[MS-MDE] Windows 8.1: How do I configure my WCF service to understand the BinarySecurityToken of the GetPolicies Request?

  • Question

  • Hi

    I am asking this question in order to implement the service that serves the GetPolicies request during Windows 8.1 enrollment.

    Windows DM client is sending the token issued by STS as a BinarySecurityToken with custom ValueType and EncodingType. How do I configure my service binding, so that I can write the Custom validator or use the existing WS-Security validators?

    Here I am posting a part of the Request header that shows the <security> tag. 

    <wsse:Security s:mustUnderstand="1">
    <wsse:BinarySecurityToken ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">

    I am not finding a way to make my service understand this SOAP message using HTTP bindings; I even tried to use a custom wsHttpBinding. Is there a way you can suggest?

    Note: I am trying to create a .NET WCF service that serves this SOAP request.

    Thanks

    Tuesday, January 28, 2014 9:35 AM

All replies

  • Hi,

    If I do not misunderstand you, you will need to create the binding from code.

            // Namespaces this snippet needs:
            using System.ServiceModel;
            using System.ServiceModel.Channels;
            using System.ServiceModel.Security.Tokens;
            using System.Text;

            var b = new CustomBinding();
            // Mutual-certificate message security (WS-Security 1.0)
            var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
            // Signed supporting token carried alongside the certificates
            sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
            sec.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            sec.IncludeTimestamp = true;
            sec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;

            // Order matters: security, then encoding, then transport
            b.Elements.Add(sec);
            b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
            b.Elements.Add(new HttpTransportBindingElement());

    (Some of the values are estimated, since I cannot tell from your post which SOAP version you use or whether SSL is applied.)

    Another gotcha you may run into later is that you need to have ProtectionLevel.SignOnly on your ServiceContract attributes, but this is not related to this question.

    Best Regards,
    Amy Peng



    Wednesday, January 29, 2014 4:34 AM
    Moderator
  • What if I have to deal with a custom XML token and do not want to deal with certificates for validation? How will I be able to specify the custom token, and how do I define it in the custom binding?
    Wednesday, January 29, 2014 9:54 AM
  • Even if I add an X.509 certificate in the bindings for validation, will it recognize the ValueType defined in the request? It is nowhere mentioned in the request that the validation type is certificate-based?
    Monday, February 3, 2014 9:05 AM
  • Hi Sumanth, were you able to solve this issue? Would appreciate any help! - Thank you!
    Thursday, May 3, 2018 7:39 AM
  • Hi Amy, your code helps create the request. I think the requirement is to be able to handle such a request in a WCF service. Any leads on how the service should handle such a request? What could the WCF config look like? Thanks!
    Thursday, May 3, 2018 7:41 AM
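
An added example, not part of any post in this thread and not taken from MS-MDE: one way a service can read the header shown in the question by hand, checking the ValueType and EncodingType before decoding the token. The class name, the SOAP 1.2 envelope namespace and the binding of the wsse prefix to the WS-Security 1.0 secext namespace are assumptions, and the sample envelope is constructed.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Xml;
using System.Xml.Linq;

static class EnrollmentTokenReader // hypothetical name
{
    // Assumption: the wsse prefix is bound to the WS-Security 1.0 secext namespace.
    static readonly XNamespace Wsse =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string ExpectedValueType =
        "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken";
    const string Base64Binary =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";

    // Returns the decoded token bytes; throws on anything other than the expected header shape.
    public static byte[] ExtractToken(string soapEnvelope)
    {
        // Untrusted XML: refuse DTDs and external resolution.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        XDocument doc;
        using (var reader = XmlReader.Create(new StringReader(soapEnvelope), settings))
            doc = XDocument.Load(reader);

        var tokens = doc.Descendants(Wsse + "Security")
                        .Elements(Wsse + "BinarySecurityToken").ToList();
        if (tokens.Count != 1)
            throw new InvalidDataException("Expected exactly one BinarySecurityToken.");
        if ((string)tokens[0].Attribute("ValueType") != ExpectedValueType)
            throw new InvalidDataException("Unexpected ValueType.");
        if ((string)tokens[0].Attribute("EncodingType") != Base64Binary)
            throw new InvalidDataException("Unexpected EncodingType.");
        // Convert.FromBase64String throws FormatException on malformed input.
        return Convert.FromBase64String(tokens[0].Value.Trim());
    }

    static void Main()
    {
        // Constructed sample; the token value is a placeholder, not a real STS token.
        string token = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes("constructed-token"));
        string envelope =
            "<s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:wsse=\"" + Wsse.NamespaceName + "\">" +
            "<s:Header><wsse:Security s:mustUnderstand=\"1\">" +
            "<wsse:BinarySecurityToken ValueType=\"" + ExpectedValueType + "\" EncodingType=\"" + Base64Binary + "\">" +
            token + "</wsse:BinarySecurityToken></wsse:Security></s:Header><s:Body/></s:Envelope>";
        byte[] raw = ExtractToken(envelope);
        // Decoding is not validation: the bytes still have to be verified as issued by the STS.
        Console.WriteLine("Token bytes: " + raw.Length);
    }
}
```

Because the header carries s:mustUnderstand="1", a WCF service that reads it this way also has to account for that header itself, for example through ServiceBehaviorAttribute.ValidateMustUnderstand.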