How to run STS with a Kerberos Auth.?

Hi,

Currently I am experimenting with a CardSpace demo using a Managed Card and an STS. I've downloaded the Sample STS and built the STS service with U/P, Smartcard and Self-issued Auth. All of them work fine :)
According to the introduction to CardSpace, Kerberos can also be used to authenticate against the STS. But I have no idea how to use it with CardSpace. What shall I do to use Kerberos within CardSpace? Can anyone tell me the whole set of steps to enable Kerberos with the STS?
Any answer is appreciated!!

XuanChen at 2008-1-10
# 1

1. Creating card for Kerberos scenario:

The card to be created needs to have a kerberos credential like

Code Snippet
<wsid:UserCredential>
<wsid:KerberosV5Credential />
</wsid:UserCredential>

In terms of the sample STS, the Card -> Type parameter in the card creation ini file has to be KerberosAuth

2. STS hosting:

Due to the nature of Kerberos, the STS must register its service principal name (SPN) under the account in the Active Directory directory service that the service is running under. By default, Active Directory registers the network basic input/output system (NetBIOS) computer name. Active Directory also permits the Network Service or the Local System account to use Kerberos.

For simplicity's sake, you can run the STS as Local System. Also, the STS must expose its endpoint identity as the hosting machine's COMPUTERNAME (the endpoint identity is specified in the MEX response).

In terms of the sample STS, the binding should be something like

Code Snippet

<customBinding>
  <binding name="StsBinding">
    <useManagedPresentation />
    <security authenticationMode="Kerberos" keyEntropyMode="ServerEntropy"></security>
    <httpTransport />
  </binding>
</customBinding>

Also, you might still need to configure a certificate for the STS to use for encrypting the token for the RP.

On XP, you can use the scheduler to create a command window that runs as SYSTEM like this:

Code Snippet

at 18:00 /interactive cmd

rakeshb at 2007-10-3 > top of Msdn Tech,Software Development for Windows Vista,Windows CardSpace (InfoCard)...
# 2
rakeshb, thank you very much for your reply.

To your point 1. Creating card for Kerberos scenario:

I've actually tried to create a managed card of type KerberosAuth with the CardWriter. I changed the Issuer part as follows:

Code Snippet

[Issuer]
Name=Fabrikam Auto Group
Address=http://www.fabrikam.com:7000/sample/trust/Kerberosauth/sts
MexAddress=https://www.fabrikam.com:7001/sample/trust/Kerberosauth/mex
PrivacyPolicy=http://www.fabrikam.com/PrivacyPolicy.xml
; certificate should be either a STORELOCATION/STORE/Subject name
; or
; c:\path\to\cert.pfx -- in which case you also need a CertificatePassword=
Certificate=LOCALMACHINE/MY/www.fabrikam.com
;CertificatePassword=foo

I changed the Address and MexAddress of the STS in order to deal with the KerberosAuth. So I think I must additionally add the KerberosAuth service to the STS.

For the Credentials part, I don't know what I should write for value and hint, so I just left it blank. Here is my code:

Code Snippet

[Credentials]
; if the Auth type is UserNamePassword the value is the Username
; if the Auth type is SmartCard the value is the Certificate
; Path(Localmachine/my/www.fabrikam.com), hash, filename (in which case you may need
; certificatepassword=)
; if the Auth type is SelfIssuedAut the value is the PPID
; value=
; Hint=Enter your username and password

After all that, I created the Managed Card. But when I tried to install it into CardSpace, I found that the Card was still a "U/P backed" Card, and CardSpace told me that a Card with the same version already exists (I had installed a Card with Username/Password before) and asked me whether I wanted to replace it with the new card.

How can I create a REAL KerberosAuth managed card? Shall I change the source code of the CardWriter to do that?

To point 2 : STS hosting

I've already added your "binding" code to the app.config. I'll first try to configure a Kerberos domain and then try to bind it to the STS.

If anyone wants to do the same thing with Kerberos as me, we can discuss it in this thread.

XuanChen at 2007-10-3
# 3
One more question:

I am using Windows XP. Before I bind Kerberos to the STS, must I build an Active Directory domain which uses Kerberos as the auth method? As far as I know, Windows XP cannot be used as a Domain Controller. Is there any other way to experiment with Kerberos and the STS without building a whole Active Directory domain with Kerberos?

Thanks for all the help!!

XuanChen at 2007-10-3
# 4
Now I have successfully created a Kerberos Managed Card. Here is my .ini file:

Code Snippet

[CARD]
; type is one of UserNamePassword,KerberosAuth,SelfIssuedAuth,SmartCard,
TYPE=KerberosAuth

[Details]
Name=My Card (Kerberos backed)
ID=http://www.fabrikam.com/card/kerberos/randomnnumber123
version=1
image=images\fabrikam.jpg

[Issuer]
Name=Fabrikam Auto Group
Address=http://www.fabrikam.com:7000/sample/trust/Kerberos/sts
MexAddress=https://www.fabrikam.com:7001/sample/trust/Kerberos/mex
PrivacyPolicy=http://www.fabrikam.com/PrivacyPolicy.xml
; certificate should be either a STORELOCATION/STORE/Subject name
; or
; c:\path\to\cert.pfx -- in which case you also need a CertificatePassword=
Certificate=LOCALMACHINE/MY/www.fabrikam.com
;CertificatePassword=foo

[Claims]
; add claims required for card. standard (self issued) are listed below.
; keynames are not important (just don't duplicate them)
1=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
2=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
3=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
;3=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress
;4=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
;5=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
;6=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode
;7=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country
;8=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone
;9=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
;10=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
;11=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth
;12=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender
13=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
;4=http://my-uri.com/test

[http://my-uri.com/test]
display=My Super Claim
description=A claim for all to see

[TokenTypes]
; add token types.
; keynames are not important (just don't duplicate them)
1=urn:oasis:names:tc:SAML:1.0:assertion
;2=http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1

[Token Details]
RequiresAppliesTo=false

[Credentials]
; if the Auth type is UserNamePassword the value is the Username
; if the Auth type is SmartCard the value is the Certificate Path(Localmachine/my/www.fabrikam.com), hash, filename (in which case you may need certificatepassword=)
; if the Auth type is SelfIssuedAut the value is the PPID
; value=
; Hint=Enter your username and password

But I still don't know what I should write for "value" and "Hint" in the "Credentials" part. I can't find any information about using Kerberos with the STS. So please please help me. Any kind of help will be deeply appreciated!!!!

XuanChen at 2007-10-3
# 5

The Credentials section is to be left blank for Kerberos.

rakeshb at 2007-10-3
# 6

For hosting, if you have a machine which is domain joined, you can use it readily by hosting the STS under the SYSTEM account as I mentioned earlier.

CardSpace tries to use the credentials of the logged-on user for authenticating to the STS; it will not prompt for any credentials.

Thanks,

Rakesh

rakeshb at 2007-10-3
# 7

Thanks for your reply, Rakesh!!

To my understanding:

  1. Both the STS server and the CardSpace user must first join a domain where the Active Directory directory service is available and Kerberos is used for Auth.
  2. The STS must register its service principal name (SPN) under the account in the Active Directory directory service. That is something like this: STS_COMPUTERNAME/STS_USERNAME.
  3. The STS must expose its endpoint identity as the hosting machine's COMPUTERNAME. I don't quite understand this point. Does the "endpoint identity" here mean the SPN of the STS server? How can I expose the "endpoint identity"? Do I need to change the .ini file of the Card, i.e. the ISSUER ADDRESS and the ISSUER MEXADDRESS, which are "Address=http://www.fabrikam.com:7000/sample/trust/kerberos/sts
     MexAddress=https://www.fabrikam.com:7001/sample/trust/kerberos/mex" in my sample right now?
  4. Anything else?

Are the steps above correct?

Another question is: because I only have one Windows XP computer right now, is it possible to configure all of that (I mean the Domain with the Active Directory directory service, the STS server and the CardSpace user) on one computer?

Thanks

Xuan

XuanChen at 2007-10-3
# 8

For (2), if you are running the STS under a separate account, that account's SPN must be registered in AD. By default, the local machine's name is automatically registered in AD. Hence I was suggesting using that for sample purposes.

For (3), my intent was not related to the CRD file. It was related to the WSDL/policy that gets returned during MEX with the STS. The policy returned in MEX should have the SPN identity specified in the endpoint address for the STS.

You won't be able to run the sample on non-domain-joined XP (unless you use virtual machines for server OSes).

rakeshb at 2007-10-3
# 9

Thanks rakesh!!

After some days' work, I've finally built an AD domain. Now the STS runs under the SYSTEM account and the client can communicate with it successfully using the other three methods: self-issued Card, Smartcard and U/P.

Since I no longer need to register the SPN of the STS in AD once the STS runs under the SYSTEM account, it seems that what I still need to do now is to add the SPN of the STS to the endpoint address in the policy returned in MEX. Do you have any idea which part of the Simple STS code I should modify in order to add the endpoint address?

Thanks a lot. I am very grateful for your help!!

xuan

XuanChen at 2007-10-3
# 10

One option is to add the following in the app.config for your Kerberos services' endpoint (services->service->endpoint->identity)

Code Block

<service behaviorConfiguration=".." name="KerbSTS">
  <endpoint address=".."
            binding=".."
            bindingConfiguration=".."
            contract="..">
    <identity>
      <servicePrincipalName value="host/MACHINE_NAME" />
    </identity>
  </endpoint>
</service>

Make sure that the machines on which you run the Client and the STS are both domain joined (you may use the same machine for both client and STS).

rakeshb at 2007-10-3
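As an added example, not code from the sample STS or from any post in this thread, the following C# builds the same WCF binding as the customBinding fragment in #1 (managed presentation, Kerberos message security with server entropy, HTTP transport) and stamps the same servicePrincipalName identity on the endpoint as the app.config fragment in #10, so that the SPN shows up in the WSDL/policy returned from MEX. It also checks at start-up that the SPN names the hosting machine, which is what the run-as-SYSTEM recipe from #2 and #8 relies on. The contract, class and namespace names (IKerbSts, KerbSts, KerbStsHost) are hypothetical; the addresses reuse the fabrikam.com values from the card .ini files above.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

// Hypothetical contract; the sample STS's own WS-Trust contract type is not shown in the thread.
[ServiceContract(Namespace = "http://example.invalid/kerbsts")]
public interface IKerbSts
{
    // Generic pass-through operation so the host compiles and opens stand-alone.
    [OperationContract(Action = "*", ReplyAction = "*")]
    Message ProcessRequest(Message request);
}

// Hypothetical implementation; token issuance itself lives in the sample STS project.
public class KerbSts : IKerbSts
{
    public Message ProcessRequest(Message request)
    {
        throw new FaultException("Token issuance is not part of this hosting example.");
    }
}

public static class KerbStsHost
{
    // Programmatic equivalent of <customBinding name="StsBinding">:
    // <useManagedPresentation />, <security authenticationMode="Kerberos" keyEntropyMode="ServerEntropy" />, <httpTransport />.
    public static CustomBinding CreateKerberosBinding()
    {
        SymmetricSecurityBindingElement security = SecurityBindingElement.CreateKerberosBindingElement();
        security.KeyEntropyMode = SecurityKeyEntropyMode.ServerEntropy;
        return new CustomBinding(
            new UseManagedPresentationBindingElement(),
            security,
            new HttpTransportBindingElement());
    }

    // Under the run-as-SYSTEM recipe the only SPN the KDC knows for this service is the
    // machine's own host/<COMPUTERNAME>; advertising anything else in the MEX policy makes
    // the CardSpace client request a ticket for a principal the STS cannot decrypt.
    public static bool SpnMatchesLocalMachine(string spn)
    {
        string expected = "host/" + Environment.MachineName;
        return string.Equals(spn, expected, StringComparison.OrdinalIgnoreCase);
    }

    // Hosts the STS with the Kerberos binding and the SPN identity on its endpoint, plus a
    // MEX endpoint over HTTPS matching the MexAddress in the managed card.
    public static ServiceHost Open(Uri stsAddress, Uri mexAddress, string spn)
    {
        if (!SpnMatchesLocalMachine(spn))
        {
            throw new InvalidOperationException(
                "SPN '" + spn + "' does not name this machine; when running as SYSTEM use host/" +
                Environment.MachineName + ", otherwise register the SPN on the service account.");
        }

        var host = new ServiceHost(typeof(KerbSts));

        // Equivalent of <endpoint ...><identity><servicePrincipalName value="host/MACHINE_NAME" /></identity></endpoint>
        ServiceEndpoint sts = host.AddServiceEndpoint(typeof(IKerbSts), CreateKerberosBinding(), stsAddress);
        sts.Address = new EndpointAddress(stsAddress, EndpointIdentity.CreateSpnIdentity(spn));

        host.Description.Behaviors.Add(new ServiceMetadataBehavior());
        host.AddServiceEndpoint(ServiceMetadataBehavior.MexContractName,
            MetadataExchangeBindings.CreateMexHttpsBinding(), mexAddress);

        host.Open();
        return host;
    }
}

public static class Program
{
    public static void Main()
    {
        // Addresses taken from the card .ini in this thread; the SPN is derived from this machine.
        using (ServiceHost host = KerbStsHost.Open(
            new Uri("http://www.fabrikam.com:7000/sample/trust/Kerberos/sts"),
            new Uri("https://www.fabrikam.com:7001/sample/trust/Kerberos/mex"),
            "host/" + Environment.MachineName))
        {
            Console.WriteLine("Kerberos STS listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

The MEX endpoint needs an HTTPS binding on the machine for port 7001 (certificate bound with httpcfg/netsh), exactly as the sample STS already requires for its other auth types; the Kerberos-specific part is only the binding and the identity element.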