

<kerberos> Element

Specifies details about a KerberosToken security token.

<policies> Element
  <policy> Element (Policy)
    <kerberosSecurity> Element
      <token> Element

<kerberos impersonationLevel="level of impersonation supported."
                    targetPrincipal="target principal name" />

Microsoft.Web.Services3.Design.KerberosTokenProvider

Attributes and Elements

Attributes

Attribute Description

impersonationLevel

Required ImpersonationLevel attribute. Specifies how a recipient of the KerberosToken security token can use the identity that is associated with the security token.

targetPrincipal

Required attribute. Specifies the target principal name. The format of the target principal name is host/machinename@realm.

Child Elements

None.

Parent Elements

Element Description

<token> Element

Specifies the details that are needed to create an instance of a security token.

Remarks

The <kerberos> security token provider can be used only with the <kerberosSecurity> turnkey policy assertion. To use the <kerberosSecurity> policy assertion, the kerberosSecurity and the kerberos policy extensions must be added to the policy file. To add the kerberosSecurity policy extension, add an <extension> element with the name attribute set to kerberosSecurity and the type attribute set to Microsoft.Web.Services3.Design.KerberosAssertion. To add the kerberos policy extension, add an <extension> element with the name attribute set to kerberos and the type attribute set to Microsoft.Web.Services3.Design.KerberosTokenProvider.

Example

The following code example demonstrates how to secure an application using a KerberosToken security token. The code example defines a policy assertion named kerberosAuthenticationKerberosProtection, which specifies that a KerberosToken security token is used to authenticate the client, digitally sign the SOAP message, and encrypt the <body> element of the SOAP message. The keys used to generate the digital signature and encrypt the <body> element are not the same keys, but are instead derived from the key for the KerberosToken security token.

Note

This code example is designed to demonstrate WSE features and is not intended for production use.

<policies>
  <extensions>
    <extension name="kerberosSecurity"
               type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="kerberos"
               type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="kerberosAuthenticationKerberosProtection">
    <kerberosSecurity establishSecurityContext="false" signatureConfirmation="false" protectionOrder="SignBeforeEncrypting" deriveKeys="true">
      <token>
        <kerberos targetPrincipal="host/contoso4@contoso.com" impersonationLevel="Identification" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>
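
The following check is an added example, not part of the original documentation or of WSE: a Python linter that applies the rules stated in Remarks and in the attribute descriptions to a policy file (both extensions registered with the documented types, <kerberos> nested in <kerberosSecurity>/<token>, both required attributes present, targetPrincipal shaped host/machinename@realm). The function name lint_policy, the regular expression and the SAMPLE_BAD document are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Extension names and types as given in the Remarks section of the page.
REQUIRED_EXTENSIONS = {
    "kerberosSecurity": "Microsoft.Web.Services3.Design.KerberosAssertion",
    "kerberos": "Microsoft.Web.Services3.Design.KerberosTokenProvider",
}
# Assumed pattern for the documented format host/machinename@realm.
SPN_RE = re.compile(r"^host/[^/@\s]+@[^/@\s]+$")

# Constructed sample: 'kerberos' extension missing, no impersonationLevel, bad principal.
SAMPLE_BAD = """<policies><extensions>
  <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3" />
</extensions><policy name="p1"><kerberosSecurity><token>
  <kerberos targetPrincipal="contoso4" />
</token></kerberosSecurity></policy></policies>"""


def lint_policy(xml_text):
    """Return a list of findings for a policy document (empty list = clean)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop any XML namespace so tag names compare directly
        el.tag = el.tag.split("}")[-1]
    findings = []
    # The type attribute is assembly-qualified; compare only the type name part.
    registered = {
        ext.get("name"): (ext.get("type") or "").split(",")[0].strip()
        for ext in root.findall("./extensions/extension")
    }
    for name, type_name in REQUIRED_EXTENSIONS.items():
        if registered.get(name) != type_name:
            findings.append(f"extension '{name}' must be registered as {type_name}")
    parents = {child: parent for parent in root.iter() for child in parent}
    for policy in root.findall("./policy"):
        label = policy.get("name", "<unnamed>")
        for kerb in policy.iter("kerberos"):
            token = parents[kerb]
            if token.tag != "token" or parents[token].tag != "kerberosSecurity":
                findings.append(f"{label}: <kerberos> must sit in <kerberosSecurity>/<token>")
            for attr in ("impersonationLevel", "targetPrincipal"):
                if not (kerb.get(attr) or "").strip():
                    findings.append(f"{label}: required attribute '{attr}' is missing")
            spn = (kerb.get("targetPrincipal") or "").strip()
            if spn and not SPN_RE.match(spn):
                findings.append(f"{label}: targetPrincipal '{spn}' is not host/machinename@realm")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_BAD)))
```

Run against the policy shown above, lint_policy returns an empty list; run against SAMPLE_BAD, it reports the missing extension, the missing impersonationLevel and the malformed targetPrincipal.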

See Also

Reference

<kerberosSecurity> Element
<token> Element
ImpersonationLevel
KerberosToken