

How to: Sign a SOAP Message By Using a Kerberos Ticket

The following procedure details how to use a custom policy assertion to digitally sign a SOAP message by using a Kerberos ticket. The <kerberosSecurity> Element turnkey security assertion already supports digitally signing and encrypting SOAP messages by using Kerberos tickets, so create a custom policy assertion only when additional functionality is needed.

To use code to sign a SOAP message by using a Kerberos ticket

  1. Open the Web service client project in Microsoft® Visual Studio® 2005.

  2. Add references to the Microsoft.Web.Services3, System.Web.Services, and System.Security assemblies.

    1. On the Project menu, click Add Reference.
    2. Click the .NET tab, select Microsoft.Web.Services3.dll, and then click Select.
    3. On the .NET tab, select System.Web.Services.dll, and then click Select.
    4. On the .NET tab, select System.Security.dll, and then click Select.
    5. Click OK.
  3. Create a custom policy assertion.

    For more details about creating custom policy assertions, see How to: Create a Custom Policy Assertion that Secures SOAP Messages.

  4. In the output SOAP filter for the client or the Web service, override the SecureMessage method.

    The following code example overrides the SecureMessage method for the client output SOAP filter.

    Public Overrides Sub SecureMessage(ByVal envelope As SoapEnvelope, ByVal security As Security)
    
    public override void SecureMessage(SoapEnvelope envelope, Security security)
    {
    
  5. Add the Imports or using directives to the top of the file that communicates with the Web service.

    1. At the top of the file, add the directives as shown in the following code example.

      Imports System
      Imports System.Collections.Generic
      Imports System.Text
      Imports System.Xml
      Imports System.Security.Cryptography.X509Certificates
      
      Imports Microsoft.Web.Services3
      Imports Microsoft.Web.Services3.Design
      Imports Microsoft.Web.Services3.Security
      Imports Microsoft.Web.Services3.Security.Tokens
      
      using System;
      using System.Collections.Generic;
      using System.Text;
      using System.Security.Cryptography.X509Certificates;
      
      using Microsoft.Web.Services3;
      using Microsoft.Web.Services3.Design;
      using Microsoft.Web.Services3.Security;
      using Microsoft.Web.Services3.Security.Tokens;
      
  6. In the SecureMessage method, add code to create a KerberosToken security token.

    The hostname variable is the name of the computer hosting the target Web service, and the domainName variable is the Kerberos realm that the host is a member of. The Kerberos realm is needed only when the SOAP message sender resides in a different domain or realm from the target Web service.

    Dim kerbToken As KerberosToken = _
        New KerberosToken("host/" + hostname & _
        "@" & domainName)
    
    KerberosToken kerbToken = new KerberosToken("host/" + hostname +
        "@" + domainName);
    
  7. Add the KerberosToken security token to the WS-Security SOAP header.

    security.Tokens.Add(kerbToken)
    
    security.Tokens.Add(kerbToken);
    
  8. Create a new instance of the MessageSignature class by using the KerberosToken security token just added to the WS-Security SOAP header.

    For information about signing portions of the SOAP message other than the defaults, see Signing Custom SOAP Headers.

    Dim sig As New MessageSignature(kerbToken)
    
    MessageSignature sig = new MessageSignature(kerbToken);
    
  9. Add the digital signature to the WS-Security SOAP header.

    security.Elements.Add(sig)
    
    security.Elements.Add(sig);
    

Example

The following code example creates a new KerberosToken security token, and then signs a SOAP request by using the token.

Imports System
Imports System.Collections.Generic
Imports System.Text
Imports System.Xml
Imports System.Security.Cryptography.X509Certificates

Imports Microsoft.Web.Services3
Imports Microsoft.Web.Services3.Design
Imports Microsoft.Web.Services3.Security
Imports Microsoft.Web.Services3.Security.Tokens

...

Public Overrides Sub SecureMessage(ByVal envelope As SoapEnvelope, ByVal security As Security)
    Dim kerbToken As KerberosToken = _
        New KerberosToken("host/" + hostname & _
        "@" & domainName)

    ' Add the security token.
    security.Tokens.Add(kerbToken)

    ' Specify the security token to sign the message with.
    Dim sig As New MessageSignature(kerbToken)
    security.Elements.Add(sig)
End Sub

using System;
using System.Collections.Generic;
using System.Text;
using System.Security.Cryptography.X509Certificates;

using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

...

public override void SecureMessage(SoapEnvelope envelope, Security security)
{
    KerberosToken kerbToken = new KerberosToken("host/" + hostname +
        "@" + domainName);

    // Add the security token.
    security.Tokens.Add(kerbToken);

    // Specify the security token to sign the message with.
    MessageSignature sig = new MessageSignature(kerbToken);

    security.Elements.Add(sig);
}
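
The procedure notes that the Kerberos realm is needed only when the sender is in a different domain or realm from the target Web service, while the example always appends it. The following is an added illustration, not part of the original topic or of WSE: a hypothetical KerberosTargetName helper that builds the target principal name for both cases and rejects host or realm values containing the name's own separators. The host and realm values in Main are constructed samples.

```csharp
using System;

// Added illustration: KerberosTargetName is a hypothetical helper, not a WSE 3.0 type.
public static class KerberosTargetName
{
    // Builds "host/<hostname>" and appends "@<realm>" only when a realm is supplied.
    public static string Build(string hostname, string realm)
    {
        if (string.IsNullOrEmpty(hostname))
            throw new ArgumentException("A host name is required.", "hostname");
        RejectSeparators(hostname, "hostname");

        string principal = "host/" + hostname;
        if (string.IsNullOrEmpty(realm))
            return principal;               // same realm: omit the "@realm" suffix

        RejectSeparators(realm, "realm");
        return principal + "@" + realm;     // cross-realm: name the target realm
    }

    // '/' and '@' delimit the parts of the principal name. A configured value
    // that contains them would change which principal the ticket is requested for.
    private static void RejectSeparators(string value, string paramName)
    {
        if (value.IndexOfAny(new char[] { '/', '@', ' ' }) >= 0)
            throw new ArgumentException(
                "Value must not contain '/', '@' or spaces.", paramName);
    }

    public static void Main()
    {
        // Constructed sample values, not taken from the original topic.
        Console.WriteLine(Build("websvc01", null));
        Console.WriteLine(Build("websvc01", "CORP.EXAMPLE.COM"));
        try
        {
            Build("websvc01@OTHER.EXAMPLE", "CORP.EXAMPLE.COM");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

In SecureMessage, the result can be passed to the constructor shown above, as in `new KerberosToken(KerberosTargetName.Build(hostname, domainName))`.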

See Also

Tasks

How to: Verify Digital Signatures of SOAP Messages Signed Using a Kerberos Ticket

Reference

<kerberosSecurity> Element
KerberosToken

Other Resources

Kerberos Ticket
Signing Custom SOAP Headers
Brokered Authentication – Kerberos
Kerberos Technical Supplement for Windows