Ok - now my requirements have changed. I need to get specific user
credentials from the client app.
I've implemented a solution using a username token, which is encrypted with
an X509 certificate (the WSE Quickstart cert). It appears to be using
Windows Integrated security - valid credentials work, invalid credentials
don't. Everything works fine until I associate a custom token manager with
the service (custom token inherits from "SecurityToken" - is this correct?).
Now I get an error stating "...the security header is not present in the
incoming message...."
The Server policy looks like this:
<policy name="UsernameToken Policy 1">
  <usernameForCertificateSecurity establishSecurityContext="false"
      renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
      messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
      ttlInSeconds="300">
    <serviceToken>
      <x509 storeLocation="LocalMachine" storeName="My"
          findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" />
    </serviceToken>
    <protection>
      <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
      <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
      <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
    </protection>
  </usernameForCertificateSecurity>
  <requireActionHeader />
</policy>
The "policy name" matches the "policy" attribute on the actual service class.
The client's code to set up the token looks like this:
' Build the username token from the login form and attach it to the WSE proxy
Dim tkn As New UsernameToken(txtLogin.Text, txtPassword.Text, _
                             PasswordOption.SendPlainText)
Dim oProxy As New TestClient.ws.APIServiceWse
oProxy.SetClientCredential(Of UsernameToken)(tkn)
oProxy.SetPolicy("Test - Username token")
The X509 Certificate can be found in both the "Personal" and "Trusted
People" folders in the Current User Store.
Any suggestions?
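For comparison with the custom manager described above: in WSE 3.0 a custom username token manager is a class derived from Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager that overrides AuthenticateToken, and it is mapped to the UsernameToken type in web.config. This is an added example, not code from the thread or from WSE itself; the namespace, class and assembly names and the credential store are constructed, and the config fragment in the leading comment is the element layout I assume for WSE 3.0.

```vb
' Server-side custom username token manager for WSE 3.0 (constructed example).
' WSE finds it through web.config; the mapping below is assumed, not taken
' from the thread:
'   <microsoft.web.services3><security><securityTokenManager>
'     <add type="ApiService.ApiUsernameTokenManager, ApiService"
'          localName="UsernameToken"
'          namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
'   </securityTokenManager></security></microsoft.web.services3>
Imports System
Imports System.Collections.Generic
Imports Microsoft.Web.Services3.Security
Imports Microsoft.Web.Services3.Security.Tokens

Namespace ApiService
    Public Class ApiUsernameTokenManager
        Inherits UsernameTokenManager

        ' Constructed in-memory credential store standing in for a real
        ' directory or database lookup; the values are hypothetical.
        Private Shared ReadOnly Credentials As Dictionary(Of String, String) = BuildStore()

        Private Shared Function BuildStore() As Dictionary(Of String, String)
            Dim store As New Dictionary(Of String, String)(StringComparer.Ordinal)
            store.Add("apiuser", "S3cret-Sample")
            Return store
        End Function

        ' WSE calls this for each inbound UsernameToken after the security header
        ' has been decrypted with the service certificate. The manager returns the
        ' password it holds for the user; WSE compares that with what the client
        ' sent (plain text here, a digest when the client uses SendHashed) and
        ' raises a FailedAuthentication fault on mismatch.
        Protected Overrides Function AuthenticateToken(ByVal token As UsernameToken) As String
            If token Is Nothing Then
                Throw New ArgumentNullException("token")
            End If

            Dim password As String = Nothing
            If Not Credentials.TryGetValue(token.Username, password) Then
                ' Same fault code and message for an unknown user as for a wrong
                ' password, so the response does not reveal which usernames exist.
                Throw New SecurityFault("Authentication failed", _
                                        SecurityFault.FailedAuthenticationCode)
            End If
            Return password
        End Function
    End Class
End Namespace
```

Because AuthenticateToken has to hand WSE the password it knows for the user, this design presupposes a credential store that can return that value, so the store itself needs the same protection as the service certificate's private key.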
"Sid DeLuca" wrote:
Thanks for the reply, Pablo. I'll check the trace logs.
"Pablo Cibraro" wrote:
Hi Sid,
At first glance, I think the client is not sending the right tokens or some
security headers are wrong. Did you check the service trace to see if the
security headers are arriving in the inbound messages?
Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
[MVP - Connected Systems Developer]
"Sid DeLuca" <Si*******@discussions.microsoft.com> wrote in message
news:09**********************************@microsoft.com...
> I am developing a smart client application in which I intend to use role-based
> authentication using X509 certificates. That is, each client would have a
> certificate that would uniquely identify them, via mapping of the thumbprint
> hash on each certificate with a role.
>
> I've got my own class that inherits from the X509SecurityTokenManager. When
> the smart client (Windows App) calls a webmethod, this class is initialized,
> but the AuthenticateToken method is never entered.
>
> A call to RequestSoapContext.Current.Security does provide a valid X509
> token. The result of the webmethod call throws back my own SOAP exception
> because the caller cannot be authenticated.
>
> Any suggestions?