
Windows CardSpace Support

This evening I eventually got around to finishing something on my blog I've been meaning to do for quite some time: I enabled experimental support for Windows CardSpace based logons (and other compliant identity selectors) to dotnet.org.za.

If you've got an account on the site you'll see a new option listed under your profile which allows you to associate an Information Card with your Community Server account; the card can then be used for subsequent logins to the site. (For more information on how CardSpace works, have a look at the .NET FX3 or CardSpace sites.)

Some notes on the experimental integration with the site at the moment:

  1. You'll need a recent IE 7 and .NET FX 3 RC1. I haven't tested with the Firefox or other browser plugins yet.
  2. When I initially bought the SSL certificate for the site I just bought it from GoDaddy, where I usually register domains, without properly checking which certificates they sell :( They resell Starfield certificates, which browsers don't support out of the box, so you might need to download and install their intermediate certificate from here to get CardSpace to work. I'll update this at some stage in the future, hopefully with a HA certificate - budget allowing.
  3. Both SSL and non-SSL connections to the login and profile pages are allowed, so you'll need to switch to SSL manually to use CardSpace. I haven't added any browser or CardSpace support checks, so unsupported browsers will get an annoying "missing plug-in" warning when viewing the CardSpace enabled pages. Also, forcing SSL on those pages would bombard every user who doesn't have the Starfield Intermediate certificate installed with certificate warnings and popups.
  4. Use at own risk. "It works on my machine", but that generally seems to be the case with software development, so your mileage may differ :-) Please let me know if you run into problems.

[Update] 5. The email address field of your self-issued Infocard should match the email account used on dotnet.org.za.

[Update] 6. Make sure you have imported the Starfield Intermediate certificate mentioned in step 2 as a trusted issuer. Lesson learned, I won't buy a cheap SSL cert again.


I'll document and upload the source code for the controls in a follow-up post later this week. In summary it consists of a couple of ASP.NET controls that take care of the plumbing, like activating the ICS and processing the tokens, as well as some Community Server controls to enable CardSpace integration in Community Server. The ASP.NET controls can be used separately from CS to CardSpace-enable any ASP.NET site without too much effort.
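To make the "processing the tokens" step and the email-matching rule from update 5 concrete, here is an added example of the checks a relying party runs on a self-issued card token once it has been decrypted and its signature verified. This is not the post's own control code or anything from Community Server; it is a Python sketch that assumes the decrypted token is a SAML 1.1 assertion carrying the standard CardSpace claim names (`emailaddress`, `privatepersonalidentifier`) under the `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` namespace, and the sample assertion, account store, card identifier and timestamps are all constructed values. The point it illustrates: the email claim on a self-issued card is whatever the user typed into the card, so matching it against the registered address is a consistency check, not the authenticator; what actually ties the card to the account is the site-specific PPID that was stored when the card was associated with the profile. Each failure returns a distinct reason instead of a single "Error occurred processing token".

```python
"""Relying-party claim checks for a decrypted CardSpace self-issued token.

Added example, not code from the dotnet.org.za controls. Assumes the
token has already been decrypted and its XML signature verified; what
remains is the SAML 1.1 assertion built below from constructed values.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
EMAIL_CLAIM = "emailaddress"
PPID_CLAIM = "privatepersonalidentifier"
SITE_AUDIENCE = "https://dotnet.org.za/"  # assumed audience URI for the site


def build_assertion(email, ppid, not_before, not_on_or_after, audience=SITE_AUDIENCE):
    """Construct a sample assertion shaped like a decrypted self-issued token.

    Subject/KeyInfo and the signature are omitted: they are assumed to have
    been checked before this stage. Every value here is made up.
    """
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
  AssertionID="uuid-constructed-example" IssueInstant="{not_before}">
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="{EMAIL_CLAIM}" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>{email}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="{PPID_CLAIM}" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>{ppid}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return (claims dict, NotBefore, NotOnOrAfter, list of audiences)."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("AttributeNamespace") != CLAIMS_NS:
            continue  # ignore claims outside the identity claims namespace
        value = attr.find(f"{{{SAML_NS}}}AttributeValue")
        claims[attr.get("AttributeName")] = (value.text or "").strip()
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    audiences = [a.text.strip() for a in root.iter(f"{{{SAML_NS}}}Audience")]
    return claims, cond.get("NotBefore"), cond.get("NotOnOrAfter"), audiences


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def authenticate(assertion_xml, accounts_by_ppid, now, site_audience=SITE_AUDIENCE):
    """Map a verified assertion to a username.

    Returns ("ok", username) or ("error", reason). Lookup is by the
    site-specific PPID stored when the card was associated with the
    account; the email claim is only checked for consistency afterwards.
    """
    claims, not_before, not_on_or_after, audiences = extract_claims(assertion_xml)
    if site_audience not in audiences:
        return ("error", "token was issued for a different site")
    if not (parse_time(not_before) <= now < parse_time(not_on_or_after)):
        return ("error", "token is expired or not yet valid")
    ppid = claims.get(PPID_CLAIM)
    if not ppid:
        return ("error", "token carries no PPID claim")
    account = accounts_by_ppid.get(ppid)
    if account is None:
        return ("error", "card is not associated with any account")
    email = claims.get(EMAIL_CLAIM, "")
    if email.lower() != account["email"].lower():
        return ("error", "card email does not match the registered email")
    return ("ok", account["username"])


# Constructed account store: PPID recorded at association time -> account.
ACCOUNTS_BY_PPID = {
    "CONSTRUCTED-PPID-0001": {"username": "matt", "email": "matt@example.com"},
}
NOW = datetime(2006, 10, 18, 10, 42, tzinfo=timezone.utc)
GOOD_TOKEN = build_assertion("matt@example.com", "CONSTRUCTED-PPID-0001",
                             "2006-10-18T10:40:00Z", "2006-10-18T10:45:00Z")

if __name__ == "__main__":
    print(authenticate(GOOD_TOKEN, ACCOUNTS_BY_PPID, NOW))
```

Run as a script it prints `('ok', 'matt')`; swapping the email, the PPID, the audience or the clock produces the corresponding distinct error, which is the verbosity the author promises in the comments below.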


Comments

# Ernst Kuschke said:

Man, that is uber-cool!

Wednesday, October 18, 2006 10:46 AM
# Armand du Plessis said:

Passwords are for wimps :P

Wednesday, October 18, 2006 10:52 AM
# matt said:

I get "Error occurred processing token".

Using Vista RC2.

Wednesday, October 18, 2006 1:46 PM
# Armand du Plessis said:

Hi Matt,

I'll make the error messages more verbose. Are you possibly using a different email address on your information card than your registered email address on dotnet.org.za?

At the moment I require the two to match.

Wednesday, October 18, 2006 1:55 PM
# Thea Burger said:

Installed .NET FX3, IE 7 and Starfield cert on XP SP2.

It works and it is unbelievably cool!!! :D

Wednesday, October 18, 2006 2:14 PM
# matt said:

That's the problem then! Working!

Wednesday, October 18, 2006 4:25 PM
# Armand du Plessis said:

Thanks for testing it Matt! Glad it's working for you.

Wednesday, October 18, 2006 4:32 PM