Mark Fussell's WebLog : WSE

WSE 3.0 - Kerberos, Secure Conversation and Stateful SCTs

mfussell — Wed, 08 Mar 2006 09:08:00 GMT

I thought that I would publish some discussion threads on WSE issues that I have had recently that highlight some common questions. A recent discussion question was this;

Question: "I need advice with WSE 3.0 and implementing a web service that requires a Kerberos token. It seems that my simple web service and Windows client should be straight-forward but I’m not able to get past the error “Security requirements are not satisfied because the security header is not present in the incoming message. System.Exception {System.InvalidOperationException}

Here is the client policy file. The server one is nearly identical:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
<extensions>
    <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="kerberos" type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</extensions>
<policy name="KerberosClient">
    <kerberosSecurity establishSecurityContext="true" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
      <token>
        <kerberos targetPrincipal="host/MyServer" impersonationLevel="Impersonation" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
</policy>
</policies>"

Answer: It turns our that there are times when secure conversation and Kerberos can clash. When establishSecurityContext is set to true in the policy files (see above), then WSE 3.0 tries to acquire a Security Content Token (SCT) from the service to establish a secure conversation. The Request Security Context (RST) message sent from the client to acquire the SCT using the policy above uses a KerberosToken to protect the message so that only the service can decrypt the message. By default, WSE 3.0 generates stateful SCT’s (see Stateful Session section in this link) which means that the state of the SCT is carried with the SCT itself as a cookie value in the message. This state contains the server's KerberosToken inside of it, which you can see by looking for the <cookie> element in the SCT.

Since Kerberos Tokens can *only* ever be used once, using this stateful SCT doesn’t work. This is because every time the client makes a request to the service, it protects the message with that SCT, which carries the state with it. But because this state has a "use once" KerberosToken, the request fails at the server.

There are two options to work around this:
1) Don’t use SCT’s at all and hence do not use Secure Conversation. You can do this by setting establishSecurityContext to false in the policy file at both the client and the service.
2) Use SCT’s (i.e. establishSecurityContext set to true) but turn off stateful SCT by setting statefulSecurityContextToken to false inside <microsoft.web.services3> of web.config. e.g.

</tokenIssuer>

This can also be done on the Message tab in the WSE Configuration Settings available from the VS2005 Solution Explorer context menu.

1) Has the disadvantage of not taking advantage of the performance improvement of using secure conversation when the number of messages is >2. However you may only send a single message and therefore not require secure conversation, which is fine.

2) Is a better option as it still allow secure conversation (where messages are >2) and works because the SCT state is no carried with the message and simply cached on the server side. The one difference is that you can no longer use secure conversation in web farms, but you can still use Kerberos on web farms at a slight performance decrease. If you really need the performance improvement in a web farm scenario using Kerberos Token using secure conversation, then you need to maintain your own state on the server i.e. implement your own SCT cache using something like a SQL database as described in Managing Security Context Tokens in a Web Farm.

I will post more common discussion threads like this over the next few months. It is also worth sending questions to the Web Services Forum which we monitor on a regular basis

WSE now enabled on the MSDN Product Feedback Center

mfussell — Wed, 06 Apr 2005 10:31:00 GMT

Plenty has been written in blogs about the MSDN Product Feedback Center which enables you to report issues in a product directly to the respective product team. Now Web Service Enhancements (WSE) in its multiple forms has been added to the list. If you want to get the attention of the WSE product team on an issue or a suggestion to improve the product there is nothing better than through this feedback center. There is even a category for the forthcoming WSE 3.0 Beta. Use it to its full force.

WSE 2.0 SP3 Released to MSDN

mfussell — Mon, 28 Feb 2005 22:50:00 GMT

WSE 2.0 SP3 has just been released on MSDN here. There are no additional new features just stress, perf and security fixes plus some other less significant fixes. Typically just the last two SPs are left on the download site, but we have decided to keep WSE 2.0 SP1 available for another 6 months to ease transistion to later versions. Although not stated in the readme, SP3 does not have to have .NET 1.1 installed, ie. it will install with just .NET v2.0 on the machine, but this is unsupported given that .NET v2.0 is months away from shipping.

WSE 2.0 Hands on Labs (HOLs) now hosted in virtual labs on MSDN

mfussell — Thu, 27 Jan 2005 08:55:00 GMT

I have spent a fair amount of time with the WSE HOLs in the last 2 months, fixing them up for the SP2 release and ensuring that they cover the essential features of WSE 2.0. These were originally written by Aaron and he did an excellent job creating them. They are without doubt the best resource for getting up to speed with understanding WSE 2.0 quickly.

I have been working with the Visual Studio Hosted team over the last month to get these available online on MSDN. Now through the magic of virtual server you can access these WSE HOLs without having to install them on your machine. To access them you need to create a login account with a username and password (its free) and then you have access to various developer HOLs ranging from ASP.NET to Smart Clients. Of course the WSE labs are the hot new ones!

These are the four WSE HOL labs which can be found under the Web Services Section

Web Services Enhancements 2.0 - Security and Policy (C#)

Web Services Enhancements 2.0 - Messaging (C#)

Web Services Enhancements 2.0 - Security and Policy (VB)

Web Services Enhancements 2.0 - Messaging (VB .NET)

Enjoy.

MTOM goes to Rec with W3C

mfussell — Thu, 27 Jan 2005 08:21:00 GMT

The MTOM spec has been made official with the W3C by moving to REC status. This is good news for WSE 3.0 as it ensures that a finalized standard can now be implemented and used to develop interoperable solutions to transmit binary data as part of a SOAP message. The benefit of MTOM is that it uses an XInclude-like approach with a element in the message body to represent data in the MIME attachment. It is just like an inclusion mechanism. MTOM is sometimes referred to as being XML Infoset friendly, which simply means that as a result of having this element to represent a part from the attachment other WS-* specs can be easily composed with it, typically encryption and signing. DIME for attachments is now going to start disappear as a result of this spec approval.

System.Xml V2 Decisions

mfussell — Thu, 16 Dec 2004 09:20:00 GMT

Arpan has posted on some of the reasons for XmlDocument being the main XML store in System.Xml and the difficulty of supporting standards that are not yet at a recommendation status. Ironically I now find myself in the alternate universe to this where WS-* specifications seem to pop in and out of existence on a daily basis, having to incorporate these into a fast changing project that is laying the path to Indigo. I have been working on WSE 3.0 planning this week and hope to post some more details of the release in the coming weeks. Currently these are the WSE 3.0 themes that I am using to drive the project, which sets the precedence for the features.

VS2005 (Whidbey) Integration
“WSE 3.0 and VS2005 together provide the platform to build advanced web service implementations.”
Indigo Interoperability and Strategic Direction
“Building solutions with WSE 3.0 and VS2005 engages you directly on the path to Indigo.”
Servicing and Customer Support
“WSE 3.0 continues to maintain focus on customer needs, WS-* standards support and performance enabling you to concentrate on your business needs and less on infrastructure.”

As always you have to pick from a huge pile of features and I wish that the team was three times as big. Fortunately other constraints such as being backwardly compatibile with previous releases are not necessary with WSE and so this makes it easier to incorporate new features and remove redundant ones, which creates a very dynamic project.

WSE 2.0 SP2 released to MSDN

mfussell — Fri, 03 Dec 2004 18:28:00 GMT

WSE 2.0 SP2 final bits have just been released to the WSE MSDN site. Here are the links.

Issues, comments, feedback can be sent to wsefeed@microsoft.com

WSE 2.0 SP2 Pre-release Announcement

mfussell — Tue, 23 Nov 2004 02:08:00 GMT

Hervey has posted the details of the pre-release on his blog. The download links are:

WSE 3.0 Feature List

mfussell — Fri, 12 Nov 2004 07:51:00 GMT

Aaron has kick started a list of what he believes are important features in future versions of WSE. I would always add performance to this list, ahead of new features, since to me this is crucial for widespread adoption.