I'm trying to create some basic functionality of Lync/Skype Client through SIP and HTTP communication. Our tool is written in C++. I have finished authentication part for NTLM and Kerberos, but I'm having serious problems with implementing TLS-DSK authentication.
I used these tutorials:
I tried to work with my own TLS implementation (based on Windows SSPI), but I see there is a way to use web services for that part, as it is written in 1.3.3 MS-OCAUTHWS. Before I use Authentication Broker Service, I need to access Web Ticket Service to access the ticket. I have received the web ticket and I signed it.
Here is my web ticket:
<wsse:Security>
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="timestamp">
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-05-12T07:47:43.3671158Z</Created>
<Expires xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-05-12T15:44:04.3671158Z</Expires>
</wsu:Timestamp>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7" Issuer="https://lync.domain.com:4443/108486a8-f2cf-5123-84f4-1ddecb41a6e9" IssueInstant="2016-05-12T07:47:43.368Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2016-05-12T07:47:43.367Z" NotOnOrAfter="2016-05-12T15:44:04.367Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://lync.domain.com/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2016-05-12T07:47:43.368Z">
<saml:Subject>
<saml:NameIdentifier Format="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/uri">sip:user@domain.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256" />
<KeyInfo>
<KeyName>108486a8-f2cf-5123-84f4-1ddecb41a6e9:8d37a331603249e</KeyName>
</KeyInfo>
<e:CipherData>
<e:CipherValue>ZZ1P9UwMNA8yX3Z0l07rWUX1Cpuh+2HJYh2fjTWlhCBMpnIT3fEzog==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>/2L09RaIuIcwF5sVHrs7jmG0sXuY0x3gOGZLnUu/ziw=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>6VUfrCdK1VpXSSol1XkP2Ba/2rX6dz6o1NBEMT1LYsveYaAgoy/W16gPaJFb8TloqMZ8R+FE91opbSkSjbzwCNW+0q/SuJNYyk0j1tfdpk+URP1xpMq+P1wUVhoj++t9QAuL9ztY7YJ4IFm6nsDzq6LAZ+Ji3InbpGDmOPE/bU8lyqXaJbn6DWnPno+XrkRhSveVN1Twx7sqkbcEPRnMC089iTtNphTPJwNjeB2nRgqEsv4eSrHWB3o2wxs0rq4Xy5LnDhAbvH6hYmuLhwt5U4gDR72JTW65GuLGj5UrIv7xJVpK/O6ghp+JGCaJaP7EI2lQpztlkr7t1jpYXgANFw==</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">WeGZMVqOctvQlI9rdMdRF8ArzLA=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</saml:Assertion>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#timestamp">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>YLf+iJEV9ZI7QqX4gl8WWRyrJcY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>WgXPtLNvWPal9becoTXQq+liku0=</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference wsse:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
I used it in GetAndPublishCert and it worked fine (200 OK). However, when I pass the same ticket to the Authentication Broker Service, it gives me 500 Internal Server Error.
Here is my request:
POST /Reach/sip.svc/AuthBroker HTTP/1.1
Host: lync.domain.com
Content-Type: text/xml
Content-Length: 5175
SOAPAction: "http://tempuri.org/IAuthBroker/CreateAuthBrokerSession"
User-Agent: Hypersoft
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<soap:Header>
<wsa:Action>http://tempuri.org/IAuthBroker/CreateAuthBrokerSession</wsa:Action>
<wsa:MessageID>uuid:70de6ed0-5279-44db-956a-84109a5a1a95</wsa:MessageID>
<wsa:To>https://lync.domain.com/Reach/sip.svc/AuthBroker</wsa:To>
<wsa:ReplyTo>
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:ReplyTo>
+ above WebTicket
</soap:Header>
<soap:Body>
<a:CreateAuthBrokerSession xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:a="http://tempuri.org/">
<a:supportedHashAlgorithms>
<string>SHA1</string>
<string>SHA256</string>
<string>SHA384</string>
<string>SHA512</string>
</a:supportedHashAlgorithms>
</a:CreateAuthBrokerSession>
</soap:Body>
</soap:Envelope>
And this is what I'm receiving from the server:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 572
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/8.5
X-MS-Server-Fqdn: lync.domain.com
X-MS-Correlation-Id: 2147501677
client-request-id: 6801bbde-5331-4a0d-80d4-f490186e18a1
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Powered-By: ARR/2.5
Date: Thu, 12 May 2016 07:48:25 GMT
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
<a:RelatesTo>uuid:70de6ed0-5279-44db-956a-84109a5a1a95</a:RelatesTo>
</s:Header>
<s:Body>
<s:Fault>
<faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</faultcode>
<faultstring xml:lang="en-US">An error occurred when verifying security for the message.</faultstring>
</s:Fault>
</s:Body>
</s:Envelope>
Do I need the different WebTicket for the Authentication Broker service? How to create the session?
I found the reason why I was getting error 500. WebTicket signing is not needed for AuthBroker, so the part with "Signature" has to be removed. Also in header, property "ReplyTo" has to be removed.
Now I'm getting 200 OK for all broker activities.