Wednesday Aug 15, 2012

.NET interoperability, Kerberos, SPNEGO, Id Propagation - All things Microsoft! - OWSM 11g

One of the most common questions I run into relates to .NET/WCF interoperability with OWSM.

First - officially OWSM certifies a few interop scenarios with .NET. These are covered in the OWSM Interop guide

They key scenarios certified for interop involve Username Token, X509 Token and Kerberos Token via the WS-Security Kerberos Token Profile.

The next question I hear is around how do we do Identity Propagation when we have .NET.

Scenario#1: Identity Propagation b/w WCF Client and OWSM/Fusion Middleware using Kerberos and SAML with OSB as active intermediary

Note: Instead of OSB you can use SOA Suite as well and that would work as well.

Scenario#2: Identity Propagation b/w WCF Client and OWSM/Fusion Middleware using Kerberos with OSB as passive intermediary

Note: The passive intermediary model applies for OSB (or OEG) but not for SOA, since SOA does not support passive intermediary model.

Scenario#3: Kerbeors based Multi-hop Identity Propagation b/w WCF Client & OWSM/Fusion Middleware and OSB as active intermediary

In this scenario - customer's want to use Kerberos for Identity propagation across multiple hops. This is currently not supported.

Scenario#4: Kerbeors based Multi-hop Identity Propagation b/w WCF Client & WCF Service and OSB as active intermediary

In both scenario#3 and scenario#4 in order to use Kerberos for multi-hop end-user identity propagation, you need to support either the end user TGT or the S4U Extension. Neither of these are currently supported in OWSM.

Scenario#5: Using SAML for end-to-end identity propagation.

So another way to do end-to-end identity propagation that will work with OSB or SOA Suite is to SAML. WCF/.NET supports talking to an STS to exchange a kerberos token for a SAML token and then SAML can be used across multiple hops.


1) While this scenario has not been certified explicitly by OWSM, it should work since OWSM supports WS-Trust.

2) In the diagram I use Oracle STS but any STS can be used as long as that STS supports exchanging a Kerberos token for SAML token.

I have not listed all the possible scenarios here - but hopefully this provides a sense of what is possible today and what is not possible.


I also see a lot of questions around SPNEGO support. OWSM currently does not support SPNEGO. You can read all about SPNEGO here

One could build a custom assertion to add SPENGO support in OWSM. However you need to keep in mind that with SPNEGO unlike the WS-Security Kerberos Token Profile, the Kerberos Token is actually in the HTTP reader rather than in the SOAP WS-Security header.

So the Kerberos token is wrapped in the HTTP header under the auth-scheme called "Negotiate". The WWW-Authenticate and Authorization headers are used to communicate the SPNEGO token between client and service. This is explained in the steps below:

  1. The client requests access to a protected document on the server without any Authorization Header.
  2. Since there is no Authorization Header in the request, server responds with 401 Unauthorized and WWW-Authenticate: Negotiate.
  3. The client will use the user credentials to obtain the token and then send it to the server in the Authorization header of the new request.For e.g.,   Authorization: Negotiate a87421000000492aa874209
  4. The server will decode this token by passing it to the acceptSecContext() GSSAPI. If the context is not complete (in the case of Mutual Authentication) the server will respond with a 401 status code with a WWW-Authenticate header containing the GSS-API data. For e.g., WWW-Authentiate: Negotiate 74900a2a...
  5. The client will decode this data and send new data back to the server. This cycle will continue until the security context is established.

Since there is request/challenge model - typically the SPNEGO security model is harder to accomplish in intermediaries like OSB/OEG - if they are acting as "passive intermediaries". An active intermediary model maybe more appropriate.

For OSB itself there may be an alternate model to supporting SPNEGO. There is an excellent post from the A-Team on OSB & SPNEGO (Note: It deals with OSB 10gR3). Here is another post that covers SPNEGO


The next question that often comes up is around NTLML support.OWSM currently does not support NTLM. As this wikipedia entry on SPENGO describes - NTLM is a variant.As you can see Microsoft no longer recommends NTLM. However if customers really want to support NTLM - they can build a custom policy.


In this blog I will discuss mainly features supported by Oracle Web Service Manager (OWSM).


« February 2016