
dotnet web services enhancements : usernameForCertificate



Mark
4/17/2006 10:24:28 AM
When using the usernameForCertificateAssertion, do I need to encrypt the SOAP
header or body or both to ensure that the username and password are not
unencrypted over the wire?

Thank You in advance.

Pablo Cibraro
4/17/2006 3:44:25 PM
Hi Mark,

The UsernameForCertificateAssertion always encrypts the UsernameToken (User
+ password) for you. I mean, you do not need to specify any special setting.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax



stcheng NO[at]SPAM online.microsoft.com
4/18/2006 12:00:00 AM
Hi Mark,

As Pablo has mentioned, when you have applied the UsernameForCertificate
policy assertion, by default the assertion will encrypt the SOAP message's
body and those certain SOAP headers which include security data (the
WSE:security header....). And you do not need to manually do the encrypting
work. And it is when you use some transport-layer secure channel that
you need to manually do the secure work. For example, if you're using the
usernameOverTransport policy assertion, the assertion won't secure the SOAP
message and the token embedded in the message; you need to secure it by
using some secure transport channel like HTTPS/SSL.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================
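
Added example, not part of the thread and not WSE code: a small Python check for confirming on a captured SOAP message what the replies above describe, namely that with message-level protection no UsernameToken is readable and the body is an EncryptedData element, while a transport-only policy leaves both readable unless TLS carries them. The helper name `audit_envelope`, the `over_tls` flag and the sample envelopes are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",      # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")        # SOAP 1.2
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"

def audit_envelope(xml_text, over_tls):
    """Return findings for one captured SOAP message (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    soap = root.tag.partition("}")[0].lstrip("{")
    if soap not in SOAP_NS or root.tag != f"{{{soap}}}Envelope":
        raise ValueError("not a SOAP envelope")
    # An encrypted token is opaque CipherValue text, so any UsernameToken
    # element that parses out of the message is readable by an observer.
    token_clear = next(root.iter(f"{{{WSSE}}}UsernameToken"), None) is not None
    body = root.find(f"{{{soap}}}Body")
    body_encrypted = (body is not None and len(body) > 0 and
                      all(c.tag == f"{{{XENC}}}EncryptedData" for c in body))
    findings = []
    if token_clear and not over_tls:
        findings.append("UsernameToken in cleartext on an unprotected transport")
    if not body_encrypted and not over_tls:
        findings.append("SOAP body readable on an unprotected transport")
    return findings

# Constructed samples: message shapes only, not real WSE output.
_ENV = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        f'xmlns:o="{WSSE}" xmlns:e="{XENC}"><s:Header><o:Security>%s'
        '</o:Security></s:Header><s:Body>%s</s:Body></s:Envelope>')
_CIPHER = ('<e:EncryptedData><e:CipherData><e:CipherValue>AAAA'
           '</e:CipherValue></e:CipherData></e:EncryptedData>')
MESSAGE_LEVEL = _ENV % ('<e:EncryptedKey/>' + _CIPHER, _CIPHER)
TRANSPORT_ONLY = _ENV % (
    '<o:UsernameToken><o:Username>alice</o:Username>'
    '<o:Password>constructed-secret</o:Password></o:UsernameToken>',
    '<GetOrders xmlns="urn:example"/>')

if __name__ == "__main__":
    for name, msg, tls in [("message-level, HTTP", MESSAGE_LEVEL, False),
                           ("transport-only, HTTPS", TRANSPORT_ONLY, True),
                           ("transport-only, HTTP", TRANSPORT_ONLY, False)]:
        print(name, "->", audit_envelope(msg, tls) or "ok")
```
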

