WWSAPI to WCF interop 9: secure conversation bootstrapped by Kerberos AP-REQ token

In my post on WWSAPI federation support, I explained how to set up secure conversation on the WWSAPI client to work with a WCF server using WSFederationHttpBinding. In this post, I'll show how to use secure conversation without federation. Secure conversation can be helpful in reducing the payload size. For example, when a Kerberos AP-REQ token is used for authentication, the base64-encoded binary token alone is around 6KB of UTF-8 text. Using secure conversation to negotiate a smaller security context token (SCT) can improve performance when there is frequent message exchange between client and server.


To use a Kerberos AP-REQ token with mixed-mode security in WCF, we have to use a custom binding. Here is the config section:

      <customBinding>
        <binding name="SCWithKerberos">
          <security authenticationMode="SecureConversation">
            <secureConversationBootstrap authenticationMode="KerberosOverTransport" />
          </security>
          <httpsTransport />
        </binding>
      </customBinding>

The corresponding WS_SECURITY_DESCRIPTION can be set up using the following code:

    // declare and initialize a default windows credential
    // (the credential of the calling process, used to obtain the AP-REQ token)
    WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL defaultCredential = {
        {WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE}
    };

    // declare and initialize a kerberos APREQ message security binding;
    // the token is a supporting token in the message, as in KerberosOverTransport
    WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING kerberosBinding = {
        {WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING_TYPE},
        WS_SUPPORTING_MESSAGE_SECURITY_USAGE,
        &defaultCredential.credential
    };

    // declare and initialize an SSL transport security binding
    // (the transport protection that the supporting token relies on)
    WS_SSL_TRANSPORT_SECURITY_BINDING sslBinding = {
        {WS_SSL_TRANSPORT_SECURITY_BINDING_TYPE}
    };

    // declare and initialize the array of all bootstrap security bindings
    WS_SECURITY_BINDING* bootstrapSecurityBindings[2] = {
        &sslBinding.binding,
        &kerberosBinding.binding
    };

    // declare and initialize the bootstrap security description
    WS_SECURITY_DESCRIPTION bootstrapSecurityDescription = {
        bootstrapSecurityBindings,
        WsCountOf(bootstrapSecurityBindings)
    };

As described in my post on WWSAPI federation support, we then need to embed the bootstrap WS_SECURITY_DESCRIPTION above in a WS_SECURITY_CONTEXT_MESSAGE_SECURITY_BINDING, which in turn goes into the security description that the proxy actually uses.

    // declare and initialize a secure conversation message security binding;
    // the bootstrap description is used once to negotiate the SCT
    WS_SECURITY_CONTEXT_MESSAGE_SECURITY_BINDING contextBinding = {
        {WS_SECURITY_CONTEXT_MESSAGE_SECURITY_BINDING_TYPE},
        WS_SUPPORTING_MESSAGE_SECURITY_USAGE,
        &bootstrapSecurityDescription
    };

    // declare and initialize the array of all security bindings
    // (the same sslBinding from the bootstrap is reused for the transport)
    WS_SECURITY_BINDING* securityBindings[2] = {
        &contextBinding.binding,
        &sslBinding.binding
    };

    // declare and initialize the security description passed to the proxy
    WS_SECURITY_DESCRIPTION securityDescription = {
        securityBindings,
        WsCountOf(securityBindings)
    };

One thing to note about the Kerberos AP-REQ token is that its symmetric key can be 128 bits, as opposed to the 256 bits required by the Basic256 algorithm suite, which is the default used by both WWSAPI and WCF.
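The WCF side of the config section above, built in code so the bootstrap, secure conversation and transport layers are explicit and the algorithm suite is visible rather than left at its Basic256 default. This is an added example, not code from the post; the `useBasic128` switch is this example's assumption (the post only notes the 128-bit key), and the class and method names are made up here.

```csharp
using System;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Added example: the same binding as <customBinding name="SCWithKerberos">.
public static class ScWithKerberosBinding
{
    // useBasic128 is an assumption of this example: the post notes the Kerberos
    // AP-REQ key can be 128-bit while Basic256 is the default suite on both sides.
    public static CustomBinding Create(bool useBasic128)
    {
        // == <secureConversationBootstrap authenticationMode="KerberosOverTransport" />
        // The AP-REQ token is a supporting token inside the message, protected by
        // the HTTPS transport (WWSAPI: kerberosBinding + sslBinding in
        // bootstrapSecurityDescription).
        SecurityBindingElement bootstrap =
            SecurityBindingElement.CreateKerberosOverTransportBindingElement();
        if (useBasic128)
            bootstrap.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128;

        // == <security authenticationMode="SecureConversation">
        // The bootstrap runs once to negotiate an SCT, which then protects each
        // request (WWSAPI: contextBinding + sslBinding in securityDescription).
        SecurityBindingElement secureConversation =
            SecurityBindingElement.CreateSecureConversationBindingElement(bootstrap);
        if (useBasic128)
            secureConversation.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128;

        // == <httpsTransport />; security element must precede the transport element
        return new CustomBinding(secureConversation, new HttpsTransportBindingElement());
    }

    // Check that the resulting stack is [security, https] and report whether the
    // security element is on Basic128 (true) or still on another suite (false).
    public static bool UsesBasic128OverHttps(CustomBinding binding)
    {
        BindingElementCollection elements = binding.CreateBindingElements();
        SecurityBindingElement sbe = elements.Find<SecurityBindingElement>();
        HttpsTransportBindingElement https = elements.Find<HttpsTransportBindingElement>();
        if (sbe == null || https == null)
            throw new InvalidOperationException("expected security + https binding elements");
        return sbe.DefaultAlgorithmSuite == SecurityAlgorithmSuite.Basic128;
    }
}
```

`UsesBasic128OverHttps(Create(true))` returns true and `UsesBasic128OverHttps(Create(false))` returns false, which makes the suite mismatch between the default WCF binding and a 128-bit Kerberos key easy to spot in a test.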