so well. Well I am so relieved...
Niels Flensted-Jensen <Niels Flensted-Jensen@discussions.microsoft.com> wrote in message news:<48E21F8B-3CC5-438E-99E9-56094A69B48F@microsoft.com>...
> Hi Sumaira,
>
> I'm actually working the same problem, and it seems the only solution
> requires you to transfer the password in clear text in the SOAP message from
> the client to the server. This is due to the fact that you cannot - by design
> - retrieve the password of a user from ADAM.
>
> But here are steps that will let you authenticate a user against ADAM:
>
> 1. Add the user to ADAM, set the password and add the user to at least the
> Readers group. The user is now ready to be authenticated.
>
> 2. On your server, set up an appropriate policy and register your own
> 'securityTokenManager' derived from UsernameTokenManager:
> <microsoft.web.services2>
>   <security>
>     <securityTokenManager
>       type="Blabla.Security.AuthenticationManager, Bla.Bla.Security"
>       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>       qname="wsse:UsernameToken" />
>   </security>
>   <policy>
>     <cache name="x:\blabla\Security\Policies\ServerPolicy.config" />
>   </policy>
> </microsoft.web.services2>
>
> The policy should include something like:
> <wssp:TokenInfo>
>   <SecurityToken xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
>     <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
>     <wssp:Claims>
>       <wssp:UsePassword Type="wssp:PasswordText" wsp:Usage="wsp:Required" />
>     </wssp:Claims>
>   </SecurityToken>
> </wssp:TokenInfo>
>
> 3. Implement the class derived from UsernameTokenManager and override the
> 'AuthenticateToken' method to do something similar to the following.
> using System.DirectoryServices;
> using System.Runtime.InteropServices;
> using System.Web.Services.Protocols;
> using Microsoft.Web.Services2.Security.Tokens;
>
> protected override string AuthenticateToken( UsernameToken token )
> {
>     try
>     {
>         // token.Username must be the user's distinguished name, e.g.
>         // "CN=Mary Baker,OU=ADAM users,O=MyCompany,C=US"
>         DirectoryEntry authEntry = new DirectoryEntry(
>             "LDAP://localhost:389/OU=ADAM users,O=MyCompany,C=US",
>             token.Username,
>             token.Password,
>             AuthenticationTypes.None );
>         authEntry.RefreshCache(); // Binding - this is where the actual
>                                   // authentication takes place
>     }
>     catch ( COMException )
>     {
>         // Authentication failed (bad password, unknown DN or ADAM unreachable).
>         // Fault here instead of returning a fixed dummy string: WSE compares the
>         // returned value with the password in the message, so a client that
>         // happened to send the dummy string itself would otherwise be let in.
>         throw new SoapException( "Authentication failed",
>                                  SoapException.ClientFaultCode );
>     }
>     // Bind succeeded: hand the message password back so the base class's
>     // comparison succeeds.
>     return token.Password;
> }
>
> 4. That basically does it. WSE will now compare the password you dug out
> (of the token, or a dummy password if authentication failed) with the
> password sent in the SOAP message. If the passwords match you're in -
> otherwise a Fault message is sent back.
>
> This approach seems a little counter to the intention of the
> UsernameTokenManager - we basically do the authentication ourselves and cheat
> the base class (UsernameTokenManager) into believing it still has a word in
> authentication. And as we base the implementation on access to the clear
> text of the password in the SOAP header, hashing the password in the message
> is not possible.
>
> So does anyone know a better way?
>
> Thanks,
>
> Niels
>
> "Sumaira Ahmad" wrote:
>
> > Thank you so much for your reply. But I am a little confused.
> > Actually I am running ADAM and ASP.NET on Win XP Pro, with no domains
> > on it. My windows account belongs to a workgroup.
> > When I am authenticating UsernameToken against my Windows account, it
> > works fine and I use the Default UsernameToken manager.
> >
> > Now I have created an ADAM User such as:
> > CN=Mary Baker,OU=ADAM users,O=MyCompany,C=US
> > and have set some password for it..I want this user to be
> > authenticated and then be able to access web services.
> >
> > Now do I need to do some additional stuff to log this account so
> > that WSE can do a search with this account. I don't understand how it
> > works.
> >
> > Also at the user interface what should I provide for the above user's
> > username and password so that WSE can do a match with the all ADAM
> > user accounts created and authenticate accordingly.
> >
> > Can you please throw some light on it, starting with steps to be
> > followed after creating an ADAM user. I don't think my ADAM users
> > belong to any domain, as I said I have no domains set up.
> > Do I have to specify some "log on locally" option for this user? I was
> > reading it somewhere. But don't know how to do it.
> >
> > Please, any help or pointers would be highly appreciated..
> > Thanks,
> > Sumaira
> >
> > "Hervey Wilson [MSFT]" <herveyw.nospam@nospam.microsoft.com> wrote in message news:<e6AD8B3pEHA.3716@TK2MSFTNGP10.phx.gbl>...
> > > Sumaira Ahmad wrote:
> > > > Hi,
> > > >
> > > > Can anyone please tell me how to authenticate a Username Token against
> > > > Active Directory. Could not find much information on the web either.
> > > > Thanks,
> > > > Sumaira Ahmad
> > >
> > > The default UsernameTokenManager in WSE2 performs a LogonUser call to
> > > Windows to authenticate the userid in the token. This uses Active
> > > Directory in a domain environment.
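The four steps Niels lays out (ADAM user, securityTokenManager registration, PasswordText policy, AuthenticateToken override) put together as one complete server-side class plus the matching client call. This is an added example written for this page, not Niels's or Microsoft's code. It goes a little beyond the thread: it also answers Sumaira's "what do I type as the username" question by accepting either a full DN or a plain CN, resolving the CN to a DN with a read-only lookup account, and it escapes the CN before putting it in an LDAP filter so a crafted username cannot rewrite the search. The server name, SSL port, lookup account, namespace and proxy class (MyServiceWse) are assumptions for illustration; the ADAM instance is assumed to have SSL enabled, since AuthenticationTypes.SecureSocketsLayer is used instead of a clear-text simple bind on port 389.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;
using System.Web.Services.Protocols;
using System.Xml;
using Microsoft.Web.Services2.Security.Tokens;

namespace Blabla.Security   // hypothetical namespace, matches the config in the post
{
    // Register as: <securityTokenManager type="Blabla.Security.AdamUsernameTokenManager, Bla.Bla.Security" ... />
    public class AdamUsernameTokenManager : UsernameTokenManager
    {
        // Hypothetical deployment values: an SSL-enabled ADAM instance and a
        // service account that can only read the users OU.
        const string LdapServer = "adam.example.local:636";
        const string UsersBase  = "OU=ADAM users,O=MyCompany,C=US";
        const string LookupDn   = "CN=svc-lookup,OU=Service accounts,O=MyCompany,C=US";
        const string LookupPass = "<service-account-password>";

        public AdamUsernameTokenManager() {}
        public AdamUsernameTokenManager(XmlNodeList configData) : base(configData) {}

        protected override string AuthenticateToken(UsernameToken token)
        {
            if (token.Username == null || token.Password == null || token.Password.Length == 0)
                throw Fault();
            try
            {
                // A value containing '=' is taken as a full DN; anything else is a CN.
                string dn = token.Username.IndexOf('=') >= 0 ? token.Username : ResolveDn(token.Username);
                if (dn == null) throw Fault();

                // Simple bind as the user over SSL: the bind itself is the password check.
                using (DirectoryEntry asUser = new DirectoryEntry(
                    "LDAP://" + LdapServer + "/" + dn, dn, token.Password,
                    AuthenticationTypes.SecureSocketsLayer))
                {
                    asUser.RefreshCache();
                }
            }
            catch (COMException)
            {
                throw Fault();   // wrong password, unknown DN, or ADAM unreachable
            }
            // Bind succeeded: return the message password unchanged so the base
            // class comparison passes. Never return a fixed fallback string.
            return token.Password;
        }

        // Find the DN for a CN under the users OU using the lookup account.
        static string ResolveDn(string cn)
        {
            using (DirectoryEntry root = new DirectoryEntry(
                "LDAP://" + LdapServer + "/" + UsersBase, LookupDn, LookupPass,
                AuthenticationTypes.SecureSocketsLayer))
            using (DirectorySearcher s = new DirectorySearcher(root))
            {
                s.Filter = "(&(objectClass=user)(cn=" + EscapeFilter(cn) + "))";
                s.SearchScope = SearchScope.OneLevel;
                s.PropertiesToLoad.Add("distinguishedName");
                SearchResult r = s.FindOne();
                return r == null ? null : (string)r.Properties["distinguishedName"][0];
            }
        }

        // RFC 4515 escaping so the username cannot inject filter syntax.
        static string EscapeFilter(string value)
        {
            StringBuilder sb = new StringBuilder();
            foreach (char c in value)
            {
                switch (c)
                {
                    case '\\': sb.Append("\\5c"); break;
                    case '*':  sb.Append("\\2a"); break;
                    case '(':  sb.Append("\\28"); break;
                    case ')':  sb.Append("\\29"); break;
                    case '\0': sb.Append("\\00"); break;
                    default:   sb.Append(c);      break;
                }
            }
            return sb.ToString();
        }

        // One fault for every failure so the response does not reveal whether the DN exists.
        static SoapException Fault()
        {
            return new SoapException("Authentication failed", SoapException.ClientFaultCode);
        }
    }

    // Client side: the policy requires PasswordText, so the password travels in the
    // clear inside the SOAP header; only ever send it to an https endpoint.
    class Client
    {
        static void Call()
        {
            MyServiceWse proxy = new MyServiceWse();            // hypothetical WSE-generated proxy
            proxy.Url = "https://server.example.local/Service.asmx";
            UsernameToken token = new UsernameToken(
                "CN=Mary Baker,OU=ADAM users,O=MyCompany,C=US", "secret",
                PasswordOption.SendPlainText);
            proxy.RequestSoapContext.Security.Tokens.Add(token);
            proxy.Hello();                                      // hypothetical web method
        }
    }
}
```

Two design points worth noting. First, the failure path throws a SOAP fault rather than returning a placeholder password: the base class authenticates by comparing whatever AuthenticateToken returns with the password in the message, so any fixed placeholder becomes a password that always works when the bind fails. Second, because the bind needs the clear-text password, the PasswordDigest option cannot be used with this design; transport protection (HTTPS to the service, SSL to ADAM) is what keeps the password off the wire.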