dotnet web services enhancements: UserName token Access denied smart client -- dotnet web services enhancements

You're in the

dotnet web services enhancements

group:

UserName token Access denied smart client

Rob Thomson
12/2/2004 10:29:11 PM

dotnet web services enhancements: This is a multi-part message in MIME format.

------=_NextPart_000_0016_01C4D8BE.58DB4F10
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi
Has anyone got any pointers to the following problem Im trying to use =
WSE to pass user credentials to a web service, and Im getting =
404's.....Ive bolded below to help with reading...thanks

(Environment SmartClient, calls proxy calls web service, on VS.NET 2003, =
WSE2, Win2k)

I have a webservice whose anonymous is disabled and allows basic text =
and windows auth. I am validating against local users and groups. Its =
config file contains:

<webServices>
<soapExtensionTypes>
<add type=3D"Microsoft.Web.Services2.WebServicesExtension, =
Microsoft.Web.Services2,Version=3D2.0.0.0, Culture=3Dneutral, =
PublicKeyToken=3D31bf3856ad364e35"
priority=3D"1"=20
group=3D"0"/>
</soapExtensionTypes>
</webServices>

My proxy inherits from =
Microsoft.Web.Services2.WebServicesClientProtocol
When I call the proxy I add:=20
new UsernameToken("username", "password", PasswordOption.SendPlainText =
);
SoapContext requestContext =3D prox.RequestSoapContext;=20
requestContext.Security.Tokens.Add(userToken);

If I set the proxy.Credentials to the current user it works and dont use =
the usertoken I get through, if I user the security token and the proxy =
credentials then I get:

An unhandled exception of type =
'System.Web.Services.Protocols.SoapHeaderException' occurred in =
system.web.services.dll

Additional information: Microsoft.Web.Services2.Security.SecurityFault: =
The security token could not be authenticated or authorized
at =
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.OnLogonUserF=
ailed(UsernameToken token)
at =
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.LogonUser(Us=
ernameToken token)
at =
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.Authenticate=
Token(UsernameToken token)
at =
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.VerifyToken(=
SecurityToken securityToken)
at =
Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.LoadXmlSecur=
ityToken(XmlElement element)
at =
Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.GetTokenFrom=
Xml(XmlElement element)
at Microsoft.Web.Services2.Security.Security.LoadToken(XmlElement =
element, SecurityConfiguration configuration, Int32& tokenCount)
at Microsoft.Web.Services2.Security.Security.LoadXml(XmlElement =
element)
at =
Microsoft.Web.Services2.Security.SecurityInputFilter.ProcessMessage(SoapE=
nvelope envelope)
at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope =
envelope)
at =
Microsoft.Web.Services2.WebServicesExtension.BeforeDeserializeServer(Soap=
ServerMessage message)

Any pointers as to how to debug this or what Im doing wrong

Thanks

------=_NextPart_000_0016_01C4D8BE.58DB4F10
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1479" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY>
<DIV><FONT face=3DArial size=3D2>Hi</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Has anyone got any pointers to the =
following=20
problem Im trying to use WSE to pass user credentials to a web service, =
and Im=20
getting 404's.....Ive bolded below to help with =
reading...thanks</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>(Environment SmartClient, calls proxy =
calls web=20
service, on VS.NET 2003, WSE2, Win2k)</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2><STRONG>I have a webservice whose =
anonymous is=20
disabled and allows basic text and windows auth. I am validating against =
local=20
users and groups. Its config file contains:</STRONG></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2> =20
<webServices><BR>        =20
<soapExtensionTypes><BR>       &=
nbsp;   =20
<add type=3D"Microsoft.Web.Services2.WebServicesExtension,=20
Microsoft.Web.Services2,Version=3D2.0.0.0, Culture=3Dneutral,=20
PublicKeyToken=3D31bf3856ad364e35"<BR>     &nbsp=
;            =
=20
priority=3D"1"=20
<BR>           &nb=
sp;      =20
group=3D"0"/><BR>        =20
</soapExtensionTypes><BR>     =20
</webServices></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2><STRONG>My proxy inherits from =20
Microsoft.Web.Services2.WebServicesClientProtocol</STRONG><BR><STRONG>Whe=
n I=20
call the proxy I add: <BR></STRONG>new UsernameToken("username", =
"password",=20
PasswordOption.SendPlainText );<BR>SoapContext requestContext =3D=20
prox.RequestSoapContext;=20
<BR>requestContext.Security.Tokens.Add(userToken);</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2><STRONG>If I set the proxy.Credentials =
to the=20
current user it works and dont use the usertoken I get through, if I =
user the=20
security token and the proxy credentials then I =
get:</STRONG></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>An unhandled exception of type=20
'System.Web.Services.Protocols.SoapHeaderException' occurred in=20
system.web.services.dll</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Additional information:=20
Microsoft.Web.Services2.Security.SecurityFault: The security token could =
not be=20
authenticated or authorized<BR>   at=20
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.OnLogonUserF=
ailed(UsernameToken=20
token)<BR>   at=20
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.LogonUser(Us=
ernameToken=20
token)<BR>   at=20
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.Authenticate=
Token(UsernameToken=20
token)<BR>   at=20
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.VerifyToken(=
SecurityToken=20
securityToken)<BR>   at=20
Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.LoadXmlSecur=
ityToken(XmlElement=20
element)<BR>   at=20

RE: UserName token Access denied smart client

danro NO[at]SPAM microsoft.com
12/3/2004 3:41:18 AM

------=_NextPart_0001_CEC334AC
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Hi Rob,

I think what is happening is that you are trying to get a WSE username
token security to interop with basic authentication. This is not going to
automatically work. Basic Auth and Windows Auth both rely on existing HTTP
request mechanisms to let IIS authenticate the user credentials supplied
against the servers AD store or local security hive. WSE username token
authentication is an application level authentication mechanism that
requires WSE 2.0 to participate on both sides - both in the client, in in
your application's service code. Username Tokens are not authenticated
automatically, and require that the service participate in looking up the
credentials in a private database - not related to windows. If the
credentials match, you tell WSE that they do match by giving the WSE
infrastructure on the service side the plain text password for the
credential passed. WSE then compares the two, and if they match, the
method call is made.

Please see the examples for WSE 2.0 username token authentication that ship
with WSE 2.0 SP1. These should help you.

I hope this helps

Dan Rogers
Microsoft Corporation
--------------------
From: "Rob Thomson" <new@rjtt64.plus.com>
Subject: UserName token Access denied smart client
Date: Thu, 2 Dec 2004 22:29:11 -0000
Lines: 193
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0016_01C4D8BE.58DB4F10"
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Message-ID: <#wSOU6L2EHA.1264@TK2MSFTNGP12.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
NNTP-Posting-Host: rjtt64.plus.com 80.229.24.151
Path:
cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12
.phx.gbl
Xref: cpmsftngxa10.phx.gbl
microsoft.public.dotnet.framework.webservices.enhancements:5012
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements

Hi
Has anyone got any pointers to the following problem Im trying to use WSE
to pass user credentials to a web service, and Im getting 404's.....Ive
bolded below to help with reading...thanks
(Environment SmartClient, calls proxy calls web service, on VS.NET 2003,
WSE2, Win2k)
I have a webservice whose anonymous is disabled and allows basic text and
windows auth. I am validating against local users and groups. Its config
file contains:
<webServices>
<soapExtensionTypes>
<add type="Microsoft.Web.Services2.WebServicesExtension,
Microsoft.Web.Services2,Version=2.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35"
priority="1"
group="0"/>
</soapExtensionTypes>
</webServices>
My proxy inherits from Microsoft.Web.Services2.WebServicesClientProtocol
When I call the proxy I add:
new UsernameToken("username", "password", PasswordOption.SendPlainText );
SoapContext requestContext = prox.RequestSoapContext;
requestContext.Security.Tokens.Add(userToken);
If I set the proxy.Credentials to the current user it works and dont use
the usertoken I get through, if I user the security token and the proxy
credentials then I get:
An unhandled exception of type
'System.Web.Services.Protocols.SoapHeaderException' occurred in
system.web.services.dll
Additional information: Microsoft.Web.Services2.Security.SecurityFault: The
security token could not be authenticated or authorized
at
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.OnLogonUserFail
ed(UsernameToken token)
at
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.LogonUser(Usern
ameToken token)
at
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.AuthenticateTok
en(UsernameToken token)
at
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.VerifyToken(Sec
urityToken securityToken)
at
Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.LoadXmlSecurity
Token(XmlElement element)
at
Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.GetTokenFromXml
(XmlElement element)
at Microsoft.Web.Services2.Security.Security.LoadToken(XmlElement
element, SecurityConfiguration configuration, Int32& tokenCount)
at Microsoft.Web.Services2.Security.Security.LoadXml(XmlElement element)
at
Microsoft.Web.Services2.Security.SecurityInputFilter.ProcessMessage(SoapEnve
lope envelope)
at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope
envelope)
at
Microsoft.Web.Services2.WebServicesExtension.BeforeDeserializeServer(SoapSer
verMessage message)
Any pointers as to how to debug this or what Im doing wrong
Thanks

------=_NextPart_0001_CEC334AC
Content-Type: text/x-rtf
Content-Transfer-Encoding: 7bit

{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\f0\fs20 Hi Rob,
\par
\par I think what is happening is that you are trying to get a WSE username token security to interop with basic authentication. This is not going to automatically work. Basic Auth and Windows Auth both rely on existing HTTP request mechanisms to let IIS authenticate the user credentials supplied against the servers AD store or local security hive. WSE username token authentication is an application level authentication mechanism that requires WSE 2.0 to participate on both sides - both in the client, in in your application's service code. Username Tokens are not authenticated automatically, and require that the service participate in looking up the credentials in a private database - not related to windows. If the credentials match, you tell WSE that they do match by giving the WSE infrastructure on the service side the plain text password for the credential passed. WSE then compares the two, and if they match, the method call is made.
\par
\par Please see the examples for WSE 2.0 username token authentication that ship with WSE 2.0 SP1. These should help you.
\par
\par I hope this helps
\par
\par Dan Rogers
\par Microsoft Corporation
\par \pard\li720 --------------------
\par From: "Rob Thomson" <new@rjtt64.plus.com>
\par Subject: UserName token Access denied smart client
\par Date: Thu, 2 Dec 2004 22:29:11 -0000
\par Lines: 193
\par MIME-Version: 1.0
\par Content-Type: multipart/alternative;
\par \tab boundary="----=_NextPart_000_0016_01C4D8BE.58DB4F10"
\par X-Priority: 3
\par X-MSMail-Priority: Normal
\par X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
\par X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
\par Message-ID: <#wSOU6L2EHA.1264@TK2MSFTNGP12.phx.gbl>
\par Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
\par NNTP-Posting-Host: rjtt64.plus.com 80.229.24.151

Re: UserName token Access denied smart client

Dilip Krishnan
12/3/2004 7:05:41 AM

Hello Rob,
Theres two aspects to what you're trying to do
1. Transport level authentication
2. Web service authentication.

The situation which you described as a working version is the transport level
authentication. WSE provides default windows authenication using username
token manager. May be you could try adding the domain qualified username
to the token manager i.e. DOMAIN\user

Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com

[quoted text, click to view]

Got something to say? Click here to post a reply to this thread.

Don't see what you're looking for? Try a search.

View other messages in the dotnet web services enhancements group.

home · blog · groups

Questions? Comments? Contact the dn