Wwsapi Windows Web Services Api Http Kerberos Client

Further adventures with the WWSAPI Beta. If you find this useful please take the time to Jot me a quick comment or note!

I decided to investigate these API’s and make a simple call to the same WebService in my previous blog post using Kerberos. I first copied the WebService inside my network so I could use Kerberos and configured the IIS 6 WebSite to use Windows Integrated authentication only.

There are several examples of using Negotiate with SSL but I did not want to use SSL. I figured all I needed to do was remove the SSL bindings from the samples… WRONG!

// use the default client credential if the thread opening the channel/proxy is impersonating,
// the thread token will be used; otherwise, the process token will be used
WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL defaultCred = {}; // zero out the struct

defaultCred.credential.credentialType = WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE;

// declare and initialize properties to set the authentication scheme to Negotiate
// Since the default scheme for WWSAPI header authentication is Negotiate, this property
// may be omitted but included for clarity.
ULONG scheme = WS_HTTP_HEADER_AUTH_SCHEME_NEGOTIATE;

WS_SECURITY_BINDING_PROPERTY headerAuthBindingProperties [1] =
{
{ WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME, &scheme, sizeof(scheme) }
};

// declare and initialize an header authentication security binding
WS_HTTP_HEADER_AUTH_SECURITY_BINDING headerAuthBinding = {}; // zero out the struct

headerAuthBinding.binding.bindingType = WS_HTTP_HEADER_AUTH_SECURITY_BINDING_TYPE;
headerAuthBinding.binding.properties = headerAuthBindingProperties;
headerAuthBinding.binding.propertyCount = WsCountOf(headerAuthBindingProperties);
headerAuthBinding.clientCredential = &defaultCred.credential;

// declare and initialize the array of all security bindings
WS_SECURITY_BINDING* securityBindings[1] = { &headerAuthBinding.binding };

// declare and initialize the security description
WS_SECURITY_DESCRIPTION securityDescription = {}; // zero out the struct
securityDescription.securityBindings = securityBindings;
securityDescription.securityBindingCount = WsCountOf(securityBindings);
securityDescription.properties = securityProperties;
securityDescription.propertyCount = WsCountOf(securityProperties);

// Create the proxy
hr = WsCreateServiceProxy(
WS_CHANNEL_TYPE_REQUEST,
WS_HTTP_CHANNEL_BINDING,
&securityDescription, // added for Negotiate
NULL,
0,
NULL,
,
&serviceProxy,
error);

</div> This looked good but failed with an error when I called the WebService method: E_INVALIDARG.

Further investigation revealed that I needed to set the WS\_PROTECTION\_LEVEL appropriately. Since the message is NOT using SSL we need to set this property as follows:

// set the protection level to none – you have to do this to avoid the error: E_INVALIDARG when you call a SOAP method
WS_PROTECTION_LEVEL protectionLevel = WS_PROTECTION_LEVEL_NONE;
WS_SECURITY_PROPERTY securityProperties[1] = {
{WS_SECURITY_PROPERTY_TRANSPORT_PROTECTION_LEVEL, &protectionLevel, sizeof(protectionLevel)}
};
 </div> and then set these on the securityDescription like this:

securityDescription.properties = securityProperties;
securityDescription.propertyCount = WsCountOf(securityProperties);

OK, home free right? No… Now I was getting this error from the call to _HelloWorld. hr 0x803d0000 The input data was not in the expected format or did not have the expected value. Since the ‘input data’ seemed to be the issue I took a Network Monitor trace and found that the difference between my anonymous test and this new Kerberos Test (other than the Negotiate headers etc…) was that the SOAP envelope looked totally different! In the Kerberos case I found this:

<s:Envelope xmlns:a=”http://www.w3.org/2005/08/addressing” xmlns:s=”http://www.w3.org/2003/05/soap-envelope“><s:Header ><a:Action s:mustUnderstand=”1″>http://tempuri.org/HelloWorld</a:Action>urn:uuid:ba48938e-97a2-4dba-9e3f-cf9378533f8f<a:To s:mustUnderstand=”1″>http://jsandershv2003/WebSite/MyWebService.asmx</a:To></s:Header><HelloWorld</a> xmlns=”http://tempuri.org/“/></s:Body></s:Envelope>

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

Error:

System.Web.Services.Protocols.SoapHeaderException: SOAP header Action was not understood…

at System.Web.Services.Protocols.SoapHeaderHandling.SetHeaderMembers(SoapHeaderCollection headers,

Object target,

SoapHeaderMapping[] mappings,

SoapHeaderDirection direction, Boolean client)..

at System.Web.Services.Protocols.SoapServerProtocol.CreateServerInstance()..

at System.Web.Services.Protocols.WebServiceHandler.Invoke()..

at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()

After investigation I found that to get rid of the Messaging headers I needed to set some channel properties:

WS_CHANNEL_PROPERTY channelProperties[1];
ULONG channelPropertyCount = 0;
WS_ADDRESSING_VERSION addressingVersion = WS_ADDRESSING_VERSION_TRANSPORT;
channelProperties[channelPropertyCount].id = WS_CHANNEL_PROPERTY_ADDRESSING_VERSION;
channelProperties[channelPropertyCount].value = &addressingVersion ;
channelProperties[channelPropertyCount].valueSize = sizeof(addressingVersion );
channelPropertyCount++; // in this case only one property

// Then you pass the channelProperties and channelPropertyCount to WsCreateServiceProxy (or WsCreateChannel if you are working at channel layer).

hr = WsCreateServiceProxy(
WS_CHANNEL_TYPE_REQUEST,
WS_HTTP_CHANNEL_BINDING,
&securityDescription, // added for Negotiate
NULL,
0,
channelProperties, // channel properties
channelPropertyCount, // channel property count
&serviceProxy,
error);

</div> **Success!** **Now the complete code listing for your enjoyment ([Copy Code](javascript:CopyCode('wwsapikerbcodesection1');)):**

// WWSAPITest.cpp : Defines the entry point for the console application. // #include “stdafx.h” #include #include “.\wsdl\MyWebService.wsdl.h” int mainHttpKerb(int argc, _TCHAR* argv[]) { HRESULT hr; WS_ERROR* error; WS_HEAP* heap; WS\_SERVICE\_PROXY* serviceProxy; hr = S_OK; error = NULL; heap = NULL; serviceProxy = NULL; // Creating error object hr = WsCreateError(NULL, 0, &error); if (FAILED(hr)) { wprintf (L“Failed to create Error object\n”); return -1; } // Creating heap handle hr = WsCreateHeap(10000000, 0, NULL, 0, &heap, error); if (FAILED(hr)) { wprintf (L“Failed to create Heap object\n”); if (heap != NULL) { WsFreeHeap(heap); heap = NULL; } if (error != NULL) { WsFreeError(error); error = NULL; } return -1; } ////////////////kerberos //// declare and initialize a windows credential // use the default client credential if the thread opening the channel/proxy is impersonating, // the thread token will be used; otherwise, the process token will be used WS\_DEFAULT\_WINDOWS\_INTEGRATED\_AUTH_CREDENTIAL defaultCred = {}; // zero out the struct defaultCred.credential.credentialType = WS\_DEFAULT\_WINDOWS\_INTEGRATED\_AUTH\_CREDENTIAL\_TYPE; // declare and initialize properties to set the authentication scheme to Negotiate // Since the default scheme for WWSAPI header authentication is Negotiate, this property // may be omitted. ULONG scheme = WS\_HTTP\_HEADER\_AUTH\_SCHEME_NEGOTIATE; // set the protection level to none – you have to do this to avoid the error: E_INVALIDARG when you call a SOAP method WS\_PROTECTION\_LEVEL protectionLevel = WS\_PROTECTION\_LEVEL_NONE; WS\_SECURITY\_PROPERTY securityProperties[1] = { {WS\_SECURITY\_PROPERTY\_TRANSPORT\_PROTECTION_LEVEL, &protectionLevel, sizeof(protectionLevel)} }; WS\_SECURITY\_BINDING_PROPERTY headerAuthBindingProperties [1] = { { WS\_SECURITY\_BINDING\_PROPERTY\_HTTP\_HEADER\_AUTH_SCHEME, &scheme, sizeof(scheme) } }; // declare and initialize an header authentication security binding WS\_HTTP\_HEADER\_AUTH\_SECURITY_BINDING headerAuthBinding = {}; // zero out the struct headerAuthBinding.binding.bindingType = WS\_HTTP\_HEADER\_AUTH\_SECURITY\_BINDING\_TYPE; headerAuthBinding.binding.properties = headerAuthBindingProperties; headerAuthBinding.binding.propertyCount = WsCountOf(headerAuthBindingProperties); headerAuthBinding.clientCredential = &defaultCred.credential; // declare and initialize the array of all security bindings WS\_SECURITY\_BINDING* securityBindings[1] = { &headerAuthBinding.binding }; // declare and initialize the security description WS\_SECURITY\_DESCRIPTION securityDescription = {}; // zero out the struct securityDescription.securityBindings = securityBindings; securityDescription.securityBindingCount = WsCountOf(securityBindings); securityDescription.properties = securityProperties; securityDescription.propertyCount = WsCountOf(securityProperties); // size this array to the number of properties you will have WS\_CHANNEL\_PROPERTY channelProperties[1]; ULONG channelPropertyCount = 0; WS\_ADDRESSING\_VERSION addressingVersion = WS\_ADDRESSING\_VERSION_TRANSPORT; channelProperties[channelPropertyCount].id = WS\_CHANNEL\_PROPERTY\_ADDRESSING\_VERSION; channelProperties[channelPropertyCount].value = &addressingVersion ; channelProperties[channelPropertyCount].valueSize = sizeof(addressingVersion ); channelPropertyCount++; // add more channel properties here /*WS\_ENVELOPE\_VERSION soapVersion = WS\_ENVELOPE\_VERSION\_SOAP\_1_1; channelProperties[channelPropertyCount].id = WS\_CHANNEL\_PROPERTY\_ENVELOPE\_VERSION; channelProperties[channelPropertyCount].value = &soapVersion; channelProperties[channelPropertyCount].valueSize = sizeof(soapVersion); channelPropertyCount++;*/ // Then you pass the channelProperties and channelPropertyCount to WsCreateServiceProxy (or WsCreateChannel if you are working at channel layer). // Create the proxy hr = WsCreateServiceProxy( WS\_CHANNEL\_TYPE_REQUEST, WS\_HTTP\_CHANNEL_BINDING, &securityDescription, // added for Negotiate NULL, 0, channelProperties, // channel properties channelPropertyCount, // channel property count &serviceProxy, error); if (FAILED(hr)) { WsFreeHeap(heap); WsFreeError(error); return -1; } WS\_ENDPOINT\_ADDRESS address = {}; WS\_STRING Url = WS\_STRING_VALUE(L“http://jsandershv2003/WebSite/MyWebService.asmx”); address.url = Url; hr = WsOpenServiceProxy(serviceProxy, &address, NULL, error); if (FAILED(hr)) { WsFreeServiceProxy(serviceProxy); WsFreeHeap(heap); WsFreeError(error); return -1; } WCHAR *aResult = NULL; hr = WebServiceSoap12_HelloWorld( serviceProxy, &aResult, heap, NULL, 0, NULL, error); if (SUCCEEDED(hr)) { wprintf(L“%s\n”, aResult); } else { wprintf(L“failed\n”); } if (serviceProxy != NULL) { WsCloseServiceProxy(serviceProxy, NULL, error); WsFreeServiceProxy(serviceProxy); serviceProxy = NULL; } if (heap != NULL) { WsFreeHeap(heap); heap = NULL; } if (error != NULL) { WsFreeError(error); error = NULL; } return 0; } int _tmain(int argc, _TCHAR* argv[]) { return mainHttpKerb(argc,argv); } </div>

Jeff Sanders Technical Blog

I am a Microsoft employee that has worked on all aspects of the Web Stack for a long time. I hope these blogs are useful to you! Use this information at your own risk.

Wwsapi Windows Web Services Api Http Kerberos Client