Petar Vucetin Soa312 Building Secure Web Services Using Windows Communication Foundation Tech Ed 2008 (Final)

Securing messages between clients and services is essential to protecting data. The Windows Communication Foundation (WCF) provides a versatile and interoperable platform for exchanging secure messages based upon both the existing security infrastructure and the recognized security standards for SOAP messages. In this session learn how to use WCF for transfer security and access control using familiar technologies such as HTTPS, Windows integrated security, X.509 certificates, SAML, and usernames and passwords, and also new technologies such as Windows CardSpace. This session also discusses how to extend WCF security to support custom security tokens, custom authentication methods, claims-based authorization, claims transformation, and custom principals.

Transcript of "Petar Vucetin Soa312 Building Secure Web Services Using Windows Communication Foundation Tech Ed 2008 (Final)"

    2. Building Secure Web Services Using Windows Communication Foundation
       Petar Vucetin, Senior Software Engineer, Vertigo
       Session Code: SOA312
    3. Agenda
       Learn how to use standard WCF security mechanisms correctly
       Understand appropriate scenarios for the various WCF security options
       Understand how to extend WCF security for custom applications
    6. Threat Modeling
       CIA: Confidentiality, Integrity, Availability
       STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
    7. Security
       Confidentiality: the content of the message is kept secret
       Integrity: confidence that the message received is the same one the sender sent
       Authentication: confidence that we know the caller's identity
       Confidentiality and integrity are useless without authenticity
    8. WCF out-of-the-box experience
       Defaults to secure mode
       Claim-based
       Internet, intranet and custom security scenarios
       Secure conversations
       Transfer: message integrity and protection; mutual authentication (client -> service, service -> client)
       Authorization
    9. Service Identity / Caller Identity (diagram)
       Caller and Service each expose an endpoint: A = Address (Where?), B = Binding (How?), C = Contract (What?)
       Message (WS*) security and Transport (TLS, SSL, IPSec) security between the Caller and the WCF Service running in a Host
       Trust between the two rests on Claims and Policy
    10. Transport Security
        Prevents eavesdropping, tampering, and message forgery
        Point-to-point communication
        SSL over HTTP
        TLS over TCP
        IPSec/L2TP
        Provides endpoint authentication and communications privacy using cryptography
        (diagram: Caller and Service endpoints A/B/C connected over Transport (TLS, SSL, IPSec))
    11. Message WS-Security (SOAP envelope layout)
        SOAP Envelope
          SOAP Header
            Misc. Headers
            Security Header: Security Token, Timestamp, Signature, Encrypted Key
          SOAP Body
            Encrypted Data (Data)
    12. Message Security
        Transport independent
        Uses SOAP / WS-Security
        Parts of the message can be signed or encrypted
        All of the security information is encapsulated in the message
        Security credentials and claims travel with every message; a wide set of credentials and claims is supported
        WCF requires an X509 certificate
        (diagram: Caller and Service endpoints A/B/C exchanging Message (WS*))
    13. Authentication
        Caller identification: Windows tokens, certificates, user name tokens, custom
        Service identification (to caller): Windows tokens, X.509 certificates
    14. Authentication: WS-Security (diagram)
        Token types: X509 Certificate, Kerberos, XrML, SAML, Custom
        Contract & Policies
        The service verifies that the user owns (is able to use) a private key that is never transmitted
    15. Authorization
        What is the caller allowed to do?
        WCF uses the caller's claims; a caller can have many
        Windows token, SAML
        Windows groups, ASP.NET providers, custom provider
        No good without authentication
    16. Claims
        Claim: a declaration made by an entity about an entity (for example, a name, identity, group, key, or privilege). The entity that makes the claim is referred to as a claim issuer; the entity about which the claim is made is referred to as a claim subject.
        Defined by a triplet: type, right, resource
        Claim issuer: can vouch for or endorse the claims in a security token by using its key to sign or encrypt the security token. This enables authentication of the claims in the security token.
    17. Partners (topology diagram)
        Partners: STS, Browser, WinClient
        DMZ: IIS
        INTRANET: Browser, IIS, WinClient
        Router
    18. Scenarios
        Intranet
          Direct access to service (rare) – single machine
          Application servers – more common, distributed, maybe port restrictions and firewalls
          AD, Windows auth
        Internet
          Firewalled, DMZed
          Restricted ports and routes, custom identity store
          Maybe a trusted subsystem down the line with AD/Windows auth
          Maybe multiple authentication systems involved
    19. Scenarios (cont.)
        B2B
          Crossing multiple network topologies, firewalls, port restrictions
          Non-Windows security topologies and implementations
          May require acquiring and using different identities
          Maybe multiple authentication systems involved
          Most likely service to service
    21. Service and Client: how does this stuff work? (configuring)
    22. Security Modes
        None. Turns security off. Not recommended (default for BasicHttpBinding).
        Transport. Uses transport security for mutual authentication and message protection.
        Message. Uses message security for mutual authentication and message protection. WCF requires an X509 certificate.
        Both. Allows you to supply settings for transport and message-level security (only MSMQ supports this).
    23. Controlling security modes (demo)
    24. Security Modes (cont.)
        TransportWithMessageCredential. Client credentials are passed with the message. Service authentication, confidentiality and data integrity are provided by the transport layer.
        TransportCredentialOnly. Client credentials are passed at the transport layer and no message protection is applied.
    26. WCF Channel Stack (diagram)
        Service Instance
        WCF Runtime: Operations, Dispatcher
        Channel Stack (Binding): Protocol, Protocol, Protocol, Encoding, Transport
    27. Security.Mode == None (netTcpBinding channel stack, top to bottom)
        TransactionFlowBinding
        BinaryMessageEncodingBinding
        TcpTransportBinding
    28. Security.Mode == Transport (netTcpBinding channel stack, top to bottom)
        TransactionFlowBinding
        BinaryMessageEncodingBinding
        WindowsStreamSecurityBinding
        TcpTransportBinding
    29. Security.Mode == Message (netTcpBinding channel stack, top to bottom)
        TransactionFlowBinding
        SymmetricSecurityBinding
        BinaryMessageEncodingBinding
        TcpTransportBinding
    30. Security.Mode == TransportWithMessageCredentials (netTcpBinding channel stack, top to bottom)
        TransactionFlowBinding
        TransportSecurityBinding
        BinaryMessageEncodingBinding
        SslStreamSecurityBinding
        TcpTransportBinding
    31. Controlling credentials at the transport level (demo)
    33. Controlling Message Security and credentials (demo)
    36. Choices, choices, choices
        Are you confused by now?
    37. Out of the box bindings: Intranet
        NetNamedPipeBinding
          Limited reach – same machine, cross process
          Fast
          No SOAP support
          Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign
    38. Out of the box bindings (cont.): Intranet
        NetTCPBinding
          WCF-to-WCF scenarios
          Fast, can add WS* features – performance tradeoff
          If you used COM+/DCOM, use this binding
          Load balancing – has server affinity, reduce lease timeout
          Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Encrypt and Sign
    39. Out of the box bindings (cont.): Intranet
        NetMsmqBinding
          Queued work / workload leveling / disconnected scenarios
          Defaults: Security Mode: Transport; Credentials: Windows; Message protection: Sign
        MsmqIntegrationBinding
          Non-WCF clients
    40. Out of the box bindings (cont.): Internet
        BasicHttpBinding
          Interop for ASMX, support for WS-I Basic Profile 1.1
          Does not support the WS* stack
          Works well with existing HTTP load balancing techniques
          Only binding supported in Silverlight 2.0
          Defaults: Security Mode: None; Transport: None; Credentials: User Name; Message protection: None
    41. Out of the box bindings (cont.): Internet
        WsHttpBinding
          Non-Windows/WCF clients
          Restricted ports, firewalls
          Can use HTTP load balancing – can't use reliable session, EstablishSecurityContext == off
          Defaults: Security Mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt
    42. Out of the box bindings (cont.): Internet
        WsFederationHttpBinding
          Share identities across multiple systems
          Custom tokens
          Defaults: Security Mode: Message; Transport: HTTP; Credentials: Windows; Message protection: Sign and Encrypt
    44. Service and Client: Security Extension Points (customization)
    45. Customization Scenarios
        Custom security tokens
        Custom authentication methods
        Claims-based authorization
        Claims transformation
        Custom principals
    46. WCF Security Extensible Points
        Credentials: Custom Security Token Manager, Custom Service Credentials, Custom Client Credentials
        Authorization: Service Authorization Manager, External Authorization Policy, Custom Endpoint Identity Verifier
        Authentication: Security Token Authenticator, Security Token Provider, Custom Authorization Policy
        Serialization: Security Token Serializer, Security Key Identifier Clause
    47. Custom Authentication (service configuration)
        <services>
          <service name="CalculatorService" behaviorConfiguration="ServiceCredentials">
            <endpoint address=""
                      binding="wsFederationHttpBinding"
                      bindingConfiguration="requireInfoCard"
                      contract="ISecureCalculator">
              <identity>
                <certificateReference findValue="fabrikam"
                                      x509FindType="FindBySubjectName"
                                      storeLocation="LocalMachine"
                                      storeName="My" />
              </identity>
            </endpoint>
          </service>
        </services>
        <bindings>
          <wsFederationHttpBinding>
            <binding name="requireInfoCard"> ... </binding>
          </wsFederationHttpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior name="ServiceCredentials"> ... </behavior>
          </serviceBehaviors>
        </behaviors>

        The "ServiceCredentials" behavior expanded:
        <behavior name="ServiceCredentials">
          <serviceAuthorization serviceAuthorizationManagerType=
            "MyServiceAuthorizationManagers.SelfissuedServAuthMgr, MyServiceAuthorizationManagers" />
          <serviceCredentials>
            <serviceCertificate findValue="fabrikam"
                                x509FindType="FindBySubjectName"
                                storeLocation="LocalMachine"
                                storeName="My" />
            <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
          </serviceCredentials>
        </behavior>
        (Diagram callouts: ISecureCalculator, CalculatorService, SAML1.0, http://schemas../givenname, http://schemas../lastname, http://schemas../self, http://localhost/serv.svc)
    48. Custom Authentication (demo)
    49. Service Config
        <services>
          <service name="CalculatorService" behaviorConfiguration="ServiceCredentials">
            <endpoint address=""
                      binding="wsFederationHttpBinding"
                      bindingConfiguration="requireInfoCard"
                      contract="ISecureCalculator">
              <identity>
                <certificateReference findValue="fabrikam"
                                      x509FindType="FindBySubjectName"
                                      storeLocation="LocalMachine"
                                      storeName="My" />
              </identity>
            </endpoint>
          </service>
        </services>
        <bindings>
          <wsFederationHttpBinding>
            <binding name="requireInfoCard"> ... </binding>
          </wsFederationHttpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior name="ServiceCredentials"> ... </behavior>
          </serviceBehaviors>
        </behaviors>

        The "requireInfoCard" binding expanded (requires a SAML 1.0 token carrying the givenname and lastname claims, issued by the self-issued CardSpace issuer):
        <wsFederationHttpBinding>
          <binding name="requireInfoCard">
            <security mode="Message">
              <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
                <claimTypeRequirements>
                  <add claimType="http://schemas../givenname" />
                  <add claimType="http://schemas../lastname" />
                </claimTypeRequirements>
                <issuer address="http://schemas.../self" />
              </message>
            </security>
          </binding>
        </wsFederationHttpBinding>

        The "ServiceCredentials" behavior expanded:
        <behavior name="ServiceCredentials">
          <serviceCredentials>
            <serviceCertificate findValue="fabrikam"
                                x509FindType="FindBySubjectName"
                                storeLocation="LocalMachine"
                                storeName="My" />
            <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
          </serviceCredentials>
        </behavior>
        (Diagram callouts: ISecureCalculator, CalculatorService, SAML1.0, http://schemas../givenname, http://schemas../lastname, http://localhost/serv.svc, http://schemas../self)
    50. Client Config
        <client>
          <endpoint address="http://localhost/serv.svc/"
                    bindingConfiguration="requireInfoCard"
                    binding="wsFederationHttpBinding"
                    contract="ISecureCalculator"
                    behaviorConfiguration="ClientCredentials">
            <identity>
              <certificateReference findValue="fabrikam"
                                    x509FindType="FindBySubjectName"
                                    storeLocation="CurrentUser"
                                    storeName="TrustedPeople" />
            </identity>
          </endpoint>
        </client>
        <bindings>
          <wsFederationHttpBinding>
            <binding name="requireInfoCard"> ... </binding>
          </wsFederationHttpBinding>
        </bindings>
        <behaviors>
          <endpointBehaviors>
            <behavior name="ClientCredentials"> ... </behavior>
          </endpointBehaviors>
        </behaviors>

        The "ClientCredentials" behavior expanded (the client pins the service certificate from its TrustedPeople store and skips revocation checking):
        <behavior name="ClientCredentials">
          <clientCredentials>
            <serviceCertificate>
              <defaultCertificate findValue="fabrikam"
                                  x509FindType="FindBySubjectName"
                                  storeLocation="CurrentUser"
                                  storeName="TrustedPeople" />
              <authentication revocationMode="NoCheck" certificateValidationMode="PeerOrChainTrust" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>

        The "requireInfoCard" binding expanded:
        <binding name="requireInfoCard">
          <security mode="Message">
            <message issuedTokenType="urn:oasis:names:tc:SAML:1.0:assertion">
              <claimTypeRequirements>
                <add claimType="http://schemas../emailaddress" />
                <add claimType="http://schemas../givenname" />
              </claimTypeRequirements>
              <issuer address="http://schemas../self" />
            </message>
          </security>
        </binding>
        (Diagram callouts: ISecureCalculator, CalculatorService, SAML1.0, http://localhost/serv.svc, http://schemas../givenname, http://schemas../lastname, http://madSTS.org/sts)
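The per-binding defaults on the "Out of the box bindings" slides and the issued-token and certificate-validation settings in the service and client configs above can be audited mechanically. The following Python script is an added example, not part of the deck: it parses a constructed system.serviceModel section, resolves each endpoint's effective security mode (falling back to the defaults the slides list when the config sets none), and flags mode None or TransportCredentialOnly, allowUntrustedRsaIssuers="true", and revocationMode="NoCheck". The severity labels and the sample config are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Security mode a binding uses when the config sets no <security mode="...">
# (the defaults listed on the "Out of the box bindings" slides).
DEFAULT_MODE = {
    "basicHttpBinding": "None", "wsHttpBinding": "Message",
    "wsFederationHttpBinding": "Message", "netTcpBinding": "Transport",
    "netNamedPipeBinding": "Transport", "netMsmqBinding": "Transport",
}
# Modes that leave the message itself unprotected ("Security Modes" slides).
WEAK_MODES = {"None", "TransportCredentialOnly"}


def binding_modes(service_model):
    """Map (bindingType, bindingName) -> configured or default security mode.
    An unnamed <binding> is the default for endpoints without bindingConfiguration."""
    modes = {}
    bindings = service_model.find("bindings")
    for binding_type in ([] if bindings is None else bindings):  # e.g. <wsHttpBinding>
        for binding in binding_type.findall("binding"):
            security = binding.find("security")
            mode = security.get("mode") if security is not None else None
            modes[(binding_type.tag, binding.get("name", ""))] = (
                mode or DEFAULT_MODE.get(binding_type.tag, "unknown"))
    return modes


def audit(config_xml):
    """Return [(severity, location, finding)] for weak settings in a WCF config."""
    root = ET.fromstring(config_xml)
    # find("system.serviceModel") would treat the dot as path syntax, so match the tag.
    sm = root if root.tag == "system.serviceModel" else next(
        c for c in root if c.tag == "system.serviceModel")
    modes = binding_modes(sm)
    findings = []
    # 1. Effective security mode of every service and client endpoint.
    for ep in sm.findall("services/service/endpoint") + sm.findall("client/endpoint"):
        btype = ep.get("binding")
        mode = modes.get((btype, ep.get("bindingConfiguration", "")),
                         DEFAULT_MODE.get(btype, "unknown"))
        if mode in WEAK_MODES:
            findings.append(("HIGH", f"{ep.get('contract')} [{btype}]",
                             f"effective security mode {mode}: no message protection"))
    # 2. allowUntrustedRsaIssuers lets CardSpace self-issued cards in, but it also
    #    means a token signed by any RSA key passes issuer validation.
    for e in sm.iter("issuedTokenAuthentication"):
        if e.get("allowUntrustedRsaIssuers", "false").lower() == "true":
            findings.append(("HIGH", "serviceCredentials/issuedTokenAuthentication",
                             "allowUntrustedRsaIssuers=true: any RSA issuer is accepted"))
    # 3. How the client validates the service certificate it receives.
    for e in sm.iter("authentication"):
        if e.get("revocationMode") == "NoCheck":
            findings.append(("MEDIUM", "serviceCertificate/authentication",
                             "revocationMode=NoCheck: a revoked certificate is still trusted"))
    return findings


# Constructed sample: one endpoint relies on basicHttpBinding's default mode, one
# turns security off on netTcpBinding, and the behaviors repeat the deck's settings.
SAMPLE_CONFIG = """<configuration><system.serviceModel>
  <services><service name="CalculatorService" behaviorConfiguration="ServiceCredentials">
    <endpoint address="" binding="basicHttpBinding" contract="ILegacyCalculator" />
    <endpoint address="" binding="wsFederationHttpBinding" bindingConfiguration="requireInfoCard"
              contract="ISecureCalculator" />
    <endpoint address="net.tcp://localhost:9000/calc" binding="netTcpBinding"
              bindingConfiguration="plainTcp" contract="ISecureCalculator" />
  </service></services>
  <bindings>
    <wsFederationHttpBinding><binding name="requireInfoCard"><security mode="Message" /></binding></wsFederationHttpBinding>
    <netTcpBinding><binding name="plainTcp"><security mode="None" /></binding></netTcpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors><behavior name="ServiceCredentials"><serviceCredentials>
      <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
    </serviceCredentials></behavior></serviceBehaviors>
    <endpointBehaviors><behavior name="ClientCredentials"><clientCredentials><serviceCertificate>
      <authentication revocationMode="NoCheck" certificateValidationMode="PeerOrChainTrust" />
    </serviceCertificate></clientCredentials></behavior></endpointBehaviors>
  </behaviors>
</system.serviceModel></configuration>"""
```

Running audit(SAMPLE_CONFIG) reports the basicHttpBinding and netTcpBinding endpoints, the untrusted-RSA-issuer setting and the skipped revocation check; the wsFederationHttpBinding endpoint in Message mode is not reported.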
    51. Tips & Tricks
        VS2008 SP1
    52. Tips & Tricks (cont.)
    53. New Services
        NetMsmqActivator (Net.Msmq Listener Adapter): receives activation requests over the net.msmq and msmq.formatname protocols and passes them to the Windows Process Activation Service.
        NetPipeActivator (Net.Pipe Listener Adapter): receives activation requests over the net.pipe protocol and passes them to the Windows Process Activation Service.
    54. New Services
        NetTcpActivator (Net.Tcp Listener Adapter): receives activation requests over the net.tcp protocol and passes them to the Windows Process Activation Service.
        NetTcpPortSharing (Net.Tcp Port Sharing Service): provides the ability to share TCP ports over the net.tcp protocol.
    56. Q & A
    59. CodePlex WCF Security Guidance - http://www.codeplex.com/WCFSecurity
        IDesign code library - http://www.idesign.net/
        MSDN WCF demos and examples - http://wcf.netfx3.com/
        (WCF), (WF) and Windows CardSpace Samples - MSDN http://tinyurl.com/4zvppt
        Track Resources
        Bloggers: Ron Jacobs, Vittorio Bertocci, Michelle Bustamante, Aaron Skonnard, etc.
    61. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
        The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
    62. (diagram) Client Claims and Service Claims are each checked ("Valid?") against an Authority
    63. Identity Types
        DNS - Use this element with X.509 certificates or Windows accounts.
        Certificate - This element specifies a Base64-encoded X.509 certificate value to compare with the client. Also use this element when using CardSpace as a credential to authenticate the service.
    64. Certificate Reference
        RSA
        User Principal Name
        Service Principal Name
    65. Topology (diagram)
        Partners: STS, Browser, WinClient
        DMZ: IIS
        INTRANET: Browser, IIS, S1, S2, WinClient
        Router
