afin

Reputation: 546

Password Digest authentication in WSE3

I was able to implement the method AuthenticateToken and authenticate the user when the given password is in plain text.

Is it possible to authenticate the user when the given password is hashed (PasswordDigest)? If so, please shed some light. Thanks in advance.

Upvotes: 0

Views: 384

Answers (1)

afin

Reputation: 546

I found the solution. Yes, it is possible to authenticate the user when the password in the SOAP header is a PasswordDigest.

No change is needed in the AuthenticateToken implementation; the implementation is the same (returning the original password string) for both plain-text and hashed passwords.

During debugging, I learnt that the following line in the "ComputePasswordDigest(byte[] nonce, DateTime created, string secret)" method of the "Microsoft.Web.Services3.Security.Tokens.UsernameToken" object was preventing the correct password digest from being computed.

byte[] bytes = Encoding.UTF8.GetBytes(XmlConvert.ToString(created.ToUniversalTime(), "yyyy-MM-ddTHH:mm:ssZ"));

I defined the same method locally and changed the above line as follows, so that the format includes milliseconds: "yyyy-MM-ddTHH:mm:ss.fffZ".

I then implemented the "VerifyHashedPassword(UsernameToken token, string authenticatedPassword)" method of the "Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager" object to call my local method instead of the "ComputePasswordDigest(byte[] nonce, DateTime created, string secret)" method of the "Microsoft.Web.Services3.Security.Tokens.UsernameToken" object. Now it works like a charm.

byte[] bytes = Encoding.UTF8.GetBytes(XmlConvert.ToString(created.ToUniversalTime(), "yyyy-MM-ddTHH:mm:ss.fffZ"));

Upvotes: 0
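The mismatch described in the answer, reproduced at the protocol level as an added example (not the poster's code and not WSE3 code): the WS-Security UsernameToken Profile defines the digest as Base64(SHA-1(nonce + created + password)), so the server must hash the same Created text the client hashed. The nonce, timestamp, password and function names below are constructed for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone


def password_digest(nonce: bytes, created_text: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) per the UsernameToken Profile."""
    data = nonce + created_text.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def format_created(created: datetime, with_millis: bool) -> str:
    """Re-serialize a parsed timestamp in the two formats quoted in the answer."""
    utc = created.astimezone(timezone.utc)
    if with_millis:  # "yyyy-MM-ddTHH:mm:ss.fffZ"
        return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"
    return utc.strftime("%Y-%m-%dT%H:%M:%SZ")  # "yyyy-MM-ddTHH:mm:ssZ"


def verify(nonce_b64: str, created_text: str, sent_digest: str, password: str) -> bool:
    """Recompute the digest from the stored password and compare in constant time."""
    expected = password_digest(base64.b64decode(nonce_b64), created_text, password)
    return hmac.compare_digest(expected.encode("ascii"), sent_digest.encode("utf-8"))


# Constructed sample message: this client puts milliseconds in wsu:Created.
NONCE_B64 = base64.b64encode(bytes(range(16))).decode("ascii")
CREATED_TEXT = "2024-01-15T10:30:45.123Z"
PASSWORD = "example-password"
SENT_DIGEST = password_digest(base64.b64decode(NONCE_B64), CREATED_TEXT, PASSWORD)

# What the server holds after parsing wsu:Created into a date/time value.
CREATED = datetime(2024, 1, 15, 10, 30, 45, 123000, tzinfo=timezone.utc)

if __name__ == "__main__":
    for with_millis in (False, True):
        text = format_created(CREATED, with_millis)
        ok = verify(NONCE_B64, text, SENT_DIGEST, PASSWORD)
        print(f"{text:26} digest matches: {ok}")
```

Hashing the Created text exactly as it appeared in the message avoids depending on either format; a fixed `.fff` format fails in the same way for a client that sends whole seconds.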
