Share via


KerberosSigningMethod Class

 

Defines a way for the Federation Service to digitally sign an AD FS token for an application (represented in the trust policy by a TrustingApplication object). Such tokens are signed using symmetric keys which are securely shared using the Kerberos security protocol of a Windows forest. A KerberosSigningMethod defined for a particular application overrides the global default X509SigningMethod defined in a Federation Service’s web.config file. Because the KerberosSigningMethod utilizes a cached symmetric session key, it may provide performance benefits over the default asymmetric-key-based signing method.

Namespace:   System.Web.Security.SingleSignOn
Assembly:  System.Web.Security.SingleSignOn (in System.Web.Security.SingleSignOn.dll)

Inheritance Hierarchy

System.Object
  System.Web.Security.SingleSignOn.SigningMethod
    System.Web.Security.SingleSignOn.KerberosSigningMethod

Syntax

[ComVisibleAttribute(true)]
public sealed class KerberosSigningMethod : SigningMethod
[ComVisibleAttribute(true)]
public ref class KerberosSigningMethod sealed : SigningMethod
[<Sealed>]
[<ComVisibleAttribute(true)>]
type KerberosSigningMethod = 
    class
        inherit SigningMethod
    end
<ComVisibleAttribute(True)>
Public NotInheritable Class KerberosSigningMethod
    Inherits SigningMethod

Constructors

Name Description
System_CAPS_pubmethod KerberosSigningMethod()

Initializes a new instance of the KerberosSigningMethod class.

System_CAPS_pubmethod KerberosSigningMethod(String)

Initializes a new instance of the KerberosSigningMethod class.

Properties

Name Description
System_CAPS_pubproperty TargetName

Gets or sets the ServicePrincipalName (SPN) of the target server resource partner or application.

Methods

Name Description
System_CAPS_pubmethod Equals(Object)

(Inherited from Object.)

System_CAPS_pubmethod GetHashCode()

(Inherited from Object.)

System_CAPS_pubmethod GetType()

(Inherited from Object.)

System_CAPS_pubmethod ToString()

(Inherited from Object.)

Remarks

The KerberosSigningMethod class is part of the Federation Service’s trust policy configuration.

In order for the KerberosSigningMethod object to be used, the target application must be running as a Windows domain service account from a domain in the same forest as the Federation Service’s domain service account or from a forest which has a cross-forest trust with the Federation Service’s forest. Generally, Kerberos authentication does not work across an external trust.

The TargetName property should be set to the ServicePrincipalName (SPN) of the targeted application. In the case of a claims-based application, the SPN should be registered on the domain service account under which the target’s IIS application pool is configured to run. In the case of a Windows NT token-based application, the SPN should be registered on the domain service account under which the target’s AD FS Web Agent Authentication Service (IFSSVC) is configured to run.

Thread Safety

Any public static ( Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

See Also

System.Web.Security.SingleSignOn Namespace

Return to top