Partager via


Kerberos Ticket

Web Services Enhancements for Microsoft .NET (WSE) supports signing and encrypting SOAP messages by using Kerberos version 5 protocol security tokens. Kerberos security tokens are binary security tokens. This binary data is a service ticket as described in RFC 1510, "The Kerberos Network Authentication Service (V5)."

The Kerberos protocol is used to mutually authenticate users and services on an open and unsecured network. It allows services to correctly identify the user of a Kerberos ticket without having to authenticate the user at the service. It does this by using shared secret keys.

The Kerberos protocol uses shared secret keys to encrypt and sign users' credentials. A client is authenticated by a Kerberos Key Distribution Center (KDC). After that authentication, the user can request a service ticket to access a specific service on the network. This ticket includes the encrypted authenticated identity of the user.

Kerberos tokens work on computers with Windows Server 2003 or later or Windows XP with Service Pack 1 or later installed. Windows 2000 is not a supported operating system for this feature. When you are running your application on Windows XP, the ASPNET account requires a high-security permission. There are two ways to grant this high-security permission to the ASPNET account:

  1. Grant the ASPNET account the Act as Part of the Operating System permission by using the Local Security Settings administrative tool, and then restart the system.
  2. Set the userName attribute of the <processModel> element in the Machine.config file to "system", and then reset IIS.

To use the Kerberos feature of WSE, your application and the service you access must be running on computers joined to a Kerberos realm. To use Kerberos tickets with clients that are not part of the service's Kerberos realm, you must create a security token service to issue service tickets. For information about creating a security token service that issues custom security tokens, see Establishing a Secure Conversation with Custom Security Tokens.

Note

You can also sign or encrypt a message with a KerberosToken security token by using policy and one of the Turnkey Security Assertions. For more information about using policy to secure the SOAP message, see How to: Secure a Web Service Using a Policy File.

In This Section

See Also

Other Resources

Brokered Authentication – Kerberos
Kerberos Technical Supplement for Windows