This is one of the most frequently asked questions on the newsgroups. Since Verisign and Thawte do not speak "message-based security", people are always confused about buying SSL Certificates for doing WSE or WCF. It's not just the vendors. Sometimes the people responsible for your networks are also...

On Thursday evening I gave a talk on WS Security Fundamentals in Dayton Ohio. One of the resources I point to is the PAG Guide on Securing Web Services . On the way home the next day, while sitting on the runway in PHL for 2 hours before taking off (uggh), I was reading the latest ASPNET Pro and Michele...

I was happy to find this very current slide denoting the status of the various WS-* specs. I got to use it in a WS-Security fundamentals talk that I did in Dayton Ohio last night. http://blogs.msdn.com/jevdemon/archive/2006/08/02/686515.aspx...

I learned this the hard way, as usual. We had to change the X509 Certificate that we were using for our application. That meant that the policy config file on the client and the app had to have the certificate identity defined by the findValue parameter of the X509 node. < serviceToken > < x509...

I have posted my version of the powerpoint (not the pretty MSDN version since I don't have that) and the sample code from today's Intro to WSE 3.0 webcast . You can find them on my TALKS page. Scroll down to Introduction to.... and you'll see the zip and ppt files. Thanks to all who attended! I hear...

As part of the Web Services Webcast Series , I'll be doing an Intro to WSE 3.0 tomorrow morning at 11am. It will be a 1 hour session on the key features of WSE 3.0 with as many demos as I can cram in! There's an MP3 raffle for attendees of this series. Check it out! Here is the whole series. Please don...

Kirk Allen Evans has organized some of the top WCF/Web Services gurus (and me,too!) to do a web cast series through June. For those of you securing web services TODAY, my webcast will be Overview of WSE 3.0 . June 8th at 11am EST (that's 8am PST). More info here Also oooh aah a raffle for attendees!...

This has always been a big point of confusion, both for developers (like me) and admins. SSL Certificates are misnamed. They are not for SSL only. I wish all of the CA's would just call them "Web Server Certificates". How and where you install them determines whether or not they are used for SSL. I remember...

I recorded my basic "Securing a web service with WSE 3" demo using Camtasia . There are two versions of this. In the 30 minute version (25MB), I spend a lot of time looking at config and policy files as well as tracing and debugging while implementing the security. The shorter 15 minute version (12MB...

Not only can you write web services today that can be consumed by WCF (Indigo) apps in the future, but working with WSE 3.0 today to secure your web services will also help you get a handle on many of the concepts of WCF. I have written an article for DevSource called " Using WSE 3.0 Today to Secure...

Pablo Cibraro (who should be an MVP) is, in my opinion, one of the most knowledgable WSE guys around. He is up there with Michele and Softwaremaker (who have both moved on to be WCF gurus, of course). But besides having a wealth of practical knowledge, he spends an inordinate amount of time sharing it...

I had an email today from someone asking this question. They have a web service and a client app that use WSE2 to encrypt, sign and otherwise secure their data. However, they were able to open up the asmx file, the operation and look at raw xml data in a web browser over the web. No authentication, no...

I saw this question in the newgroups and wanted to blog about it because it is a real gotcha that gotme too when I first started working with WSE 3.0. If you set the WSE 3.0 diagnostics tab to output trace files, you can get a look at the messages going out of and coming into your client as well as going...

I was pushing a new WSE 3.0 web service to a test web server. Whenever I tried to authenticate I was getting "Security Token could not be retrieved" from the server. WSE590: Failed to resolve the following Key Info ..... I knew the sample x509 server certificate was installed. I knew I had assigned read...

WSE 2.0's messaging API gave us the ability to host web services outside of IIS. Though it was very cool, I didn't dig that too much because you had to give up all of the other WSE goodness that only worked in ASMX - including security. In WSE 3.0, they changed this so that you could build ASMX web services...

Don Smith , Mark Fussell, Ron Jacobs and Dwayne Wright are doing webcasts on securing web services with wse 3.0. The first, Securing Web Services with X.509 Certificates in WSE 3.0 , is already on line. They will be doing one on Kerberos this coming Wednesday, Jan 18th, and then another with UsernameTokens...

By process of (hours of) elimination I have solved a problem that was driving me batty today! I have a WSE 3.0 enabled client app that calls a WSE enabled web service. After creating a UsernameToken, the client application was setting the credentials on the web service proxy using the generic overload...

I am sending files to a web service in a vs2005 app using, of course, WSE 3.0. The only way I knew to prove to myself that it was really going up their using MTOM was to use Simon Fell's TCP Trace program that I wrote about in this past post . Here is with the MTOM "Client On" setting. Note the MIMEBoundary...

In WSE2.0, the recommended way to do authorization, was to attach a principal with role information to a SecurityToken in a custom UsernameToken manager (which you would be using to authenticate against anything but A.D.). Then in your web method, you can just get at that principal by returning the Context...

Now that WSE 3.0 is released, the next step is WCF, so I'm happy to see that Mark Fussell has moved from Program Manager of the WSE team onto the WCF team and is working on WCF security. Don't Forget: www.acehaid.org...

For those of you who have used WSE 2.0 or all of the pre-RTM bits of WSE 3.0, we are used to having a folder with the sample certificates inside of the WSE 3.0 program folder. Not finding this with the RTM bits, I did find out where the certs were in the MSDN forums . Mark Fussell says: The sample certificates...

Christian Weyer convinced me not to update my demo computer from WSE3 October CTP to WSE3 RTM when I have my WSE3 session this afternoon. I promised not to. BUt that just takes all the fun and challenge I could have added to my day (read just a little sarcasm into that statement...) Posted from BLInk...

WSE 3.0 is now fully released . Thanks to Mark, Sidd (the two I worked with most closely) and the whole team for all the work on this great product that I love to love. Hmm, I wonder if my session on Thursday will be the first presentation to use the full release of wse 3.0? Too bad it's only a one hour...

yippee!! What this means of course is that I will be making some last minute changes to my presentation computer 1 day before I do my What's new in WSE3.0 session at DevConnections. Hey, this is bleeding edge, right? I am willing to take the risk... :-) Currently I am running VS2005 RTM with the October...

One of the interesting new features of WSE 3.0 is the use of MTOM and ability to transmit binary data as a Mime attachment. I have seen a few demos of this (one in Mark Fussell's overview video , the other, a grok talk by John Bristowe ) where they used different tcp tracing tools (check out this one...

As I prepare for my last TechED SA session, What's New in WSE 3.0, every time I hit a slide that focuses on policy or look at a policy file in the code, I think to myself "boy I love wse3 policy." I really look forward to being able to do some conference sessions on just policy or articles in the near...

From the PAG Service Orientation workspace : Just Released: October CTP featuring WSE 3.0! (10/15/2005 • News ) We invite you to check out the latest release of the Web service security patterns. This release is a substantial improvement over the past releases. We’ve added even more patterns and updated...

Sounds like Paul Glavich was trying to manually process an incoming email message and get it into the pipelline. Finally he gave in and used the built in goo: Pipeline.ProcessInputMessage(soapEnvelope) and WSE did it's magic. Apparently it was some white spaces that were eluding him, but the WSE method...

Although I missed Mark's talk at PDC last Friday, I was still highly entertained by watching (again) his WSE 3 Overview talk from the WSE 3 SDRs. Mark has a lot of fun acting out many messaging scenarios such as timing out a telephone conversation with his mother to demonstrate a new feature for SecureConversation...

I have been meaning to mention how cool and informative the info is in the WSE3 trace files. Not only does it show you the soap, but leaves a step by step trail of processing. Here is a sample file from a simple HelloWorld request being made from a client using a UsernameoverX09 policy asserstion. <...

In WSE 2.0 we had the ability to run web services over TCPIP and other transports. Did you use it? I didn't. Too confusing. Loved the demos at TechEd & PDC, though. The Messaging API has in it SoapSender and SoapReceiver, but it is disconnected from all of the security I was doing with WSE - or maybe...

Since I didn't see the release notes are not on the website for WSE3.0 Beta1, I thought I would put the key bits here. Main Features Updated from the July CTP Release Wsewsdl3.exe can now produce ASP.NET proxy clients from an ASP.NET Web service over TCP using the /type: parameter. This setting determines...

The WSE 3.0 Beta was released today (or was that yesterday). It requires the August CTP of VS2005. Too bad I'm still waiting for the VSTS version of that since only the VS2005 Express bits are available for August CTP. [thanks Nathan ] www.acehaid.org...

When I first saw the Turnkey Security Scenarios in WSE3, I was a bit skeptical as I thought it was more wizards. I hate wizards. I have now seen the light, thanks to Sidd Shenoy's awesome WSE 3.0 Policy presentation that is online. Policy is just so completely different in WSE3 than [ read more... ]...

I am still on the ancient Beta2 with WSE 3.0 June CTP, but there are new bits out. The July CTP of VS2005 came out on MSDN (for suscribers only at this point) and soon after a new release of WSE3.0 came out to go with that (i.e. this requires the July CTP of VS2005). Note that there was a small problem...

1) MSDN Web Services Developer Center is repositioned as " Web Services and Other Distributed Techonlogies " 2) Guidance on when to use which technologies to use when in building distributed apps with todays tools from Rich Turner. Steve Swartz gave an excellent session on this advice at TechEd. 3) related...

I have started watching the taped WSE 3.0 SDR presentations. Here are some of my thoughts on what I am seeing and learning [ read more ...] [A DevLife post] www.acehaid.org...

Holy blank Batman! I don't know when these went up but I just found them thanks to Carter Maslan (you know the guy who does all the cool Longhorn demos !!) I think I'll just download them all in case they are there by mistake. :-) www.acehaid.org...

I just took a look at the WSE newsgroup and noticed that there are gobs of unanswered questions up there. Hey, WSE gurus, come help out! :-) I will go take a crack at ones I am confident on over the weekend, but many are out of my scope. There are much more knowledgeable people out there than me. ( microsoft...

I do, and I was sure to look to see if he created one for WSE3.0. Yes he did. Today , in fact. My hero! TechEd Speakers Charity Auction http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=5587400881...

Mark follows up his TechEd talk with an article on the Web Services Developer Center on MSDN. What's New in WSE 3.0 . I'll be reading this one this weekend! TechEd Speakers Charity Auction http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=5587400881...

I have been playing with WSE3.0 this week and when stuffing some credentials into my web service proxy the other night, I discovered that the new wse3 namespace method for doing that makes use of generics. This *is* designed to integrate specifically with ...[ more ]... [A DevLife post] TechEd Speakers...

I'm still thinking about the Turnkey Security Scenarios I saw demonstrated by Mark Fussell at TechEd as part of the WSE3 overview. I look at these scenerios as too canned and wizard-y for me, but ... [A DevLife post] TechEd Speakers Charity Auction http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=5587400881...

Oh, boy, if only I was taking my Compaq (my whidbey travel box) with me to TechEd, I'd have something to play with on the airplane to Orlando!!!!! But I have decided to bring my tablet and that's got VS2003 on it. http://www.AcehAid.org...

When I was at Devscovery, I was chatting with Jeff Richter over dinner about the work I have been doing with WSE. He asked me why I was working with a dead-end technology. I don't think it was a critical question, but .. [A DevLife post]. http://www.AcehAid.org...

I just had a call from a client with some big problems on their server that has IIS and SQL Server on it. Their most used application that interacts directly with SQL Server was having problems - from many computers and randomly throughout the application. I watched the SQL Server profiler and saw rpc...

Since I have an interest in WS-Federation and Liberty , I found this post from Tim Bray (by way of Robert Scoble ) also notable. It's very difficult to always know what the big picture is of things like these - especially since I am pretty uninvolved in Interop still. http://www.AcehAid.org...

Rebecca Dias: WS-* and Liberty Matt Powell Excellent News around Web Service Federation Hervey Wilson Moving On...Federation Calls... Active Directory Federation Server/Indigo/WS* - cool!!! http://www.AcehAid.org...

Thanks to everyone who attended my Web Services Security and ADO.NET 2.0 sessions. I have had so much awesome feedback on the security session which I really appreciate. The ADO.NET 2 talk is also one of my favorites. I could go on for days with that one as well. If you are looking for the slides for...

Bhagvan Chougule left a comment in one of my blog posts asking how I got WSE2 to install as part of my application install for an app that uses WSE2. I remember having a hard time figuring it out the first time, too, since I had never done this with any types of apps - not just WSE. So I thought I would...

I think it's time for me to start focusing on concepts like Contract First and tools like ThinkTecture's WSCF as well as Kirk Allen Evan's new WSE2 templates . Web Methods mask messaging from us and using them in VS.NET makes me think I am working with objects. I think I have done more than enough with...

This is my bookmark to an article I really want to read, but I want to do it away from email, i.m. and the phone. It is a topic that I get stuck on because I basically understand it, but not enough to deal with more detailed questions.. Routing Secured SOAP Messages Through Multiple SOAP Intermediaries...

For those that attended my afternoon workshop at ASP.NET Connections on Sunday, thanks so much for coming. I cannot tell you how much I enjoy teaching that particular session and I hope everyone got a lot out of it. I know from talking to a bunch of you that you did!! I have posted the powerpoint for...

As I am looking at my presentation for the 3 hour workshop I am doing on WSE Security at Connections in a few weeks, I am really excited about it. This the first time I won't have to cram all of this information in a short session - or skip a lot of it. I am going to have plenty of time to go over the...

I saw via The Daily Grind that there is a new service pack for WSE 2.0 , though without installing it to see the change doc, I didn't know what was in it. Of course, WSE FAQ has all the details ! http://www.AcehAid.org...

Jerry Dennany sums up his experience with working with WSE2 for a while . I have to agree with much of what he is saying which is why I have been working hard to try to digest as much as I can and spit it out for other developers to save them some of the pain of learning how to leverage WSE2 beyond just...

My favorite method of inspecting SOAP messages when I am working with WSE2.0 is Mike Taulty's WSE 2.0 Tracing Utility. Mike had to update the tool to work with SP2. If you use this tool, and have updated to SP2, be sure to grab the new version here . You will need to modify your config files as well...

At Web Services Edge, someone asked me in the hallway about doing WSE2 Security without X509 certificates. Although there is, out of the box, support for Kerberos (which I still know nearly zip about) and you can write custom tokens as well, I think the question was really about how to do security well...

Keith Brown's new article on MSDN Online is high on my reading list and will be incorporated into my WSE2 talk at DevConnections. UsernameTokens will be much more highly used than I think was originally planned for with WSE2. http://www.AcehAid.org...

Mark Fussell writes that the Hands on Labs for WSE2 have been updated for the SP2 version, added to and released. Mark refers to the first rev of these HOLs written by Aaron Skonnard , as "without doubt the best resource for getting up to speed with understanding WSE 2.0 quickly." I couldn't agree more...

I have to say I kind of enjoyed the excuse to work in C# when I went through the WSE2 Security Hands on Lab, but it's awesome to see that it has been updated to include VB examples too . Sometimes two learning curves at once is a little too much! Posted from BLInk!...

As per Hervey . Service Pack 2 is final and available on MSDN . Posted from BLInk!...

One of the very frequently asked questions on the WSE newsgroup is "what about whidbey". Right now, you just can't use WSE 2 with Whidbey (okay so I'm having fun with these W's...). But (via Matt Powell ) Hervey says that some of the worst hindrances have been dealt with and we should be able to start...

After the XML DevCon was over, Dare Obasanjo said it's time for some best practices on web services, not just "how to". I wasn't the only one to agree. Don Smith writes today about two Web Services Don'ts . Both things that I Do. Uggh. Well kind of. Don says to put all of the business logic for a web...

Hervey had to listen to me whine about this one. I have a remote web server and could not create policy files from the settings tool. "The Security Settings Wizard can support creating Policy files for remote service." thanks! It's minor, but helpful. A quick perusal of the readme which Hervey Wilson...

I haven't even read Hervey's post yet! (and booo hooo I'm buried in ADO.NET 2.0 perf tests at the moment) but here is what's new in this pre-release which can be downloaded and checked out. Posted from BLInk!...

Each time I talk to people about WSE2 in my presentations, I mention that we are relieved of the dependency on HTTPS and not only can we work with HTTP, but we also get to work with TCPIP naturally in the API. I have seen Keith Ballinger demo this twice now but have not played with it myself and am really...

I'm so happy I don't have any *real* interop to do with WSE2 (yet). I want to learn it first, then dig into the harder stuff (and let's not forget that this harder stuff, the interop, is the true intention of the WS* specs and therefore of WSE2, even if we do find it to be a nice neat way to deal with...

I had an awful moment in my WSE talk at ASPConnections thanks to great difficulty sleeping the previous night, so I want to be sure to write out my explanation of how a digital signature works here. I have what I know is a terrific visual diagram to help explain digital signatures. What confused me when...

Hooray John Bristowe for the WSEFAQ . This will be a great resource. I highly recommend you (John) peruse the newgroups to see what types of questions people are asking - especially the over and over ones like "X509 is not an option for me/my company ...now what?" Aaaargh! :-) Posted from BLInk!...

Thanks Benjamin for this info on how to encrypt a UsernameToken . I didn't happen to see it anywhere else. I mostly liked looking at the soap message to see the effect (note that username="John", password="Doe" and I am hashing the password in both cases and then encrypting the UsernameToken in the AFTER...

Did I happen to mention that I have WSE2 running in a production app? We are replacing the old version of the app with the new one a few users at a time at the client site and on the laptops as well as at the few remote sites. They won't know the difference, but I sure do! Posted from BLInk!...

Dare Obasanjo asks for prescriptive guidance for developers on when web services and ws-* should be used. This goes past the "web services or remoting?" question that we have all seen that chart for. (sorry , can't link to an example - but surely you've seen it). I am using web services in a non-interop...

Here is a very good reason - note the writers of the comments, too. Plumbers! (by way of Casey ) Posted from BLInk!...

(re my I give up on wse2 without x509 post ) I followed another thought this morning and was able to get one form of encryption working although it's not totally satisfactory. By signing my requests with a username token (and policy automatically uses a derivedkey token of that) I can just use that token...

Since I have no idea when the admins responsible for my client's servers will put an x509 cert on the webserver, I have decided to set aside all of the work I have been doing to apply wse2 to one of their existing applications and get on with my life. I have learned a lot. I will continue to dig into...

yeah - I'm pouting. Whine whine whine...and whimper, too. I'm coming up against one brick wall after another after another trying to run some of the wse2 samples so I can try to understand how some of these things work. I don't know if I'm setting things up improperly or what. I wish I could get Don...

I have been racking my brain trying to figure out how to pass info from one managed application to another that is in a separate process. I'm thinking of all of the tools that I know how to work with and none of them make me happy. The information is user information as I have the user login to one app...

When you create a policy in an WSE2 enabled client app in Visual Studio using the WSE Settings tool, your policycache.config file will likely be in the root directory of the application development folder because that is the default setting and I know everyone loves to just use those defaults. Your app...

Here is a great analogy that is going to be very useful in helping people grok security tokens written by Steve Maine. I think it is immimently important for people to understand these building blocks that are being used in web service security, whether they go with WSE or not. Anything that can make...

Softwaremaker , Benjamin Mitchell , Sam Gentile and some others have been having a conversation about Indigo. I wanted to chime in on a particular point Benjamin made about Indigo that is also about WSE which is building up to Indigo. one of the reasons I’m so excited about Indigo is this focus...

I am taking the plunge and trying to answer some (of the simpler) questions on the WSE newsgroup. It's a little scary. I know I know this stuff (where I dare to answer) but there is this little voice in the back of my head that says “what if you don't REALLY know it and you are just misinforming...

well it wasn't a late night when I started. I had to do some reconfiguration on the machine that I am using to do my wse2 demo tomorrow night at GUVSM in Montreal. I am recreating some of these demos from scratch so I was practicing... ;-) Suddenly I was getting errors on my user of an X509 Certificate...

I have been reading a lot and looking at the sample, but not until I literally stepped through step by step in the samples for SecureConversation and CustomXMLSecurityToken that are part of the extensive list of samples provided with the WSE2 SDK, did I really start grokking things enough so that I can...