Kerberos Ticket
Web Services Enhancements for Microsoft .NET (WSE) supports signing and encrypting SOAP messages by using Kerberos version 5 protocol security tokens. Kerberos security tokens are binary security tokens. This binary data is a service ticket as described in RFC 1510, "The Kerberos Network Authentication Service (V5)."
The Kerberos protocol is used to mutually authenticate users and services on an open and unsecured network. It allows services to correctly identify the user of a Kerberos ticket without having to authenticate the user at the service. It does this by using shared secret keys.
The Kerberos protocol uses shared secret keys to encrypt and sign users' credentials. A client is authenticated by a Kerberos Key Distribution Center (KDC). After that authentication, the user can request a service ticket to access a specific service on the network. This ticket includes the encrypted authenticated identity of the user.
Kerberos tokens work on computers running Windows Server 2003 or later, or Windows XP with Service Pack 1 or later. Windows 2000 is not a supported operating system for this feature. When your application runs on Windows XP, the ASPNET account requires a high-security permission. There are two ways to grant this permission to the ASPNET account:
- Grant the ASPNET account the Act as Part of the Operating System permission by using the Local Security Settings administrative tool, and then restart the system.
- Set the userName attribute of the <processModel> element in the Machine.config file to "system", and then reset IIS.
To use the Kerberos feature of WSE, your application and the service you access must be running on computers joined to a Kerberos realm. To use Kerberos tickets with clients that are not part of the service's Kerberos realm, you must create a security token service to issue service tickets. For information about creating a security token service that issues custom security tokens, see Establishing a Secure Conversation with Custom Security Tokens.
Note
You can also sign or encrypt a message with a KerberosToken security token by using policy and one of the Turnkey Security Assertions. For more information about using policy to secure the SOAP message, see How to: Secure a Web Service Using a Policy File.
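As an added example (not code from this page or from the WSE documentation), the following WSE 3.0 policy file shows the kerberosSecurity turnkey assertion applied on both sides of the exchange: a client policy that names the service principal to request a ticket for, and a server policy that requires every incoming request to carry a body that is signed and encrypted with a Kerberos token. The policy names, the file name, and the targetPrincipal value are assumptions; replace the SPN placeholder with the real service principal name in your realm.

```xml
<!-- Added example policy file (for example wse3policyCache.config); not from the original page.
     The policy names and the host/... SPN below are placeholders. -->
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <!-- Registers the kerberosSecurity turnkey assertion that ships with WSE 3.0 -->
    <extension name="kerberosSecurity"
               type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>

  <!-- Client side: obtain a service ticket for the named SPN from the KDC,
       then sign and encrypt the request with the key it carries -->
  <policy name="ClientPolicy">
    <kerberosSecurity establishSecurityContext="false"
                      renewExpiredSecurityContext="true"
                      requireSignatureConfirmation="false"
                      messageProtectionOrder="SignBeforeEncrypt"
                      requireDerivedKeys="true"
                      ttlInSeconds="300">
      <token>
        <!-- Placeholder SPN. Identification level lets the service learn who the caller is
             without being able to act as the caller -->
        <kerberos targetPrincipal="host/SERVICE-HOST.example.com@EXAMPLE.COM"
                  impersonationLevel="Identification" />
      </token>
      <protection>
        <request  signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault    signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
  </policy>

  <!-- Server side: the same assertion without a <token> element. WSE verifies the
       signature and decrypts the body, and rejects requests that do not satisfy
       the protection requirements below -->
  <policy name="ServerPolicy">
    <kerberosSecurity establishSecurityContext="false"
                      renewExpiredSecurityContext="true"
                      requireSignatureConfirmation="false"
                      messageProtectionOrder="SignBeforeEncrypt"
                      requireDerivedKeys="true"
                      ttlInSeconds="300">
      <protection>
        <request  signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault    signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <!-- Require the WS-Addressing Action header so the signed content also binds the operation -->
    <requireActionHeader />
  </policy>
</policies>
```

The client applies its policy by name, either with the `[Policy("ClientPolicy")]` attribute on the proxy class or by calling `SetPolicy("ClientPolicy")` on the proxy instance; the Web service applies `[Policy("ServerPolicy")]` to the service class. Keeping the timestamp in the signed content (`IncludeTimestamp`) together with a short `ttlInSeconds` limits how long a captured message remains acceptable to the service.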
In This Section
- How to: Sign a SOAP Message By Using a Kerberos Ticket
Details how to use policy or code to digitally sign a SOAP message by using a Kerberos ticket.
- How to: Verify Digital Signatures of SOAP Messages Signed Using a Kerberos Ticket
Details how to have WSE verify digital signatures that use a Kerberos ticket and how to use policy or code to require that SOAP messages be digitally signed using a Kerberos ticket.
- How to: Encrypt a SOAP Message By Using a Kerberos Ticket
Details how to use policy and code to encrypt a SOAP message by using a Kerberos ticket.
- How to: Decrypt a SOAP Message Encrypted Using a Kerberos Ticket
Details how to have WSE decrypt a SOAP message encrypted using a Kerberos ticket and how to use policy or code to require that SOAP messages be encrypted using a Kerberos ticket.
- How to: Authorize the Message Sender Based on a Kerberos Ticket
Details how to use policy or code to authorize access to a Web service based on a Kerberos security token included in a SOAP message.
- How to: Impersonate the Credentials Associated with a KerberosToken
Details how a SOAP message sender can specify that the credentials associated with a KerberosToken security token can be impersonated and how a SOAP message receiver can impersonate the credentials.
- How to: Configure an Application to Use Constrained Delegation
Details how to configure an application so that the credentials associated with a KerberosToken security token can be used for constrained delegation.
- How to: Use a KerberosToken in a Web Farm
Details how to configure an application so that SOAP messages can be secured using a KerberosToken in a Web farm.
See Also
Other Resources
Brokered Authentication – Kerberos
Kerberos Technical Supplement for Windows