Kerberos Ticket
Web Services Enhancements for Microsoft .NET (WSE) supports signing and encrypting SOAP messages by using Kerberos version 5 protocol security tokens. Kerberos security tokens are binary security tokens: the binary data is a service ticket as described in RFC 1510, "The Kerberos Network Authentication Service (V5)" (http://www.ietf.org/rfc/rfc1510.txt). RFC 1510 has since been obsoleted by RFC 4120, which specifies the same version 5 ticket format in more detail.
The Kerberos protocol mutually authenticates users and services on an open, untrusted network. It lets a service reliably identify the user who presents a Kerberos ticket without the service having to authenticate that user itself, and without contacting the KDC for each request. It does this with shared secret keys: every principal (each user and each service) shares a long-term key with the Key Distribution Center (KDC), and with nobody else.
The Kerberos protocol uses these shared secret keys to encrypt and integrity-protect users' credentials. A client first authenticates to the KDC by proving knowledge of its own long-term key. After that authentication, the user can request a service ticket for a specific service on the network. The KDC encrypts that ticket with the long-term key of the target service, so the ticket carries the authenticated identity of the user in a form the client can neither read nor alter and only the intended service can decrypt. The ticket also carries a fresh session key, which the KDC returns to the client separately, encrypted under the client's own key. The client proves that it holds the session key by sending an authenticator along with the ticket, and WSE uses the same session key as the symmetric key for signing and encrypting the SOAP message.
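The flow above, as an added example that is not part of WSE or of the original page. It is a deliberately reduced model: the principal names and keys are constructed for the run, the cipher is a SHA-256 keystream with an HMAC-SHA256 tag (encrypt-then-MAC) standing in for the real Kerberos encryption types, and the AS and TGS exchanges are collapsed into one KDC call. What it keeps is the key relationship the paragraph describes: the ticket is sealed under the service's long-term key, so the service identifies the caller with its own key alone, the client cannot open or alter the ticket, and a replayed or tampered presentation is rejected.

```python
"""Toy Kerberos service-ticket flow (constructed example; not WSE code)."""
import hashlib
import hmac
import json
import os
import time

NONCE_LEN, TAG_LEN = 16, 32
MAX_SKEW = 300  # seconds; Kerberos deployments commonly allow 5 minutes of clock skew


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a JSON object under a shared key and append an integrity tag (toy cipher)."""
    nonce = os.urandom(NONCE_LEN)
    plaintext = json.dumps(obj).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """Holds one long-term key per principal; the only party that knows all of them."""

    def __init__(self):
        self.keys = {}

    def register(self, principal: str, key: bytes):
        self.keys[principal] = key

    def issue_service_ticket(self, user: str, service: str, preauth: bytes):
        """Authenticate the user, then return (ticket for the service, reply for the user)."""
        user_key, service_key = self.keys[user], self.keys[service]
        # Pre-authentication: the request must decrypt under the user's key and be fresh.
        if abs(time.time() - unseal(user_key, preauth)["timestamp"]) > MAX_SKEW:
            raise PermissionError("stale pre-authentication data")
        session_key = os.urandom(32)
        ticket = seal(service_key, {  # only the service (and the KDC) can open this
            "client": user, "service": service,
            "session_key": session_key.hex(), "expires": time.time() + 3600,
        })
        reply = seal(user_key, {"service": service, "session_key": session_key.hex()})
        return ticket, reply


def client_prepare_request(kdc: KDC, user: str, user_key: bytes, service: str):
    """Client side: obtain a ticket, then build the authenticator that accompanies it."""
    preauth = seal(user_key, {"timestamp": time.time()})
    ticket, reply = kdc.issue_service_ticket(user, service, preauth)
    session_key = bytes.fromhex(unseal(user_key, reply)["session_key"])
    authenticator = seal(session_key, {"client": user, "timestamp": time.time()})
    return ticket, authenticator, session_key


def service_identify_caller(service_key: bytes, ticket: bytes, authenticator: bytes,
                            replay_cache: set) -> str:
    """Service side: establish who sent the message using only the service's own key."""
    contents = unseal(service_key, ticket)      # forged, altered or misdirected tickets fail here
    if contents["expires"] < time.time():
        raise PermissionError("ticket expired")
    session_key = bytes.fromhex(contents["session_key"])
    auth = unseal(session_key, authenticator)   # proves the sender holds the session key
    if auth["client"] != contents["client"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(time.time() - auth["timestamp"]) > MAX_SKEW:
        raise PermissionError("authenticator is not fresh")
    if authenticator in replay_cache:           # the same authenticator presented twice
        raise PermissionError("replayed authenticator")
    replay_cache.add(authenticator)
    return contents["client"]


def demo() -> dict:
    """Run the flow once, then probe the failure modes; returns the outcome of each."""
    kdc, user_key, service_key = KDC(), os.urandom(32), os.urandom(32)
    user, service = "alice@EXAMPLE.COM", "host/app.example.com@EXAMPLE.COM"  # constructed names
    kdc.register(user, user_key)
    kdc.register(service, service_key)
    ticket, authenticator, _ = client_prepare_request(kdc, user, user_key, service)
    cache = set()
    results = {"identified_as": service_identify_caller(service_key, ticket, authenticator, cache)}
    bad_ticket = ticket[:20] + bytes([ticket[20] ^ 1]) + ticket[21:]  # flip one ciphertext byte
    probes = {
        "replay": lambda: service_identify_caller(service_key, ticket, authenticator, cache),
        "tampered_ticket": lambda: service_identify_caller(service_key, bad_ticket, authenticator, set()),
        "wrong_service_key": lambda: service_identify_caller(os.urandom(32), ticket, authenticator, set()),
        "client_reads_ticket": lambda: unseal(user_key, ticket),
    }
    for name, probe in probes.items():
        try:
            probe()
            results[name] = "accepted"
        except (PermissionError, ValueError) as exc:
            results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the service never calls `kdc` in `service_identify_caller`: possession of its own key is enough, which is exactly why the service's long-term key (in Windows, the password of the account the service runs under) must be protected as carefully as the KDC database itself.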
Kerberos tokens work on computers running Windows Server 2003 or later, or Windows XP with Service Pack 1 or later. Windows 2000 is not a supported operating system for this feature. When you run your application on Windows XP, the ASPNET account (the account under which the ASP.NET worker process runs) needs a highly privileged user right. There are two ways to grant it to the ASPNET account:
- Grant the ASPNET account the Act as Part of the Operating System user right (SeTcbPrivilege) by using the Local Security Settings administrative tool, and then restart the system.
- Set the userName attribute of the <processModel> element in the Machine.config file to "system", and then restart IIS (for example, by running iisreset).
Either option makes the ASP.NET worker process as trusted as the operating system itself, so a compromise of any Web application hosted in that process is a compromise of the computer. Keep unrelated applications out of that worker process and treat the machine accordingly.
To use the Kerberos feature of WSE, your application and the service it calls must run on computers joined to a Kerberos realm; on Windows this means an Active Directory domain. The client requests a service ticket for the service's service principal name (SPN), so that SPN must be registered for the account the service runs under, or the KDC cannot issue the ticket. To use Kerberos tickets with clients that are not part of the service's Kerberos realm, you must create a security token service that issues service tickets. For information about creating a security token service that issues custom security tokens, see How to: Create a Class Representing a Custom Security Token Service.
Note
You can also sign or encrypt a message with a KerberosToken security token by using send-side policy. With send-side policy, a SOAP sender creates an instance of a KerberosToken security token and places it in the PolicyEnforcementSecurityTokenCache store, where the policy enforcement code retrieves it when the message is sent. For information on how to use send-side policy, see Configuring a Web Service's Policy.
In This Section
- How to: Sign a SOAP Message By Using a Kerberos Ticket
Details how to use policy or code to digitally sign a SOAP message by using a Kerberos ticket.
- How to: Verify Digital Signatures of SOAP Messages Signed Using a Kerberos Ticket
Details how to have WSE verify digital signatures that use a Kerberos ticket and how to use policy or code to require that SOAP messages be digitally signed using a Kerberos ticket.
- How to: Encrypt a SOAP Message By Using a Kerberos Ticket
Details how to use policy or code to encrypt a SOAP message by using a Kerberos ticket.
- How to: Decrypt a SOAP Message Encrypted Using a Kerberos Ticket
Details how to have WSE decrypt a SOAP message encrypted using a Kerberos ticket and how to use policy or code to require that SOAP messages be encrypted using a Kerberos ticket.
- How to: Authorize the Message Sender Based on a Kerberos Ticket
Details how to use policy or code to authorize access to a Web service based on a Kerberos security token included in a SOAP message.