WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent


WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent sumaira.ahmad NO[at]SPAM gmail.com
11/17/2004 8:59:57 AM
dotnet web services enhancements:
Hi,

Please help me solve this problem. This is very urgent, I have to
demo it tomorrow and need to fix it before tomorrow.

I am using WS Secure Conversation and am using a Username Token to
sign the initial request from the client to the token issuer
for a SecurityContextToken.
I would like to encrypt the UsernameToken before sending it across.
My code patch is as below:

SecurityToken token = new UsernameToken(t_username.Text, t_password.Text,
                                        PasswordOption.SendPlainText);

// Create a SecurityContextTokenServiceClient that will get the SecurityContextToken
string secureConvEndpoint = ConfigurationSettings.AppSettings["tokenIssuer"];
SecurityContextTokenServiceClient client =
    new SecurityContextTokenServiceClient(new Uri(secureConvEndpoint));

// Retrieve the server's certificate as the token to encrypt to
SecurityToken issuerToken = GetServerTokenForEncryption();

// Encrypt the UsernameToken (referenced by its Id) in the security token request
client.RequestSoapContext.Security.Elements.Add(
    new EncryptedData(issuerToken, string.Format("#{0}", token.Id)));

// Request the token, using the UsernameToken as the base
SecurityContextToken sct = client.IssueSecurityContextTokenAuthenticated(token, issuerToken);


But somehow I am not able to access the RequestSoapContext of the
client proxy.
It gives me error:
'Microsoft.Web.Services2.Security.SecurityTokenServiceClient.RequestSoapContext'
is inaccessible due to its protection level

I cannot send the password as hashed because I am authenticating
against ADAM hence password has to go as plain text.

Can someone tell me how I can access the RequestSoapContext of the
proxy so that I can encrypt the UsernameToken that is carried in the
SOAP Header to the token issuer.
Please help me. I have an urgent demonstration to show tomorrow and
need to get it to work.

PLEASE PLEASE HELP ME...
Regards,
Re: WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent Martin Kulov
11/19/2004 2:24:30 AM
Hi Sumaira,

I had this problem two months ago when I prepared a presentation also. It seems that WSE is unable to encrypt the UsernameToken in this version. As Hervey pointed out there will be progress in this area in WSE SP2 which we expect to be available very soon. I hope your demo went smoothly though.

Best regards,

Martin Kulov
www.codeattest.com
Re: WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent sumaira.ahmad NO[at]SPAM gmail.com
11/19/2004 10:30:09 AM
Martin,

Thanks for replying. So how did you plan to go about sending the
password or UsernameToken in encrypted/hashed form? Did you find a
solution to it, or did you have a workaround?
Please let me know. I haven't been able to figure out what to do. I
would really appreciate your reply.
Thanks,
Sumaira

Re: WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent Martin Kulov
11/19/2004 5:26:04 PM
Hi Sumaira,

Well I have not found a solution yet. I just gave my presentation and told them 'it is really nice to use UsernameToken, but for now, as you see, it requires SSL for initiating the conversation. Go now and start using it and by the time you are prepared there will be a solution for encrypting the token.' :).
That's it.

HTH,
Martin Kulov
www.codeattest.com

Re: WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent Softwaremaker
11/21/2004 8:22:36 AM
1) You can send the password in hash or encrypted form via the
passwordoption enum

2) You can also send the usernametoken in encrypted form as well.
http://www.softwaremaker.net/blog/PermaLink,guid,43d85031-3e0b-48a7-bdd7-1f49932db40a.aspx

hth.
--
Thank you.

Regards,
Softwaremaker


Re: WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent Martin Kulov
11/21/2004 9:10:21 AM

What is this enum value?


Martin Kulov
www.codeattest.com
Re: WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent Henning Krause [MVP]
11/21/2004 11:12:44 AM
Hello,

http://www.softwaremaker.net/blog/PermaLink,guid,43d85031-3e0b-48a7-bdd7-1f49932db40a.aspx

The problem with this approach is that the server must have a certificate.

While the certificate itself is not a problem for me, the circumstance that
the client program must know the public key of that certificate is certainly
one.

And hardcoding the public key into the client is not an option for me.

What I would like to do is the following:

1. Client requests the server public key from a special webservice on the
server.
2. Client encrypts the Usernametoken with the servers public key and signs
it with its own private key.
3. The Server creates a security token and encrypts it with the clients
public key.
4. The client uses this security token to call the webservice.

After step 2, both actors have exchanged their public keys, thus they can
protect the entire communication. I would create the key pairs on each
application start.

Ideally this would be implemented with WS-SecureConversation.

Apropos WS-SecureConversation: does WSE implement some sort of
sequence numbering in WS-SC? I only saw a relatively short ticket lifetime as
replay detection, whereas the WS-SC specification mentions sequence
numbering.

So, is that even possible and what must I do to asymmetrically encrypt the
SecurityContextToken with my own public/private key pair?

Greetings,
Henning Krause [MVP]


Re: WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent Henning Krause [MVP]
11/21/2004 8:32:32 PM
Hello,

this enumeration allows you to specify how the password is sent over the
wire: Either in cleartext or a hashed version or not sent at all.

If you are using the first option (Unencrypted) you should secure the
password by other means, i.e. with SSL/TLS or an X.509 certificate.

Greetings,
Henning Krause [MVP]
==========================
Visit my website: http://www.infinitec.de
Try my free Exchange Explorer: Mistaya
(http://www.infinitec.de/?page=products)



Re: WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent Martin Kulov
11/21/2004 11:47:23 PM
Hi Henning,

I am aware that there is enumeration for setting password in clear text or hashed value. I did not understand what is its value for sending it in encrypted form.

So what is the value of the enum for sending the password in encrypted form.

Thanks,
Martin Kulov
www.codeattest.com
Re: WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent Henning Krause [MVP]
11/22/2004 10:44:31 AM
Hello,

you can't. That enumeration has the three values I outlined before: None,
Hashed, Plaintext.

If you want to encrypt it, you must encrypt the usertoken with an X.509
Certificate or similar.

Greetings,
Henning Krause [MVP]

Re: WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent sumaira.ahmad NO[at]SPAM gmail.com
11/22/2004 7:07:57 PM
The problem with WS secure conversation is this:

When you want to send the password as PlainText (because you are
authenticating against Active Directory or SQL, which requires the PlainText
password option), there is no way of encrypting the UsernameToken.

In Normal scenario if you want to send the password in Plain Text, you
encrypt the username token as follows:

// Encrypt the UsernameToken element (referenced by its Id) with the server's token
EncryptedData encrypted = new EncryptedData(encrToken, "#" + usernameToken.Id);
proxy.RequestSoapContext.Security.Elements.Add(encrypted);

But in Secure Conversation there is a bug( according to me).

See code below

// Create a SecurityContextTokenServiceClient that will get the SecurityContextToken
string secureConvEndpoint = ConfigurationSettings.AppSettings["tokenIssuer"];
SecurityContextTokenServiceClient client =
    new SecurityContextTokenServiceClient(new Uri(secureConvEndpoint));

Now ideally you should be able to do this:

client.RequestSoapContext.Security.Elements.Add(
    new EncryptedData(issuerToken, string.Format("#{0}", usernameToken.Id)));

But when I do this, it says:
that the RequestSoapContext of client is a protected member and hence
cannot be accessed.

Now the next option would be to encrypt ONLY the password using X.509
certs or whatever and add it to the UsernameToken, and send the
UsernameToken as it is. Then on the server it should decrypt it.
Is that possible? I haven't tried it yet. Can you suggest a workaround
(other than SSL)?
Please let me know. I have spent God knows how many days trying to
find a solution to it.

Thanks,
Sumaira


Re: WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent sumaira.ahmad NO[at]SPAM gmail.com
11/22/2004 7:30:17 PM
All examples on WSE Secure Conversation, wherein we have to use a
token issuer, show you can access the RequestSoapContext for a
SecurityTokenServiceClient proxy, but as per

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wseref/html/P_Microsoft_Web_Services2_Security_SecurityTokenServiceClient_RequestSoapContext.asp

it is a protected member? Sorry if this is a foolish question, but
is there any way of changing its property to public from protected?

Thanks,
Sumaira

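One way round the protected member, as an added example written for this note rather than code from the thread or from WSE itself: derive from SecurityContextTokenServiceClient (assumed here not to be sealed) so the subclass can reach RequestSoapContext, then add the EncryptedData element that Sumaira's two 11/22 posts describe before issuing the token. The names EncryptingSctClient, OutgoingContext, SctHelper and the issuerCert parameter are this example's own, and whether the issuer honours the element in a given WSE build is the open question the thread leaves.

```csharp
using System;
using System.Configuration;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;
using Microsoft.Web.Services2.Security.X509;

// Added example, not code from the thread. Assumes SecurityContextTokenServiceClient
// is not sealed, so a derived class can reach the protected RequestSoapContext.
public class EncryptingSctClient : SecurityContextTokenServiceClient
{
    public EncryptingSctClient(Uri issuer) : base(issuer) { }

    // Re-expose the protected context so the caller can add EncryptedData
    // elements before the RequestSecurityToken message is sent.
    public SoapContext OutgoingContext
    {
        get { return RequestSoapContext; }
    }
}

public class SctHelper
{
    // issuerCert: the token issuer's certificate (only its public key is used here);
    // how it is obtained is left to the caller, as with GetServerTokenForEncryption().
    public static SecurityContextToken IssueWithEncryptedCredentials(
        string username, string password, X509Certificate issuerCert)
    {
        // The directory needs the clear password, so SendPlainText is kept and
        // the whole UsernameToken element is encrypted to the issuer instead.
        UsernameToken userToken =
            new UsernameToken(username, password, PasswordOption.SendPlainText);
        X509SecurityToken issuerToken = new X509SecurityToken(issuerCert);

        string endpoint = ConfigurationSettings.AppSettings["tokenIssuer"];
        EncryptingSctClient client = new EncryptingSctClient(new Uri(endpoint));

        // Target the UsernameToken by its wsu:Id; only the issuer's private key
        // can recover the credentials from the resulting EncryptedData element.
        client.OutgoingContext.Security.Elements.Add(
            new EncryptedData(issuerToken, "#" + userToken.Id));

        return client.IssueSecurityContextTokenAuthenticated(userToken, issuerToken);
    }
}
```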
Re: WS Secure Conversation -UsernameToken Encryption- PLEASE PLEASE HELP ME-Very urgent Softwaremaker
11/23/2004 6:16:21 PM
Sorry, my mistake. I meant hash, plain text or no-show password. I wonder
how the word encrypted got in there....hmmm...

Thanks.