Spec of TLSNego protocol

Post by b3JvdWl » Sat, 11 Mar 2006 19:11:27


Hi,

I've been searching on the internet and basically on all the newsgroups I
could find for a specification of TLSNego, but it seems that it doesn't exist.

However, this is extracted from the first RST sent by a client to an STS in
the Federation sample of the February CTP:
<t:BinaryExchange
ValueType=" http://www.yqcomputer.com/ ">FgMBAEEBAAA9AwFEEU7bqmQX+am6uK1rHXWZ+5gVbVUo/GzHPOx3WdqmIQAAFgAEAAUACgAJAGQAYgADAAYAEwASAGMBAA==</t:BinaryExchange>

I've posted this on another MSDN forum but I don't get any answer. This is
quite a blocking issue for us, and before making a paid request on MSDN I would
like to be sure that this protocol is not a private spec of Microsoft and that
I will get a solution.

<BinaryExchange> is part of WS-Trust, but TLSNego is definitely not part of
this standard, so I would like to understand how an STS written without any MS
framework (WSE or WCF) can interact with this so-called interoperable
technology.

Thanks for any hint about it!

--
Olivier ROUIT
Advance IT Tokens
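The BinaryExchange value quoted above decodes as a plain TLS record. The following added example (not code from either poster) parses it as a TLS 1.0 ClientHello and names the cipher suites the client offered; the suite-name table and the assumption that the hello carries no extensions are mine.

```python
import base64
import struct

# The BinaryExchange value quoted in the post above (copied from it).
TLSNEGO_BLOB = ("FgMBAEEBAAA9AwFEEU7bqmQX+am6uK1rHXWZ+5gVbVUo/GzHPOx3WdqmIQAAFgAE"
                "AAUACgAJAGQAYgADAAYAEwASAGMBAA==")

# Cipher suite codes as assigned in the TLS 1.0 era (RFC 2246 plus the 56/1024-bit export suites).
SUITE_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA", 0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA", 0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

def parse_client_hello(b64: str) -> dict:
    """Parse a single TLS record that must carry a ClientHello; raise ValueError otherwise."""
    data = base64.b64decode(b64)
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != 22 or len(data) != 5 + rec_len:          # 22 = handshake content type
        raise ValueError("not one complete TLS handshake record")
    body = data[5:]
    if body[0] != 1 or int.from_bytes(body[1:4], "big") != len(body) - 4:  # 1 = ClientHello
        raise ValueError("handshake message is not a ClientHello")
    p = 4
    client_version = (body[p], body[p + 1])
    random = body[p + 2:p + 34]                             # 4-byte gmt_unix_time + 28 random bytes
    sid_len = body[p + 34]
    p += 35 + sid_len                                       # skip the session_id
    cs_len = struct.unpack("!H", body[p:p + 2])[0]
    codes = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p + 2, p + 2 + cs_len, 2)]
    p += 2 + cs_len
    compression = list(body[p + 1:p + 1 + body[p]])
    if p + 1 + body[p] != len(body):                        # assumption: no hello extensions
        raise ValueError("trailing bytes after ClientHello")
    return {
        "record_version": (major, minor), "client_version": client_version,
        "gmt_unix_time": struct.unpack("!I", random[:4])[0],
        "session_id_len": sid_len,
        "cipher_suites": [SUITE_NAMES.get(c, f"unknown_0x{c:04x}") for c in codes],
        "compression": compression,
    }

if __name__ == "__main__":
    for key, value in parse_client_hello(TLSNEGO_BLOB).items():
        print(f"{key}: {value}")
```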

Post by Pablo Cibr » Sat, 11 Mar 2006 23:27:55

Hi Olivier,

I have already discussed this topic with you before. WCF tries to negotiate
a service certificate with the TLSNego protocol when you use the
wsHttpBinding.
You have two ways of avoiding that behavior:

1. Disable the negotiateServiceCredentials flag on the wsHttpBinding
2. Use a custom binding, as I show below (It uses UsernameOverCertificate
but you can modify it to use MutualCertificate).

<system.serviceModel>
  <client>
    <endpoint name="clientendpoint"
              address="http://localhost/WCFSampleService/service.svc"
              binding="wsFederationHttpBinding"
              contract="IHelloWorld"
              behaviorConfiguration="ServiceBehavior"
              bindingConfiguration="ServiceBinding">
      <identity>
        <dns value="WCFQuickstartServer"/>
      </identity>
    </endpoint>
  </client>

  <bindings>
    <!-- Binding used to talk to the STS (UsernameOverCertificate) -->
    <customBinding>
      <binding name="UsernameBinding">
        <security authenticationMode="UserNameForCertificate"
                  requireSignatureConfirmation="false"
                  messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                  requireDerivedKeys="true">
        </security>
        <httpTransport/>
      </binding>
    </customBinding>

    <!-- Binding used to talk to the service with the issued token -->
    <wsFederationHttpBinding>
      <binding name="ServiceBinding">
        <security mode="Message">
          <!-- negotiateServiceCredential="false" turns off the TLSNego exchange -->
          <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                   negotiateServiceCredential="false">
            <!-- Uncomment this section to ask the STS for specific claims
            <claims>
              <add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/EmailAddress"/>
              <add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/GivenName"/>
              <add claimType="http://schemas.microsoft.com/ws/2005/05/identity/claims/Surname"/>
            </claims>
            -->
            <issuer address="http://localhost/WCFSecurityTokenService/service.svc"
                    bindingConfiguration="UsernameBinding"
                    binding="customBinding">
              <identity>
                <dns value="WCFQuickstartServer"/>
              </identity>
            </issuer>
          </message>
        </security>
      </binding>
    </wsFederationHttpBinding>
  </bindings>

  <behaviors>
    <behavior name="ServiceBehavior">
      <clientCredentials>
        <!-- Service certificate supplied out of band instead of being negotiated -->
        <serviceCertificate>
          <defaultCertificate findValue="CN=WCFQuickstartServer"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectDistinguishedName"/>
          <authentication revocationMode="NoCheck"
                          certificateValidationMode="None"></authentication>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </behaviors>
</system.serviceModel>

This works on the February CTP.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
