KerberosSigningMethod Class
Defines a way for the Federation Service to digitally sign an AD FS token for an application (represented in the trust policy by a TrustingApplication object). Such tokens are signed using symmetric keys which are securely shared using the Kerberos security protocol of a Windows forest. A KerberosSigningMethod defined for a particular application overrides the global default X509SigningMethod defined in a Federation Service’s web.config file. Because the KerberosSigningMethod utilizes a cached symmetric session key, it may provide performance benefits over the default asymmetric-key-based signing method.
Namespace: System.Web.Security.SingleSignOn
Assembly: System.Web.Security.SingleSignOn (in System.Web.Security.SingleSignOn.dll)
Inheritance Hierarchy
System.Object
System.Web.Security.SingleSignOn.SigningMethod
System.Web.Security.SingleSignOn.KerberosSigningMethod
Syntax
C#

```csharp
[ComVisibleAttribute(true)]
public sealed class KerberosSigningMethod : SigningMethod
```

C++

```cpp
[ComVisibleAttribute(true)]
public ref class KerberosSigningMethod sealed : SigningMethod
```

F#

```fsharp
[<Sealed>]
[<ComVisibleAttribute(true)>]
type KerberosSigningMethod =
    class
        inherit SigningMethod
    end
```

VB

```vb
<ComVisibleAttribute(True)>
Public NotInheritable Class KerberosSigningMethod
    Inherits SigningMethod
```
Constructors
Name | Description
---|---
KerberosSigningMethod() | Initializes a new instance of the KerberosSigningMethod class.
KerberosSigningMethod(String) | Initializes a new instance of the KerberosSigningMethod class.
Properties
Name | Description
---|---
TargetName | Gets or sets the ServicePrincipalName (SPN) of the target server resource partner or application.
Methods
Name | Description
---|---
Equals(Object) | (Inherited from Object.)
GetHashCode() | (Inherited from Object.)
GetType() | (Inherited from Object.)
ToString() | (Inherited from Object.)
Remarks
The KerberosSigningMethod class is part of the Federation Service’s trust policy configuration.
In order for the KerberosSigningMethod object to be used, the target application must be running as a Windows domain service account from a domain in the same forest as the Federation Service’s domain service account or from a forest which has a cross-forest trust with the Federation Service’s forest. Generally, Kerberos authentication does not work across an external trust.
The TargetName property should be set to the ServicePrincipalName (SPN) of the targeted application. In the case of a claims-based application, the SPN should be registered on the domain service account under which the target’s IIS application pool is configured to run. In the case of a Windows NT token-based application, the SPN should be registered on the domain service account under which the target’s AD FS Web Agent Authentication Service (IFSSVC) is configured to run.
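Putting the two Remarks above into code, as an added example that is not from this page or from AD FS itself: the snippet builds a KerberosSigningMethod for one claims-based application and rejects a TargetName that is not shaped like an SPN before it is ever used, since a malformed SPN can never match a ticket the Federation Service requests. The SPN `HTTP/claimsapp.contoso.com`, the app pool identity it is assumed to be registered on, and the `IsWellFormedSpn`/`Create` helpers are all assumptions for illustration; how the resulting object is attached to the application's TrustingApplication entry is not documented on this page and is deliberately left out.

```csharp
// Added example (not from the original page): prepare a KerberosSigningMethod
// for a trusting application and sanity-check the SPN first.
// Assumptions: the application's IIS app pool runs as a domain service account
// in the same forest as the Federation Service (placeholder CONTOSO\svc-claimsapp),
// and that account carries the SPN HTTP/claimsapp.contoso.com (placeholder).
using System;
using System.Text.RegularExpressions;
using System.Web.Security.SingleSignOn;

static class KerberosSigningSetup
{
    // An SPN has the shape serviceclass/host[:port][/servicename]; anything else
    // will not match a service ticket, so refuse it before it reaches TargetName.
    static readonly Regex SpnShape =
        new Regex(@"^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+(:\d{1,5})?(/[^\s/]+)?$");

    public static bool IsWellFormedSpn(string spn)
    {
        return !string.IsNullOrEmpty(spn) && SpnShape.IsMatch(spn);
    }

    public static KerberosSigningMethod Create(string spn)
    {
        if (!IsWellFormedSpn(spn))
            throw new ArgumentException("Not a valid ServicePrincipalName: " + spn, "spn");

        // TargetName is the SPN the Federation Service obtains a Kerberos ticket for;
        // it must be registered on the domain account the target application runs under
        // (the IIS app pool identity for a claims-based application, the IFSSVC service
        // account for a Windows NT token-based application).
        var method = new KerberosSigningMethod();
        method.TargetName = spn;
        return method;
    }

    static void Main()
    {
        // Placeholder SPN for a claims-aware application.
        KerberosSigningMethod m = Create("HTTP/claimsapp.contoso.com");
        Console.WriteLine("Signing target: " + m.TargetName);
    }
}
```

The shape check is only a local guard; whether the SPN is actually registered on the right account in the right forest can only be confirmed in Active Directory, which is the condition the Remarks describe.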
Thread Safety
Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
See Also
System.Web.Security.SingleSignOn Namespace