Re: making a Web Request from my server
- From: mc <mc@xxxxxxxxxxxxxxxx>
- Date: Wed, 09 Jan 2008 12:03:47 +0000
Sorry this one dropped off my radar slightly.
I'm aware of the double hop issue and thought I had it covered; we currently authenticate via the same server against remote databases as the impersonated user fine.
If we assume (and I know it's a big assumption) that I've got the Kerberos setting of the originating web server correct, would I need to reconfigure the servers that I'm connecting to?
This is now a purely academic question as it's unlikely that I will have the time (and funding) to complete as planned.
The interim solution was to open a raw TCP/IP socket to port 80; if it fails, assume the system is down. This is mostly successful but doesn't deal with an app pool that has been suspended, as that still accepts connections.
Steven Cheng[MSFT] wrote:
Hi MC,
Any progress on this issue? If there is anything else we can help with, please feel free to post here.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
Date: Wed, 19 Dec 2007 03:14:28 GMT
Subject: RE: making a Web Request from my server
Hi MC,
As for this issue, since you mentioned that the webrequest call in VS Test Server works, but fails in the deployment environment (in IIS), I think it is likely caused by a security account problem.
When running in VS Test Server, the application is running under your logon user account (maybe a domain account) that can be forwarded to a remote machine.
However, in IIS server, the running process account is the IIS service account, which may be a local account. As you said, you've used "windows authentication" and impersonate the client user. This can only make the worker thread (for processing each request) run under the client impersonated user, but if you make a remote access (such as a webrequest call or accessing a remote file share), the security identity impersonated from the client authenticated user cannot be forwarded to a further remote machine. This is called the "double hop" limitation.
For your scenario, I think the reasonable way to resolve the problem is either:
** use a domain account as the process account for your ASP.NET application in IIS
** programmatically impersonate (need username password credentials) when you want to send remote webrequest call
#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998351.aspx
If you want more info about double hop issue, you can have a look at the following links:
http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx
http://blogs.msdn.com/nunos/archive/2004/03/12/88468.aspx
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
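The second option above (programmatic impersonation) combined with an HTTP-level check in place of the raw port-80 connect, as an added example that is not code from the thread or from Microsoft. It targets .NET Framework; the class name `RemoteSiteProbe`, the method `Probe` and its parameters are hypothetical, and the probe account's credentials are assumed to come from a protected configuration store rather than source code.

```csharp
using System;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class RemoteSiteProbe   // hypothetical helper, not part of any library
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns the HTTP status the remote site gives the probe account. A raw TCP
    // connect only proves the listener is up; this shows whether the application answers.
    public static HttpStatusCode Probe(string url, string user, string domain, string password)
    {
        IntPtr token;
        // A fresh logon on this server holds its own network credentials, so the
        // outbound call is a first hop and does not depend on delegation.
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsIdentity id = new WindowsIdentity(token))
            using (WindowsImpersonationContext ctx = id.Impersonate())
            {
                HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
                req.Credentials = CredentialCache.DefaultCredentials; // the impersonated account
                req.Timeout = 5000;                                   // milliseconds
                try
                {
                    using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                        return resp.StatusCode;
                }
                catch (WebException ex)
                {
                    // 4xx/5xx arrive as exceptions; surface the status instead.
                    HttpWebResponse err = ex.Response as HttpWebResponse;
                    if (err == null) throw;      // no HTTP answer at all (timeout, refused)
                    using (err) return err.StatusCode;
                }
            } // disposing ctx reverts the thread to its previous identity
        }
        finally { CloseHandle(token); }          // WindowsIdentity keeps its own duplicate
    }
}
```

Give the probe account only the rights needed to read the monitored page, since its password is held by the web server.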