Passport 3.0

Since 1 April 2006, Microsoft has begun removing the old way of authenticating, called 'Passport 1.4', and has replaced it with 'Passport 3.0'. Every client that still uses Passport 1.4 will eventually receive 401 Unauthorized responses, whether using SSL or not, with an 'Account locked out' message.

The new way of authenticating uses SOAP.

Unlike Passport 1.4, only SSL works successfully. Otherwise you will receive an error (S:ClientInvalid Request).

SOAP Request

The target URL for the SOAP request is https://loginnet.passport.com/RST.srf. The server does not discriminate on User Agent.

You will need the tweener ticket from the USR TWN S command received from the NS. URL decode the ticket, then replace the commas (,) with ampersands (&). You must then XML encode (HTML encode) the username, password and ticket.

Below is an example of the SOAP request sent to the server by the official client.

POST /RST.srf HTTP/1.1\r\n
Accept: text/*\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n
Host: loginnet.passport.com\r\n
Content-Length: 3098\r\n
Connection: Keep-Alive\r\n
Cache-Control: no-cache\r\n
\r\n
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing" xmlns:wssc="http://schemas.xmlsoap.org/ws/2004/04/sc" xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust">
  <Header>
    <ps:AuthInfo xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" Id="PPAuthInfo">
      <ps:HostingApp>{7108E71A-9926-4FCB-BCC9-9A9D3F32E423}</ps:HostingApp>
      <ps:BinaryVersion>4</ps:BinaryVersion>
      <ps:UIVersion>1</ps:UIVersion>
      <ps:Cookies></ps:Cookies>
      <ps:RequestParams>AQAAAAIAAABsYwQAAAAzMDg0</ps:RequestParams>
    </ps:AuthInfo>
    <wsse:Security>
       <wsse:UsernameToken Id="user">
         <wsse:Username>alice@passport.com</wsse:Username>
         <wsse:Password>password</wsse:Password>
       </wsse:UsernameToken>
    </wsse:Security>
  </Header>
  <Body>
    <ps:RequestMultipleSecurityTokens xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" Id="RSTS">
      <wst:RequestSecurityToken Id="RST0">
        <wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType>
        <wsp:AppliesTo>
          <wsa:EndpointReference>
            <wsa:Address>http://Passport.NET/tb</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
      </wst:RequestSecurityToken>
      <wst:RequestSecurityToken Id="RST1">
       <wst:RequestType>http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue</wst:RequestType>
        <wsp:AppliesTo>
          <wsa:EndpointReference>
            <wsa:Address>messenger.msn.com</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <wsse:PolicyReference URI="?lc=1033&amp;id=507&amp;tw=40&amp;fs=1&amp;ru=http://messenger.msn.com&amp;ct=1144076956&amp;kpp=1&amp;kv=7&amp;ver=2.1.6000.1&amp;rn=NgNNrtGr&amp;tpf=de8dd66124cd310ab344aa850bc5aa9b"></wsse:PolicyReference>
      </wst:RequestSecurityToken>
    </ps:RequestMultipleSecurityTokens>
  </Body>
</Envelope>

SOAP Response

Redirect

Just as with Passport 1.4, you may get redirected to a new server. Simply connect to the new server (indicated in bold below) and re-submit your SOAP request (above).

HTTP/1.1 200 OK\r\n
Connection: close\r\n
Date: Mon, 03 Apr 2006 15:09:17 GMT\r\n
Server: Microsoft-IIS/6.0\r\n
PPServer: PPV: 30 H: BAYPPLOGN3B12 V: 0\r\n
Content-Type: text/html; charset=iso-8859-1\r\n
Expires: Mon, 03 Apr 2006 15:08:17 GMT\r\n
Cache-Control: no-cache\r\n
Pragma: no-cache\r\n
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"\r\n
Content-Length: xxx\r\n
\r\n
<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsse='http://schemas.xmlsoap.org/ws/2002/04/secext' xmlns:psf='http://schemas.microsoft.com/Passport/SoapServices/SOAPFault'>
  <S:Header>
    <psf:pp xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
      <psf:serverVersion>1</psf:serverVersion>
      <psf:authstate>0x80048800</psf:authstate>
      <psf:reqstatus>0x80048852</psf:reqstatus>
      <psf:serverInfo Path="Live1" RollingUpgradeState="Unknown" LocVersion="0" ServerTime="2006-07-20T06:06:59Z">TK2PPMLOG3B05 2006.05.16.18.44.49</psf:serverInfo>
      <psf:cookies/>
      <psf:response/>
    </psf:pp>
  </S:Header>
  <S:Fault>
    <faultcode>psf:Redirect</faultcode>
    <psf:redirectUrl>https://login.live.com/pp400/RST.srf</psf:redirectUrl>
    <faultstring>Authentication Failure</faultstring>
  </S:Fault>
</S:Envelope>

Success

If all went well, you will receive the following reply from the server. If the username or password were incorrect, you will receive a SOAP:Fault reply for each sub-request ("RequestSecurityToken") that failed.

Remember to XML decode (HTML decode) the token received (in bold below)!

HTTP/1.1 200 OK\r\n
Connection: close\r\n
Date: Mon, 03 Apr 2006 15:09:17 GMT\r\n
Server: Microsoft-IIS/6.0\r\n
PPServer: PPV: 30 H: BAYPPLOGN3B12 V: 0\r\n
Content-Type: text/html; charset=iso-8859-1\r\n
Expires: Mon, 03 Apr 2006 15:08:17 GMT\r\n
Cache-Control: no-cache\r\n
Pragma: no-cache\r\n
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"\r\n
Content-Length: 6495\r\n
\r\n
<?xml version="1.0" encoding="utf-8" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <psf:pp xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
      <psf:serverVersion>1</psf:serverVersion>
      <psf:PUID>  See Protocols/MSNP/Passport Unique ID for more info  </psf:PUID>
      <psf:configVersion>3.0.869.0</psf:configVersion>
      <psf:uiVersion>3.0.869.0</psf:uiVersion>
      <psf:authstate>0x48803</psf:authstate>
      <psf:reqstatus>0x0</psf:reqstatus>
      <psf:serverInfo Path="Live1" RollingUpgradeState="ExclusiveNew" LocVersion="0" ServerTime="2006-04-03T15:09:17Z">BAYPPLOGN3B12 2006.01.27.13.57.29</psf:serverInfo>
      <psf:cookies/>
      <psf:response/>
    </psf:pp>
  </S:Header>
  <S:Body>
    <wst:RequestSecurityTokenResponseCollection xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust" xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy" xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
      <wst:RequestSecurityTokenResponse>
        <wst:TokenType>urn:passport:legacy</wst:TokenType>
        <wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
          <wsa:EndpointReference>
            <wsa:Address>http://Passport.NET/tb</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <wst:LifeTime>
          <wsu:Created>2006-04-03T15:09:17Z</wsu:Created>
          <wsu:Expires>2006-04-04T15:09:17Z</wsu:Expires>
        </wst:LifeTime>
        <wst:RequestedSecurityToken>
          <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="BinaryDAToken0" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <EncryptionMethod algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"></EncryptionMethod>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:KeyName>http://Passport.NET/STS</ds:KeyName>
            </ds:KeyInfo>
            <CipherData>
              <CipherValue>AfiQDIvIPHyZ/aJmpm/hoaJCzRMYbhNZT1VZDvuoYuXpWLBVCa+dHstPX7/3qaq0YbAzROTU6mi0ovQ6BYOVD8tgwb3yzfdm6OMd77RWKpZMMc3sLKEbxzutc6tpG7euj0Y5nlIyCRUFJATcqpvOOFS3EYchcOe7UG5si/w+4CUnPk+YG/X2+lJt6yEaD7+oxu7vCueResAJoqwi2fOu/3hSh0k9Meqd4QYmaijkLZT3jy+GQu/8Jku6f+o0DiKoQzg0JYfaKV7ROfznRXWxUoUiigv7EiAcgG+Ri9kaB0E54QecOuh23mCoiowVdDexh19Ep24Am1KexozOXuLdwEsO5S3IHSdC0xZzFl3Fa4XKRFeEfeYJ6OFvTu9FoiLq+c9XX7OmroVbaOWE1Bi4C8es2bObPjkxg5JEl2M6vFlWEJUbTQ==</CipherValue>
            </CipherData>
          </EncryptedData>
        </wst:RequestedSecurityToken>
        <wst:RequestedTokenReference>
          <wsse:KeyIdentifier ValueType="urn:passport"></wsse:KeyIdentifier>
          <wsse:Reference URI="#BinaryDAToken0"></wsse:Reference>
        </wst:RequestedTokenReference>
        <wst:RequestedProofToken>
          <wst:BinarySecret>UDmOO8Ep5vU+vQUjcziMW6fI43rIeKLD</wst:BinarySecret>
        </wst:RequestedProofToken>
      </wst:RequestSecurityTokenResponse>
      <wst:RequestSecurityTokenResponse>
        <wst:TokenType>urn:passport:legacy</wst:TokenType>
        <wsp:AppliesTo xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
          <wsa:EndpointReference>
            <wsa:Address>messenger.msn.com</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <wst:LifeTime>
          <wsu:Created>2006-04-03T15:09:17Z</wsu:Created>
          <wsu:Expires>2006-04-03T15:17:37Z</wsu:Expires>
        </wst:LifeTime>
        <wst:RequestedSecurityToken>
          <wsse:BinarySecurityToken Id="PPToken1">t=7rl6lZ8V0AwqPJX7V0sI7UTeVeSI2IsNyUs54yhGxkw75Wk3FKmZPRlt5HRk5zTutPTRdA4Z0HZlSEzrNDATrJkbticILv0GB7UV1hs18Lv3!htfM2GRQhudbsLMYI2Tylbfp!3WDZYNo$&amp;p=7p*vh1jxRHI5149VnAwA9pzqQhV4NspMqdEpizzDolZdz6lDrkjisFoc4tKXlmxb5dIe7JKgr5Qmr8ULvHcU0bX6XUbcVQ4ra1dkLzpNltx47fkxjHLMJJiCFq*uOn9ijQLDNtw752hZvd0duHXMygF3y9rKDMhr27*WSs!10nbysjJ7gn70SyRWibFc1rnQlRHyCdf6ZTBhw$</wsse:BinarySecurityToken>
        </wst:RequestedSecurityToken>
        <wst:RequestedTokenReference>
          <wsse:KeyIdentifier ValueType="urn:passport"></wsse:KeyIdentifier>
          <wsse:Reference URI="#PPToken1"></wsse:Reference>
        </wst:RequestedTokenReference>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </S:Body>
</S:Envelope>

Example code

The following code has been written in pseudo code, and can be freely translated to any language, such as PHP, Perl, C, C#, etc.

var url = "https://loginnet.passport.com/RST.srf";

var ticket = url_decode("lc=1033,id=507,tw=40,fs=1,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1144678795,kpp=1,kv=7,ver=2.1.6000.1,rn=henwjH6T,tpf=9fae2e057425cab598a766a38ccd447a");
    ticket = string_replace(ticket, ",", "&");

var body = "<?xml ..... " +
           // Snip!
           "<wsse:Username>" + html_encode(user) + "</wsse:Username>" +
           "<wsse:Password>" + html_encode(password) + "</wsse:Password>" +
           // Snip!
           "<wsse:PolicyReference URI=\"?" + html_encode(ticket) + "\"></wsse:PolicyReference>" +
           // Snip!
           "</Envelope>";

var request = new HTTPRequest(url);
    request->body = body;

var response = request->get_response();

if response->succeeded then
begin
  var twnticket = response->body;
      twnticket = twnticket->getbetween("<wsse:BinarySecurityToken Id="PPToken1">", "</wsse:BinarySecurityToken>");

  return html_decode(twnticket);
end
else
  throw new Exception("Could not fetch ticket");

Implementations

Example implementations of this method are available:

• C#: PP30_SecurityToken.cs (By Eon (formerly Darkener Daemon EX))
• Java: AuthTWN.java (By Tom van der Woerdt)
• Perl: AuthPP3.pm (By Siebe "Inky" Tolsma)
• PHP: tweener.class.php (By Mark "MPMC") - Info
• PHP: wlm_pp3_class.php (By Nowan190 for ToutMessenger)
• Python: TweenerAuthetication.py (By Thomas "Turtlesoup" Dimson)
• VB .NET: PP3.vb (By Jay)