Web Services Interoperability Plugfest and Kerberos Token support in Metro

Sun participated in the latest Web Services Interoperability Plugfest hosted by Microsoft at their Redmond campus from November 6th to 8th. Harold, Jiandong and I represented Sun at this event. Harold has put forward a detailed entry with the details on the scenarios we tested and the results. Jiandong explains the WS-SX tests and the versions of specs they cover in his blog.

My focus at this event was to test for the first time our implementation of Kerberos Token Profile 1.1 for interoperability with .NET 3.x. The most difficult part for Kerberos interoperability turned out to be setting up the Kerberos infrastructure for trust. Once we were through this part, all the tests passed without any difficulty. The tests consisted of the following scenarios:

- Basic Kerberos token tests
- Kerberos Token with Derived Keys
- SecureConversation with Kerberos token in Bootstrap policy
- SecureConversation with Kerberos token and Derived Keys in Bootstrap policy

All these scenarios are available at the public endpoint from Microsoft at http://mssoapinterop.org/ilab/ . Harold has details on the exact tests and results in his blog.

These tests were run using a single KDC for WSIT client and WCF service and vice versa.

The Kerberos token support will release with a future release of Metro, but if you want to give it a try, you can get one of the nightlies from here. I plan to blog about setting up Kerberos infrastructure and running Kerberos scenarios in the coming weeks.

The next step we want to try is to use different KDCs for client and service and test cross-domain security using Kerberos. We tried it this time and ran across some setup issues with DNS configurations and cross-domain trust.

Comments:

Hi, could you post links to the specs for "Derived Keys"?

Posted by Nico on November 16, 2007 at 03:45 PM IST #

Derived Keys are mentioned in the WS-SecureConversation spec. You can find it here: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/ws-secureconversation-1.3-os.html

Posted by Ashutosh on November 18, 2007 at 06:00 AM IST #

Hello,

I'm currently trying to combine the WS-Conversion spec, and the Kerberos Token Profile into WSS4j.

Currently I have one problem: To implement the DerivedKeyToken I need to obtain a symmetric key from Kerberos. There are two solutions I can think of, but both have problems:

- Use the Kerberos session key or subkey directly. But how to obtain this from the Sun JGSS implementation?

- Generate a symmetric key for the P_SHA1 and send it over in the SecurityContextToken. But is this in line with the WS-SecureConversation spec?

Hope you can answer this question?

Ron

Posted by Ron van de Ven on February 29, 2008 at 05:58 AM IST #
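
Added example, not part of the original post or comments and not code from Metro or WSS4J: the P_SHA1 derivation that WS-SecureConversation applies for a DerivedKeyToken, with the shared secret assumed to be the Kerberos session key or subkey (the first option raised in the comment above). The function names and the sample key and nonce are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Default label from WS-SecureConversation, used when <wsc:Label> is absent.
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA-1 from RFC 2246 section 5: expand secret and seed to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, *, label: bytes = DEFAULT_LABEL, offset: int = 0,
               length: int = 32, generation: Optional[int] = None) -> bytes:
    """Derived key = P_SHA1(secret, label + nonce)[offset : offset + length]."""
    if not secret or not nonce:
        raise ValueError("secret and nonce must be non-empty")
    if generation is not None:
        # Fixed-size keys: generation n starts at byte n * length.
        if offset:
            raise ValueError("use either offset or generation, not both")
        offset = generation * length
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


if __name__ == "__main__":
    # Constructed sample values; in the scenario above the secret would be the
    # Kerberos session key or subkey shared by client and service.
    session_key = bytes(range(16))
    nonce = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
    signing_key = derive_key(session_key, nonce, generation=0, length=16)
    encryption_key = derive_key(session_key, nonce, generation=1, length=16)
    print(signing_key.hex(), encryption_key.hex())
```

Only the nonce (and optionally label, offset, length or generation) travels in the DerivedKeyToken; the secret itself is never sent, so both sides must already hold the same key.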
