Managing security scenarios with MSE

Topics: Usage Scenarios
Dec 10, 2008 at 11:29 AM
Edited Dec 10, 2008 at 1:07 PM

We've been evaluating MSE for the past few weeks, and find that there's little information on managing different security scenarios in MSE. IT WOULD BE OF GREAT HELP TO ALL if someone could provide documentation of the different security concepts (MSE Virtual-Service Security vs. Service Security) with some examples, i.e. how to ensure end-to-end security while integrating services with MSE.
For example, if the service endpoint uses netTcpBinding and message security with userName, then what are the steps needed to ensure it continues to work when virtualized through MSE, probably exposed over https/basicHttpBinding? Where do we define the "virtual-security" of the virtualized service to be then mapped to the physical service?

Best Regards
Bangalore. India.
Dec 11, 2008 at 2:45 AM
The MSE Security Guide has now been added to the current June 2008 CTP release of the MSE.  This guide comes as both a document (XPS & PDF formats) along with sample source code implementing all the examples shown in the guide.  This is the initial release so we are very interested in feedback.  In addition we plan to add an end-to-end sample of at least one of the examples discussed in the guide.

Dec 11, 2008 at 12:12 PM
Edited Dec 11, 2008 at 12:57 PM
Thanks botto.

I'm beginning to understand MSE and look forward to evaluating the CTP (I am already). I was just wondering, w.r.t. "Service Virtualization", how does MSE provide a CONTAINER for defining various Service Communication Protocols and Security requirements (I see it does support most common protocols; what about wsHttpFederatedBinding, any plans)? It does address the issue of Service Location, I can see that.

But abstraction of SECURITY details from the service was something I couldn't figure out how it was implemented in MSE. That's why I felt a need for some guidance as to how one practices the security features of a service in a virtualized environment. I have worked using the Configuration Services, typically in point-to-point service integration, and it provides a clean separation of service implementation and deployment/host, i.e. configuration. I just wonder how MSE does it. Does it provide any means, or do the configurations continue to reside with the physical service? Meaning the service's security configurations are applied as per the physical service host and not the MSE virtual host.

How should one visualize the MSE runtime: as a virtual host for services with its own management of service communication protocols, security, location and policies, or as extending the physical service host (i.e. being part of the service's host) while providing an interface to manage location abstraction, message handling etc.?

              [MSE Virtual-host] - Common place to manage all services and their end-points, binding (protocols, security), transformation etc.
                 /          \
                /            \
[Physical Service1-host]        [Physical Service2-host]
- Only service implementation   - Only service implementation
- No configuration              - No configuration

              [MSE Virtual-host] - Part of every physical service-host, but provides an extension and interface to manage location independence, message transformation, policies etc.
                 /          \
                /            \
[Physical Service1-host]        [Physical Service2-host]
- Service implementation        - Service implementation
- Service Configuration         - Service Configuration


Dec 11, 2008 at 4:00 PM

I may not understand your questions completely but I hope the following helps.

The MSE Virtual host is able to project service definitions (i.e. WSDL) that are distinctly different than the service implementation.  The differences can include message exchange pattern (request/response, one-way), message & data contracts, bindings, and security (authentication & authorization).  Within the MSE repository we store the information about how to invoke the service implementation.  When projecting a service definition with the MSE that is different than the service implementation it is common to leverage the extensibility points in the MSE to fully enable some translations from the MSE to the service implementation.

The Virtual hosts in MSE allow you to manage security independently of the service implementation.  For example, we can use a WSHttpBinding with Transport security and UserName credentials at the MSE endpoint.  By defining Policy for this endpoint we can plug in the appropriate mechanism to authenticate and authorize access based on the incoming UserName credentials.  From there, the message can be forwarded to a service implementation that uses a NetTcpBinding with Windows credentials.

Ultimately the goal should be to manage security within the virtual layer since it can be layered on through policy and is indifferent to the service implementations.  If you had service implementations that were a database stored procedure, Java services, MSMQ, etc., in the MSE virtualized environment you can apply a common policy to the endpoints regardless of the fact that for each service implementation the MSE will need to use different bindings, transformation, and credentials.

If you change your underlying service implementations, you would make appropriate updates to the MSE Repository so it could continue to send messages, but ultimately the consumers of the MSE virtual endpoints would not need to know about the change.

Hope that helps.

Dec 11, 2008 at 7:44 PM
Edited Dec 11, 2008 at 8:03 PM

Hello botto

That was very clear, it answers my question. Appreciate your time.

I hope to see some samples on security policies, since that's one of the primary concerns before opting for any platform. Just a Q: what happens if no security policy is applied to an endpoint in the virtual host, does the physical endpoint's configuration continue to apply? I'm looking forward to fully evaluating MSE now. I see some updates to the security documents and sample code being made today, will have a look.

Best Regards


Dec 13, 2008 at 6:41 PM
Edited Dec 13, 2008 at 6:48 PM
Hello botto!

Continuing on my prev question, I have been going through the latest security document & samples, and I hope you can help me understand their application in the following scenario:

1. BasicHTTP/SSL + userName client-credentials <--> NetTcp + userName client-credentials

 - Suppose we have a physical service endpoint using NetTcpBinding, message security, userName
   client-credentials. If this was to be exposed as a virtual-service endpoint in MSE which
   uses BasicHttp over SSL and userName client-credentials, then how do we configure it
   in MSE?
   I see you're applying the MSE's defined certificate for the virtual-ep by implementing the
   IServiceBehavior interface, so between the client and the MSE virtual-ep the messages are encrypted
   by this cert.
   How do we use these samples, for ex. the EndpointSecurityBehavior sample, where should the
   compiled assembly be deployed?


Dec 15, 2008 at 5:12 PM
When you build the sample code from the security guide, deploy the DLL in the same folder where MSE is installed.  One of the examples shows how to flow UserName client credentials through the MSE so that should get you going.  Since you are using SSL, you will need to set the service certificate in policy as well as make sure the cert can be used for SSL and associate it with a port.  See the links in the security guide under Common Issues if you need additional info on creating and configuring certificates for SSL.
Dec 16, 2008 at 11:52 AM
Edited Dec 16, 2008 at 2:56 PM
Thanks Botto.

Ok, I am trying to expose a physical svc (netTcpBinding and message security, userName clientcredentials) as a virtual endpoint with wsHttpBinding and message security and userName clientcredentials.
- I have built the Microsoft.MSE.Behaviors.Security sample as-is from the download and put the assembly in the MSE runtime folder.
- Then I have edited the Microsoft.MSE.Runtime.ServiceHost's config file and added the SQL connection string and enabled roles.
- I then have defined a new Binding in MSE that uses wsHttpBinding and message security with userName credentials.
- I then defined an endpoint-policy in MSE and defined a behaviour to use the sql-membership and role provider and service certificate.
The virtual endpoint is hosted on the MSE runtime, and I'm able to browse the service's WSDL.

But when I create a service-ref using svcutil, the resulting client config doesn't contain a binding of wsHttpBinding but instead has customBinding. I'm not sure if I missed any step, could you help? Below are the MSE Runtime config changes, the MSE Binding I added and the policy I added.

Microsoft.MSE.Runtime.ServiceHost's config :
<system.web>
  <roleManager enabled="true"/>
</system.web>
<connectionStrings>
  <add name="SqlProviderConnection" connectionString="Data Source=my-server;Initial Catalog=mydb;User Id=sa;Password=xyz;"/>
</connectionStrings>

MSE Binding called WsHttp (message-sec):

<bindings xmlns="">
  <binding name="vPgisWsHttpBinding">
    <security mode="Message">
      <message clientCredentialType="UserName"></message>
    </security>
  </binding>
</bindings>

MSE Policy called SQL Security:

<PolicyModel xmlns="" xmlns:mse="clr-namespace:Microsoft.MSE.Runtime.Services.Behaviors;assembly=Microsoft.MSE.Runtime.Services" xmlns:x="" xmlns:wcf="clr-namespace:System.ServiceModel.Configuration;assembly=System.ServiceModel" xmlns:sec="clr-namespace:Microsoft.MSE.Behaviors.Security.Configuration;assembly=Microsoft.MSE.Behaviors.Security" xmlns:sec2="clr-namespace:Microsoft.MSE.Behaviors.Security;assembly=Microsoft.MSE.Behaviors.Security" xmlns:sys="clr-namespace:System;assembly=mscorlib">
<sec:ServiceCertificate StoreLocation="LocalMachine" StoreName="My" FindType="FindBySubjectName" FindValue="my-server">
<sec2:MembershipUserNameServiceCredentials FlowUserNameToken="True">
<sec:MembershipProvider ConnectionStringName="SqlProviderConnection" ApplicationName="/">
<sec:RoleProvider ConnectionStringName="SqlProviderConnection" ApplicationName="/">

The virtual endpoint has just one operation and is hosted on a runtime.
The generated client config looks like this: 



<customBinding>
  <binding name="svc_vPGISSoap12">
    <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" messageVersion="Soap12" writeEncoding="utf-8">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
    </textMessageEncoding>
    <httpTransport manualAddressing="false" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous" realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false" useDefaultWebProxy="true" />
  </binding>
</customBinding>
<client>
  <endpoint address="http://my-server:9300/vPGIS" binding="customBinding" bindingConfiguration="svc_vPGISSoap12" contract="svc_vPGISSoap" name="svc_vPGISSoap12" />
</client>

and continuing to use this config results in the following error on the client side:

An error occurred while receiving the HTTP response to http://my-server:9300/vPGIS. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more detail
The underlying connection was closed: An unexpected error occurred on a receive.

I get the same result for even the sample calculator service when hosted as net.tcp with membership security and roles and corresponding MSE security same as above.


Dec 16, 2008 at 3:34 PM
This is a known issue and should be fixed in our next release.  It is covered by the logged issue "Service Tester Discovering WS* Endpoints".  The issue is with how the MSE runtime projects WSDLs.  You'll need to update the client config with the proper WCF binding.  You can copy it from the binding in the MSE Management tool.
Dec 16, 2008 at 5:10 PM
Edited Dec 16, 2008 at 6:28 PM
Thanks botto.

I now manually edited my client's config as follows:
<bindings>
  <wsHttpBinding>
    <binding name="WSHttpBinding_ICalculator" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
      <security mode="Message">
        <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
        <message clientCredentialType="UserName" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<client>
  <endpoint address="http://my-server:9200/vCalc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_ICalculator" contract="svc_vCalcSoap" name="svc_vCalcSoap12">
    <identity>
      <certificate encodedValue="AwAAAAEAAAAUAAAAirP8 ---DELETED FOR CLARITY ---/>
    </identity>
  </endpoint>
</client>
I pass the client credentials in code as follows:
clientProxy = new svc_vCalcSoapClient();
clientProxy.ClientCredentials.UserName.UserName =
clientProxy.ClientCredentials.UserName.Password =
int ret = clientProxy.AddIntegers(1, 2);

But I still receive FaultException as:
      The username is not provided. Specify username in ClientCredentials.

Just an observation: if I give a wrong username or password I get the MessageSecurityException:
      An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.
That means the credentials are getting validated, but when I give correct credentials, it probably isn't flowing to the physical service? Even if I shut down the actual physical service the same exception is thrown at the line where the client proxy makes the operation call.
Here's the MSE Event-Viewer stack-trace:
Error in BeginRequest: The username is not provided. Specify username in ClientCredentials.
stack trace:
Server stack trace:
at System.ServiceModel.ClientCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, Boolean disableInfoCard)
at System.ServiceModel.ClientCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement)
at System.ServiceModel.Security.SecurityProtocol.AddSupportingTokenProviders(SupportingTokenParameters supportingTokenParameters, Boolean isOptional, IList`1 providerSpecList)
at System.ServiceModel.Security.SecurityProtocol.OnOpen(TimeSpan timeout)
at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open()
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at System.ServiceModel.ICommunicationObject.Open()
at Microsoft.MSE.Runtime.Services.Broker.BrokerServiceInstance.BeginRequest(Message message, AsyncCallback cb, Object state)





Dec 16, 2008 at 7:01 PM
Take a look at the Flowing UserName Credentials example in the security guide.  It talks about applying a policy to the channel the MSE uses to invoke the physical service.  Your previous posts didn't reference this additional policy, so my guess is you haven't applied it.  This is needed since you are spanning 2 security contexts. The Endpoint policy captures the credentials (<MembershipUserNameServiceCredentials FlowUserNameToken="True">) and a channel policy uses the captured credentials when invoking the physical service.
Dec 16, 2008 at 8:13 PM
Right botto... just did that. I defined a new policy as follows:

<PolicyModel xmlns="" xmlns:mse="clr-namespace:Microsoft.MSE.Runtime.Services.Behaviors;assembly=Microsoft.MSE.Runtime.Services" xmlns:x="" xmlns:wcf="clr-namespace:System.ServiceModel.Configuration;assembly=System.ServiceModel" xmlns:sec="clr-namespace:Microsoft.MSE.Security.Configuration;assembly=Microsoft.MSE.Security" xmlns:sys="clr-namespace:System;assembly=mscorlib">

<sec:IdentityAwareChannelElement IdentityFlowType="UserNameToken">





and assigned it to the channel. I get this error message now:
The tag 'IdentityAwareChannelElement' does not exist in XML namespace 'clr-namespace:Microsoft.MSE.Security.Configuration;assembly=Microsoft.MSE.Security'. Line '1' Position '470'.

Dec 16, 2008 at 8:56 PM
That is a mistake in the Security guide.  The "sec" namespace should be defined as:
There are example policies defined in the source code solution under the "Examples" folder that have the correct namespace declarations. 

Likewise, some policies reference a "sec2" namespace that should be defined as:

Thanks for finding that. I'll update the document and re-post it so others don't have this problem.


Dec 17, 2008 at 7:06 AM
Edited Dec 17, 2008 at 8:07 AM
Ok thanks. It's going through now. I hope to explore more scenarios, and will get back to you. Take care.

Just one Q: for an MSE hosted endpoint with netTcpBinding, where's the right place to define the base-address, i.e. for metadata exchange for the client to create a reference from? Also it looks like when we apply a new policy, for ex. a channel policy in MSE to an imported channel, it doesn't seem to refresh the settings on the endpoint. The old endpoint does get unloaded, but doesn't seem to restart with new policies until we manually restart the MSE service. And finally, when the physical service is down, the MSE seems to return an exception pointing to the physical service's endpoint details, such as the actual address, as being unavailable. Should the consumer know the details of the physical service like this, or is it just in the CTP release?

Jan 19, 2009 at 8:58 AM
Edited Jan 19, 2009 at 9:22 AM

In a cross-domain service integration scenario, suppose we want to have a common Policy Enforcement Point (PEP), I guess
having chosen MSE for virtualization, it's the ideal place to implement PEP policies such as for Identity ?

Do you have any sample Policy XAML for STS based security in MSE?

Also what if you want to add to that policy something about service level agreements? Say, you're only allowed to use that service between the hours of 8 a.m. and 5 p.m., just as an example. Or you're only allowed to use that service 200 times a day. And as part of access control, you need to be a member of this particular group to use that service. How do you convey those things?
Jan 27, 2009 at 2:33 AM
Your questions regarding various aspects of service level agreements would be handled in custom policies you created.  These policies would be implemented probably by WCF MessageInspectors and would take into consideration the identity of the caller to determine the appropriate SLA... which could really be anything from routine requests to appropriate servers for "Platinum" customers, or limiting the total # of requests per day/hour, etc.

The MSE provides the foundation for policy based solutions you can apply across all your virtualized services.

Finally, for the STS scenario, we do not have examples at this time but this can be implemented provided you configure the correct bindings and WCF behaviors.
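
The SLA checks discussed in the reply above (service hours of 8 a.m. to 5 p.m., 200 calls a day, membership of a group) could be enforced by a WCF dispatch message inspector along these lines. This is an added example, not code from the MSE project or its security guide: the class names, the role name passed in and the in-memory per-process counter are assumptions, and wiring the behavior into an MSE policy is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Web.Security; // Roles.IsUserInRole, backed by the configured role provider

// Hypothetical class names; only the WCF and System.Web.Security types are real.
public sealed class SlaInspector : IDispatchMessageInspector
{
    private readonly string requiredRole;
    private readonly int dailyLimit;
    private readonly object gate = new object();
    private readonly Dictionary<string, int> calls = new Dictionary<string, int>();
    private DateTime counterDay = DateTime.MinValue;

    public SlaInspector(string requiredRole, int dailyLimit)
    { this.requiredRole = requiredRole; this.dailyLimit = dailyLimit; }

    // Pure decision logic: returns null to allow the call, or a reason to deny it.
    public string Evaluate(string user, bool inRole, DateTime now)
    {
        if (string.IsNullOrEmpty(user)) return "no authenticated caller"; // fail closed
        if (!inRole) return "caller is not in the required group";
        if (now.Hour < 8 || now.Hour >= 17) return "outside service hours";
        lock (gate)
        {
            // Assumption: counters live in memory and reset when the local date changes.
            if (now.Date != counterDay) { calls.Clear(); counterDay = now.Date; }
            int used;
            calls.TryGetValue(user, out used);
            if (used >= dailyLimit) return "daily quota exhausted";
            calls[user] = used + 1; // only allowed calls consume quota
        }
        return null;
    }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        // Identity established by the endpoint's security binding (e.g. UserName credentials).
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        string user = (ctx == null || ctx.IsAnonymous) ? null : ctx.PrimaryIdentity.Name;
        bool inRole = user != null && Roles.IsUserInRole(user, requiredRole);
        string denial = Evaluate(user, inRole, DateTime.Now);
        if (denial != null) // the fault carries only the policy reason, no backend details
            throw new FaultException("Request rejected by policy: " + denial);
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

// Attaches the inspector to every operation dispatched on the endpoint.
public sealed class SlaEndpointBehavior : IEndpointBehavior
{
    private readonly SlaInspector inspector;
    public SlaEndpointBehavior(SlaInspector inspector) { this.inspector = inspector; }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection p) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher)
    { dispatcher.DispatchRuntime.MessageInspectors.Add(inspector); }
    public void Validate(ServiceEndpoint endpoint) { }
}
```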