How to: Encrypt a SOAP Message By Using a Kerberos Ticket

The following procedure details how to use a custom policy assertion to encrypt a SOAP message by using a Kerberos service ticket. The <kerberosSecurity> Element turnkey security assertion provides support for digitally signing and encrypting SOAP messages by using Kerberos tickets, so it is unnecessary to create a custom policy assertion unless additional functionality is needed.

ToTo use code to encrypt a SOAP message by using a Kerberos ticket

1. Open the Web service or client project in Visual Studio 2005.

Add references to the Microsoft.Web.Services3, System.Web.Services, and System.Security assemblies.

1. On the Project menu, click Add Reference.
2. Click the .NET tab, select Microsoft.Web.Services3.dll, and then click Select.
3. On the .NET tab, select System.Web.Services.dll, and then click Select.
4. On the .NET tab, select System.Security.dll, and then click Select.
5. Click OK.

1. Create a custom policy assertion.
   For more details about creating custom policy assertions, see How to: Create a Custom Policy Assertion that Secures SOAP Messages.

2. Override the SecureMessage method in the output SOAP filter for the client or the Web service.
   The following code example overrides the SecureMessage method for the client output SOAP filter.

   Public Overrides Sub SecureMessage(ByVal envelope As SoapEnvelope, ByVal security As Security)
   

   public override void SecureMessage(SoapEnvelope envelope, Security security)
   {
   

3. Add Imports or using directives to the top of the file that communicates with the Web service.

   1. At the top of the file, add the directives as shown in the following code example.

      Imports System
      Imports System.Collections.Generic
      Imports System.Text
      Imports System.Xml
      Imports System.Security.Cryptography.X509Certificates
      
      Imports Microsoft.Web.Services3
      Imports Microsoft.Web.Services3.Design
      Imports Microsoft.Web.Services3.Security
      Imports Microsoft.Web.Services3.Security.Tokens
      

      using System;
      using System.Collections.Generic;
      using System.Text;
      using System.Security.Cryptography.X509Certificates;
      
      using Microsoft.Web.Services3;
      using Microsoft.Web.Services3.Design;
      using Microsoft.Web.Services3.Security;
      using Microsoft.Web.Services3.Security.Tokens;
      

4. Add code to create a KerberosToken security token in the SecureMessage method.
   The hostname variable is the name of the computer hosting the target Web service, and the dnsDomainName variable is the Kerberos realm that the host is a member of. The Kerberos realm is needed only when the SOAP message sender resides in a different domain or realm then the target Web service.

   Dim kerbToken As KerberosToken = _
       New KerberosToken("host/" + hostname & _
       "@" + domainName)
   

   KerberosToken kerbToken = new KerberosToken("host/" + hostname +
       "@" + domainName);
   

5. Specify that the SOAP message must be encrypted by the Kerberos ticket.

   1. Create a new instance of the EncryptedData class by using the KerberosToken security token.

      Dim enc As New EncryptedData(kerbToken)
      

      EncryptedData enc = new EncryptedData(kerbToken);
      

   2. Add the encrypted data to the WS-Security SOAP header.

      security.Elements.Add(enc)
      

      security.Elements.Add(enc);
      

Example

The following code example creates a KerberosToken security token, and then encrypts a SOAP message by using the token.

Imports System
Imports System.Collections.Generic
Imports System.Text
Imports System.Xml
Imports System.Security.Cryptography.X509Certificates

Imports Microsoft.Web.Services3
Imports Microsoft.Web.Services3.Design
Imports Microsoft.Web.Services3.Security
Imports Microsoft.Web.Services3.Security.Tokens

    
    
    ...
    
    
            Public Overrides Sub SecureMessage(ByVal envelope As SoapEnvelope, ByVal security As Security)
            Dim kerbToken As KerberosToken = _
                New KerberosToken("host/" + hostname & _
                "@" + domainName)

            ' Encrypt the SOAP request by using the Kerberos ticket.
            Dim enc As New EncryptedData(kerbToken)
            security.Elements.Add(enc)
        End Sub

using System;
using System.Collections.Generic;
using System.Text;
using System.Security.Cryptography.X509Certificates;

using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

    
    
    ...
    
    
            public override void SecureMessage(SoapEnvelope envelope, Security security)
        {
            KerberosToken kerbToken = new KerberosToken("host/" + hostname +
                "@" + domainName);

            // Encrypt the SOAP request by using the Kerberos ticket.
            EncryptedData enc = new EncryptedData(kerbToken);
            security.Elements.Add(enc);
        }

See Also

Tasks

How to: Decrypt a SOAP Message Encrypted Using a Kerberos Ticket

Reference

<kerberosSecurity> Element
KerberosToken

Other Resources

Kerberos Ticket
Brokered Authentication – Kerberos
Kerberos Technical Supplement for Windows