How to: Decrypt a SOAP Message Encrypted Using a Kerberos Ticket

Decrypting a SOAP message that was encrypted using a Kerberos service ticket requires two things: the Web service must be WSE-enabled, and a policy must be applied to it that requires SOAP requests to be encrypted with a KerberosToken security token. WSE then decrypts the <body> element and rejects requests that do not satisfy the policy before the Web service method runs.

To decrypt SOAP messages encrypted using a Kerberos service ticket

  1. In the Web.config file for the Web application that is hosting the Web service, include a <soapServerProtocolFactory> element in the <webServices> section.

    When the SOAP message recipient is a Web service client, this configuration entry is not required. Instead, the base class of the proxy class must be changed so that the proxy derives from WebServicesClientProtocol.

    The following code example shows the configuration entry that must be placed in the Web.config file for WSE to run with a Web service. The type attribute of the <soapServerProtocolFactory> element must be on one line, even though the following sample shows it split across multiple lines for readability.

    <configuration>
        <system.web>
            <webServices>
                <soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> 
            </webServices>
        </system.web>
    </configuration>
    
  2. Apply a policy to the Web service that requires SOAP messages to be encrypted by a KerberosToken security token.

    1. Add a policy to the Web service's policy file that requires SOAP messages to be encrypted using a KerberosToken security token.
      The <kerberosSecurity> turnkey security assertion requires that SOAP requests are encrypted with a KerberosToken security token.

      Note

      When a policy is not explicitly specified for a Web service that is WSE-enabled, SOAP messages are processed using a pipeline that follows the semantics of the WSE 2.0 pipeline. The WSE 2.0 pipeline attempts to decrypt SOAP messages that are encrypted with a KerberosToken security token, but it does not require that incoming messages be encrypted; to enforce encryption, apply a policy as described in this step.

      The following code example demonstrates how to secure a SOAP message exchange using a KerberosToken security token. The code example defines a policy named ServicePolicy whose kerberosSecurity assertion specifies that a KerberosToken security token is used to authenticate the client, digitally sign the SOAP message, and encrypt the <body> element of the SOAP message. Because deriveKeys="true", the keys used to generate the digital signature and to encrypt the <body> element are not the same key, but rather are both derived from the key in the Kerberos ticket.

      <policies>
        <extensions>
          <extension name="kerberosSecurity"
                     type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          <extension name="kerberos"
                     type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          <extension name="requireActionHeader"
                     type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        </extensions>
        <policy name="ServicePolicy">
          <kerberosSecurity establishSecurityContext="false" signatureConfirmation="false" protectionOrder="SignBeforeEncrypting" deriveKeys="true">
            <token>
              <kerberos targetPrincipal="host/contoso4@contoso.com" impersonationLevel="Identification" />
            </token>
            <protection>
              <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
              <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
              <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
            </protection>
          </kerberosSecurity>
          <requireActionHeader />
        </policy>
      </policies>
      
    2. Apply a PolicyAttribute attribute to the Web service.
      The PolicyAttribute attribute can be applied to the class that implements the Web service methods. This applies the policy to all Web service methods (operations) within that class.
      The following code example specifies that all Web service methods within the Service class adhere to the ServicePolicy policy.

      Imports System.Web.Services
      Imports Microsoft.Web.Services3

      <WebService(Namespace:="https://www.contoso.com/")> _
      <WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _
      <Policy("ServicePolicy")> _
      Public Class Service
          Inherits System.Web.Services.WebService
          ' Web service methods (operations) go here; all of them are covered by ServicePolicy.
      End Class
      
      using System.Web.Services;
      using Microsoft.Web.Services3;

      [WebService(Namespace = "https://www.contoso.com/")]
      [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
      [Policy("ServicePolicy")] 
      public class Service : System.Web.Services.WebService
      {
          // Web service methods (operations) go here; all of them are covered by ServicePolicy.
      }
      
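      The following code example is added here and is not part of the original page or of the WSE 3.0 documentation. It extends the Service class above with a hypothetical WhoAmI operation that, after the ServicePolicy pipeline has run, confirms that the <body> really was decrypted with a KerberosToken and that the signature was produced with the same ticket, and then returns the authenticated caller's name. The member names used to inspect the processed security header (Security.Elements, EncryptedData.SecurityToken, MessageSignature.SigningToken, DerivedKeyToken.ParentToken, SecurityToken.Id) are assumed from the WSE 3.0 object model and should be checked against the installed Microsoft.Web.Services3 assembly before this code is relied on.

```csharp
using System;
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

// Added example (not from the WSE documentation): the page's Service class
// with one operation that double-checks what WSE already enforced via policy.
[WebService(Namespace = "https://www.contoso.com/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[Policy("ServicePolicy")]
public class Service : System.Web.Services.WebService
{
    // Assumed operation name; the original page defines no operations.
    [WebMethod]
    public string WhoAmI()
    {
        SoapContext ctx = RequestSoapContext.Current;
        if (ctx == null)
        {
            // WSE never saw this request: the <soapServerProtocolFactory>
            // entry is missing, so nothing was decrypted or verified.
            throw new SoapException("Request was not processed by WSE.",
                                    SoapException.ServerFaultCode);
        }

        KerberosToken encryptingTicket = null;
        KerberosToken signingTicket = null;

        // Walk the <wsse:Security> elements WSE processed. With
        // deriveKeys="true" each element is keyed by a DerivedKeyToken whose
        // parent is the service ticket, so unwrap before the type test.
        // (Member names assumed from the WSE 3.0 object model.)
        foreach (object element in ctx.Security.Elements)
        {
            EncryptedData enc = element as EncryptedData;
            if (enc != null)
                encryptingTicket = AsKerberosToken(enc.SecurityToken);

            MessageSignature sig = element as MessageSignature;
            if (sig != null)
                signingTicket = AsKerberosToken(sig.SigningToken);
        }

        if (encryptingTicket == null || signingTicket == null)
        {
            // ServicePolicy rejects such requests before this method runs;
            // the check remains so that a missing or mis-applied policy
            // (WSE 2.0 pipeline semantics) cannot silently accept plaintext.
            throw new SoapException(
                "SOAP body must be signed and encrypted with a KerberosToken.",
                SoapException.ClientFaultCode);
        }

        if (encryptingTicket.Id != signingTicket.Id)
        {
            // Both derived keys must come from the same ticket; otherwise the
            // signer and the party that encrypted the body may differ.
            throw new SoapException(
                "Signature and encryption must use the same Kerberos ticket.",
                SoapException.ClientFaultCode);
        }

        // impersonationLevel="Identification" in the policy allows reading
        // the caller's identity without acting on the caller's behalf.
        return signingTicket.Principal.Identity.Name;
    }

    // Resolve a DerivedKeyToken back to the KerberosToken it was derived
    // from; returns null when the element was keyed by some other token.
    private static KerberosToken AsKerberosToken(SecurityToken token)
    {
        DerivedKeyToken derived = token as DerivedKeyToken;
        if (derived != null)
            token = derived.ParentToken;
        return token as KerberosToken;
    }
}
```

      When ServicePolicy is applied as shown in step 2, WSE rejects a request that is not signed and encrypted with a KerberosToken before WhoAmI runs, so the in-method checks are only reached by conforming requests. They matter when no policy is applied (the WSE 2.0 pipeline decrypts but does not enforce) or as a defense-in-depth assertion that the deployed policy still says what the code expects.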

See Also

Tasks

How to: Encrypt a SOAP Message By Using a Kerberos Ticket

Reference

KerberosToken

Other Resources

Kerberos Ticket
Brokered Authentication – Kerberos
Kerberos Technical Supplement for Windows