
dotnet web services enhancements : Duplicate kerberos2 tokens in subsequent web service requests


Julian Jelfs
3/30/2005 2:39:02 AM
Hi,

I have a web page that needs to make three web service requests.

Initially I thought I might be able to create an instance of the proxy, sign
it with a kerberos2 token and then make the three requests. It doesn't like
that presumably because I'm using the same kerberos token for multiple
requests (correct me if I'm wrong).

Then I thought I would use the same proxy instance and just clear the
security tokens between calls and create a new kerberos token and add it. It
seems that when I do this I still get duplicate tokens. By this I mean that
when I look at the output trace, the second request's BinarySecurityToken
element has the same ID as the first.

I even get this problem if I set the variable used to hold the reference to
the proxy class to null and then create a new proxy object between service
calls???

However, if I create three completely separate instances of the web service
proxy and sign each one separately with its own kerberos token, all is well
and the IDs of the BinarySecurityToken elements in the subsequent requests
are different.

Can anyone explain what is going on here? I don't really want to have to
create a new instance of the proxy class for each call if I can avoid it
because it has some headers which need setting up and seems like a waste of
code. Why is it that I cannot use the same object and just replace the
kerberos token for each request?

Thanks in advance...

Sidd
3/31/2005 5:12:24 PM
Hi Julian,

1. You cannot reuse the same Kerberos2 token for more than 1 request.
This is because the SSPI layer in Windows has replay detection logic to
prevent you from doing that.
You have to create a new instance of a kerberos token every single
time you want to send a request. Note, this is not the same with other token
types like UsernameToken and X509,
where you can just create one instance and keep reusing that same
token.

2. You do *NOT* have to create a proxy every single time. You can use
the same proxy. However, when you do, please clear the
proxy.RequestSoapContext.Security.Tokens collection
and proxy.RequestSoapContext.Security.Elements collection. If you
don't then the old token remains in these collections.

3. Why do you need separate IDs for the binary security token? The fact
that you are getting the same token id is really weird, but on the other
hand if they were the same token, since you are
dealing with Kerberos2 you would have received an error. Since
you're not receiving an error, that means that it is a different token.

Please let me know if this still does not answer your questions.

Sidd [MSFT]
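
The per-request reset described in points 1 and 2 above, as an added example that is not part of the original thread or Microsoft's own code. It is written against the WSE 2.0 types the thread names; the `KerberosRequestSigner` class, the `host/server01` principal and the `GetOrders`/`GetCustomers` proxy methods are hypothetical, and the exact constructor and collection signatures are assumed from the WSE 2.0 object model.

```csharp
using System;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens.Kerberos;

// Hypothetical helper: lets one proxy instance be reused for several
// calls while every call is signed with its own Kerberos token.
public sealed class KerberosRequestSigner
{
    private readonly WebServicesClientProtocol proxy;
    private readonly string targetPrincipal;

    public KerberosRequestSigner(WebServicesClientProtocol proxy,
                                 string targetPrincipal)
    {
        if (proxy == null) throw new ArgumentNullException("proxy");
        if (targetPrincipal == null || targetPrincipal.Length == 0)
            throw new ArgumentException("SPN required", "targetPrincipal");
        this.proxy = proxy;
        this.targetPrincipal = targetPrincipal;
    }

    // Call immediately before each web method invocation.
    public void PrepareRequest()
    {
        Security security = proxy.RequestSoapContext.Security;

        // Drop the previous call's token and its MessageSignature,
        // otherwise both stay attached to the next outgoing message.
        security.Tokens.Clear();
        security.Elements.Clear();

        // A Kerberos token is single-use (SSPI replay detection), so a
        // fresh one is requested for every request.
        KerberosToken2 token = new KerberosToken2(targetPrincipal);
        security.Tokens.Add(token);
        security.Elements.Add(new MessageSignature(token));
    }
}

// Usage (hypothetical proxy class and methods; custom headers on the
// proxy are set up once and survive across calls):
//   OrderServiceWse proxy = new OrderServiceWse();
//   KerberosRequestSigner signer =
//       new KerberosRequestSigner(proxy, "host/server01");
//   signer.PrepareRequest(); proxy.GetOrders();
//   signer.PrepareRequest(); proxy.GetCustomers();
```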


Dilip Krishnan
4/2/2005 11:05:36 AM
Hello Julian,
Since in the first case you are using the same instance of the proxy,
you only need to sign it ONCE and call the 3 methods just as it is. You
are having duplicate tokens because you are signing the message multiple
times (possibly 3 times). This is because the soap context has multiple MessageSignature
elements in it.

HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com
