Share via


Kerberos Ticket

Web Services Enhancements for Microsoft .NET (WSE) supports signing and encrypting SOAP messages by using Kerberos version 5 protocol security tokens. Kerberos security tokens are binary security tokens. This binary data is a service ticket as described in RFC 1510, " HYPERLINK "http://www.ietf.org/rfc/rfc1510.txt" The Kerberos Network Authentication Service (V5)."

The Kerberos protocol is used to mutually authenticate users and services on an open and unsecured network. It allows services to correctly identify the user of a Kerberos ticket without having to authenticate the user at the service. It does this by using shared secret keys.

The Kerberos protocol uses shared secret keys to encrypt and sign users' credentials. A client is authenticated by a Kerberos Key Distribution Center (KDC). After that authentication, the user can request a service ticket to access a specific service on the network. This ticket includes the encrypted authenticated identity of the user.

Kerberos tokens work on computers with Windows Server 2003 or later or Windows XP with Service Pack 1 or later installed. Windows 2000 is not a supported operating system for this feature. When you are running your application on Windows XP, the ASPNET account requires a high-security permission. There are two ways to grant this high-security permission to the ASPNET account:

  1. Grant the ASPNET account the Act as Part of the Operating System permission by using the Local Security Settings administrative tool, and then restart the system.
  2. Set the userName attribute of the <processModel> element in the Machine.config file to "system", and then reset IIS.

To use the Kerberos feature of WSE, your application and the service you access must be running on computers joined to a Kerberos realm. To use Kerberos tickets with clients that are not part of the service's Kerberos realm, you must create a security token service to issue service tickets. For information about creating a security token service that issues custom security tokens, see How to: Create a Class Representing a Custom Security Token Service.

Note

You can also sign or encrypt a message with a KerberosToken security token by using send-side policy. With send-side policy, a SOAP sender creates an instance of a KerberosToken security token and places it in the PolicyEnforcementSecurityTokenCachestore. For information on how to use send-side policy, see Configuring a Web Service's Policy.

In This Section