersonation);
                var key= securityToken.Key;
    

    I will try to discuss with other members, if there is any update, I will come back as soon as possible.

    Thanks for your understanding.

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, February 27, 2017 6:17 AM
  • Dear forum user,

    Your question falls into a category which requires a more in-depth level of support.  Please visit the below link to see the various free and paid support options that are available to better meet your needs. http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone

    Following is some link for your reference:

    http://www.ikriv.com/dev/dotnet/KerberosWse.html

    https://msdn.microsoft.com/en-us/library/ms242197.aspx

    https://msdn.microsoft.com/en-us/library/aa732802.aspx

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, March 1, 2017 2:16 AM
  • Hi,

    The link you have given as reference that is not matching my requirement.

    Please let me know in which forum I will ask the question.

    Wednesday, March 1, 2017 4:48 AM
  • Hi,

    I just I want to know, Is this issue due to, some setting is not set in active directory?

    As mentioned in below link

    https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/

    and I'm using the default SPN, like "Host/MachineName".

    Wednesday, March 1, 2017 5:44 AM
  • Hi,

    If anyone knows, Please help me, to resolve this issue.

    Thanks in advance.

    Thursday, March 2, 2017 11:37 AM
  • Hi Edward,

    Have you got any solutions?

    Thanks

    Deepak Sharma

    Friday, March 10, 2017 6:39 AM