Message Security usage

04-02-2008   #1
DEE

Message Security usage

Hi there,

I have a scenario wherein I need to use the wsHttpBinding binding,
so the default is message security and the client credential type is
Windows. My service app.config looks like this:

<system.serviceModel>
  <bindings />
  <behaviors>
    <serviceBehaviors>
      <behavior name="NewBehavior">
        <serviceMetadata httpGetEnabled="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service behaviorConfiguration="NewBehavior"
             name="SampleService.Service">
      <endpoint address="SampleService"
                binding="wsHttpBinding" bindingConfiguration=""
                contract="SampleService.IService" />
      <endpoint address="Mex" binding="mexHttpBinding"
                bindingConfiguration=""
                contract="IMetadataExchange" />
      <host>
        <baseAddresses>
          <add baseAddress="http://localhost:2000/" />
        </baseAddresses>
      </host>
    </service>
  </services>
</system.serviceModel>


Now, when I generate the proxy and the client's app.config, the client's
app.config is as shown below:


<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_IService"
               closeTimeout="00:01:00"
               openTimeout="00:01:00" receiveTimeout="00:10:00"
               sendTimeout="00:01:00"
               bypassProxyOnLocal="false" transactionFlow="false"
               hostNameComparisonMode="StrongWildcard"
               maxBufferPoolSize="524288"
               maxReceivedMessageSize="65536"
               messageEncoding="Text" textEncoding="utf-8"
               useDefaultWebProxy="true"
               allowCookies="false">
        <readerQuotas maxDepth="32"
                      maxStringContentLength="8192" maxArrayLength="16384"
                      maxBytesPerRead="4096"
                      maxNameTableCharCount="16384" />
        <reliableSession ordered="true"
                         inactivityTimeout="00:10:00"
                         enabled="false" />
        <security mode="Message">
          <transport clientCredentialType="Windows"
                     proxyCredentialType="None"
                     realm="" />
          <message clientCredentialType="Windows"
                   negotiateServiceCredential="true"
                   algorithmSuite="Default"
                   establishSecurityContext="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://localhost:2000/SampleService"
              binding="wsHttpBinding"
              bindingConfiguration="WSHttpBinding_IService"
              contract="SampleClient.ServiceReference.IService"
              name="WSHttpBinding_IService">
    </endpoint>
  </client>
</system.serviceModel>

Now, the question is: when the security mode is "Message", what is
the reason behind having the transport tag and configuring it to
Windows?

Could anybody throw some light on it?

Thanks in advance

04-02-2008   #2
DEE

Security Advice

Hi there,

My scenario:

Client: WinForms client; the client should prompt a LOGIN form

Service: WCF with wsHttpBinding (I am planning to use "Message"
security mode, with Windows as client credentials)

Deployment scenario:

1. Only users with Windows accounts are authenticated.
2. May or may not have domain controllers (all m/c may be in a
workgroup)

Given the above, I am slightly confused about how to get common
config settings for point 2.

Could anybody suggest?

Thanks in advance

04-02-2008   #3
Tiago Halm

Re: Message Security usage

If security is set to Message, the transport tag is ignored. However, if the
security is set to TransportWithMessageCredential, both tags are used. Why?
Encryption and signature are done at the transport (HTTP) and credentials travel
through the rich WS-Security/WS-Trust/WS-Policy model with security tokens
of your choosing like SAML, Kerberos, Username, X.509.

Tiago Halm
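
The point made in this reply can be checked by asking WCF which transport binding element each security mode produces. This is an added example, not code from the thread: the class name `SecurityModeProbe` is hypothetical, and it only builds bindings in memory without contacting a service.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example: builds a WSHttpBinding per security mode and reports the
// transport element WCF derives from it. SecurityModeProbe is a made-up name.
static class SecurityModeProbe
{
    static string Describe(SecurityMode mode)
    {
        var binding = new WSHttpBinding(mode);

        // Same values the generated client app.config carries in the thread.
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // HttpsTransportBindingElement derives from HttpTransportBindingElement,
        // so this lookup matches whichever of the two the binding emits.
        BindingElementCollection elements = binding.CreateBindingElements();
        HttpTransportBindingElement transport = elements.Find<HttpTransportBindingElement>();

        // A SecurityBindingElement is present when SOAP-level security is in the stack.
        bool soapSecurity = elements.Find<SecurityBindingElement>() != null;

        return string.Format(
            "{0,-30} scheme={1,-5} httpAuth={2,-10} soapSecurity={3}",
            mode, transport.Scheme, transport.AuthenticationScheme, soapSecurity);
    }

    static void Main()
    {
        foreach (SecurityMode mode in new[] {
            SecurityMode.Message,
            SecurityMode.TransportWithMessageCredential,
            SecurityMode.Transport })
        {
            Console.WriteLine(Describe(mode));
        }
    }
}
```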

04-02-2008   #4
Tiago Halm

Re: Security Advice

If no domain is available (you are in a workgroup) then the client can be
set to authenticate via NTLM instead of Kerberos. For Kerberos the client
must have the target name (Service Principal Name) set or the UPN (User
Principal Name). If NTLM, the client can have an empty servicePrincipalName.
Generate the client proxy and look at the generated configuration. Change it
where needed, see below.

Kerberos:
<client>
  <endpoint ...>
    <identity ...>
      <servicePrincipalName value="http/foo.bar.com" />
      <!-- or -->
      <userPrincipalName value="hello@xxxxxx" />
    </identity>
  </endpoint>
</client>

NTLM:
<client>
  <endpoint ...>
    <identity ...>
      <servicePrincipalName value="" />
    </identity>
  </endpoint>
</client>

Tiago Halm
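
How the two identity settings above can be applied in code from the WinForms client in the question, using credentials collected by its own login form. This is an added example, not code from the thread: `IService` with `Ping`, `ServiceClientFactory` and its parameters are hypothetical; the address is the one from the posted client config.

```csharp
using System;
using System.Net;
using System.ServiceModel;

// Hypothetical stand-in for the generated SampleClient.ServiceReference.IService.
[ServiceContract]
public interface IService
{
    [OperationContract]
    string Ping();
}

// Added example (ServiceClientFactory is a made-up name).
public static class ServiceClientFactory
{
    // spn: an "http/foo.bar.com" style value for Kerberos in a domain, or ""
    // for the workgroup case, where the reply says the client can use NTLM.
    public static ChannelFactory<IService> Create(
        string user, string password, string domainOrMachine, string spn)
    {
        if (spn == null) throw new ArgumentNullException("spn");

        // Same settings as the generated config: Message security, Windows credential.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // Code equivalent of <identity><servicePrincipalName value="..." /></identity>.
        var address = new EndpointAddress(
            new Uri("http://localhost:2000/SampleService"),
            EndpointIdentity.CreateSpnIdentity(spn));

        var factory = new ChannelFactory<IService>(binding, address);

        // Use the account typed into the login form instead of the logged-on user.
        // For a workgroup, pass the server's machine name so that a local account
        // on the server is used.
        factory.Credentials.Windows.ClientCredential =
            new NetworkCredential(user, password, domainOrMachine);

        return factory;
    }
}
```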

04-03-2008   #5
DEE

Re: Message Security usage

Hi Tiago Halm,

Thanks for your response.

I have one more question though:

If I am using security mode "Message", then does Kerberos or NTLM
come into the picture? As per my knowledge:

"Kerberos/NTLM is used only during transport authentication": is
this statement correct?

"Kerberos/NTLM is used when Windows authentication is in place
irrespective of the security mode used": is this statement correct?

When "Message" security mode is used with client credentials configured
to "Windows", does this use Kerberos/NTLM under the hood?

Thanks in advance

Regards
DEE

04-03-2008   #6
tiago.halm

Re: Message Security usage

Kerberos and NTLM can both be sent by the transport protocol (HTTP) or
SOAP.

> "Kerberos/NTLM is used only during transport authentication": is
> this statement correct?
No

> "Kerberos/NTLM is used when Windows authentication is in place
> irrespective of the security mode used": is this statement correct?
If the client credentials are set to Windows, then yes.

> When "Message" security mode is used with client credentials configured
> to "Windows", does this use Kerberos/NTLM under the hood?
Yes it does.

Tiago Halm

04-03-2008   #7
DEE

Re: Message Security usage

Hi Tiago Halm,

Thanks for the response and your time. It was really helpful.

Regards
dee
