Re: UserName and Kerberos tokens at the same time
- From: "CESAR DE LA TORRE [MVP]" <cdltll@xxxxxxxxxxx>
- Date: Wed, 21 Dec 2005 09:58:03 -0800
The only way I found to make the WSSecurityKerberosPolicyService and
WSSecurityKerberosCodeService samples work is changing the IIS worker process
identity to run as the SYSTEM account. You need to change it in machine.config
like the following:
<processModel enable="true" userName="SYSTEM" password="AutoGenerate"/>
That way, it works properly.
It should also work with any other account like ASPNET by granting the "Act as
part of Operating System" privilege to that account, but I cannot make it
work unless using the SYSTEM account... :-(
--
CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]
Renacimiento
[Microsoft GOLD Certified Partner]
"Steven Cheng[MSFT]" wrote:
> Hi Henrik,
>
> So far I can't find any other effective means to troubleshoot the problem.
> Would you try the sample Kerberos application on another machine (server
> and client on the same machine) and in a proper domain environment and test
> again? Anyway, I think we need to make the example work first ...
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>
> --------------------
> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
> References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx>
> <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx>
> <dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxx>
> <OS79EfF9FHA.1484@xxxxxxxxxxxxxxxxxxxx>
> <7SHqboN9FHA.4000@xxxxxxxxxxxxxxxxxxxxx>
> <eG42Y8R9FHA.3416@xxxxxxxxxxxxxxxxxxxx>
> <t5c47rn9FHA.4028@xxxxxxxxxxxxxxxxxxxxx>
> <Osge9Tr9FHA.4036@xxxxxxxxxxxxxxxxxxxx>
> <#WX2Nuz9FHA.2708@xxxxxxxxxxxxxxxxxxxx>
> <dGWW$H09FHA.1236@xxxxxxxxxxxxxxxxxxxxx>
> <OFxSGH19FHA.3312@xxxxxxxxxxxxxxxxxxxx>
> <F9K7keZ#FHA.1236@xxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: UserName and Kerberos tokens at the same time
> Date: Tue, 6 Dec 2005 21:36:05 +0100
> Lines: 568
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> X-RFC2646: Format=Flowed; Original
> Message-ID: <u0JfvSq#FHA.2520@xxxxxxxxxxxxxxxxxxxx>
> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> NNTP-Posting-Host: 80.63.142.94
> Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
> Xref: TK2MSFTNGXA02.phx.gbl
> microsoft.public.dotnet.framework.webservices.enhancements:7866
> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
>
> Yes, the demo application is not working on my side either, and I am logged
> in as a domain user. I have no problems accessing other network resources.
> Actually, another strange thing is that the UsernameToken example is working
> with no problems; I can verify against AD on the server side.
>
> Thanks Henrik
>
> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:F9K7keZ%23FHA.1236@xxxxxxxxxxxxxxxxxxxxxxxx
> > Thanks for your response Henrik,
> >
> > What makes me feel a bit strange is that the WSE 3.0 Kerberos demo also
> > does not work on your side. The built-in example program will pass the
> > client-side current logon user's security credential (as a Kerberos token)
> > to the server side... Are you logged on to the computer as a domain user
> > when running the client application?
> >
> > Thanks,
> >
> > Steven Cheng
> > Microsoft Online Support
> >
> > Get Secure! www.microsoft.com/security
> > (This posting is provided "AS IS", with no warranties, and confers no
> > rights.)
> >
> > --------------------
> > From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
> > References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx>
> > <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx>
> > <dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxx>
> > <OS79EfF9FHA.1484@xxxxxxxxxxxxxxxxxxxx>
> > <7SHqboN9FHA.4000@xxxxxxxxxxxxxxxxxxxxx>
> > <eG42Y8R9FHA.3416@xxxxxxxxxxxxxxxxxxxx>
> > <t5c47rn9FHA.4028@xxxxxxxxxxxxxxxxxxxxx>
> > <Osge9Tr9FHA.4036@xxxxxxxxxxxxxxxxxxxx>
> > <#WX2Nuz9FHA.2708@xxxxxxxxxxxxxxxxxxxx>
> > <dGWW$H09FHA.1236@xxxxxxxxxxxxxxxxxxxxx>
> > Subject: Re: UserName and Kerberos tokens at the same time
> > Date: Fri, 2 Dec 2005 16:05:00 +0100
> > Lines: 499
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> > X-RFC2646: Format=Flowed; Original
> > Message-ID: <OFxSGH19FHA.3312@xxxxxxxxxxxxxxxxxxxx>
> > Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> > NNTP-Posting-Host: 80.63.142.94
> > Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
> > Xref: TK2MSFTNGXA02.phx.gbl
> > microsoft.public.dotnet.framework.webservices.enhancements:7818
> > X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
> >
> > Hi Steven,
> >
> > Thanks again.
> >
> > I think that you are right because I would expect the standard examples to
> > work. I have tried it on a Windows 2003 server as well and there I get the
> > same error.
> >
> > My client is a Windows application and I can see that the Kerberos token is
> > OK, so it is something on the server side. Maybe IIS is validating
> > against a wrong source or something like that.
> >
> > Do I have to do something special on the server side (IIS, Win3K)?
> >
> > Thanks Henrik.
> >
> >
> > "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:dGWW$H09FHA.1236@xxxxxxxxxxxxxxxxxxxxxxxx
> >> Thanks for your response and further info.
> >>
> >> I think the problem is likely due to the ASP.NET environment. Is your
> >> client application (which calls the web service) also an ASP.NET
> >> application? The Kerberos security token will try to establish the
> >> security token through the current execution context's security
> >> credential, which must be a domain user account that can be authenticated
> >> by the KDC (normally just the DC). So for ASP.NET the process identity is
> >> probably not a proper account. I would suggest you try the code in a
> >> winform client or console application, since in a console or winform app
> >> the current security context is the logon user session (which is likely a
> >> domain user ...) ...
> >>
> >> Also, you can check the following notes in the WSE documentation (if your
> >> web service is on a machine other than Windows 2003 server):
> >> ====================
> >> Kerberos tokens work on computers with Windows Server 2003 or Windows XP
> >> with Service Pack 1 installed. When Windows XP is used, the account ASP.NET
> >> runs under is ASPNET by default and must be granted the Act as part of the
> >> operating system privilege. By default, the ASPNET account does not have
> >> this privilege. It is suggested that you run your Kerberos-secured Web
> >> services on Windows Server 2003. On Windows Server 2003, the Act as part of
> >> the operating system privilege is not required. On Windows XP you can
> >> configure the ASPNET account to have the Act as part of the operating
> >> system privilege using the Local Security Policy management application,
> >> but you should be aware that this affects all ASP.NET applications and
> >> results in less security for ASP.NET applications. Windows 2000 is not a
> >> supported operating system for this feature.
> >>
> >> ===================
> >>
> >> Thanks,
> >>
> >> Steven Cheng
> >> Microsoft Online Support
> >>
> >> Get Secure! www.microsoft.com/security
> >> (This posting is provided "AS IS", with no warranties, and confers no
> >> rights.)
> >>
> >>
> >>
> >> --------------------
> >> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
> >> References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx>
> >> <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx>
> >> <dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxx>
> >> <OS79EfF9FHA.1484@xxxxxxxxxxxxxxxxxxxx>
> >> <7SHqboN9FHA.4000@xxxxxxxxxxxxxxxxxxxxx>
> >> <eG42Y8R9FHA.3416@xxxxxxxxxxxxxxxxxxxx>
> >> <t5c47rn9FHA.4028@xxxxxxxxxxxxxxxxxxxxx>
> >> <Osge9Tr9FHA.4036@xxxxxxxxxxxxxxxxxxxx>
> >> Subject: Re: UserName and Kerberos tokens at the same time
> >> Date: Fri, 2 Dec 2005 13:25:57 +0100
> >> Lines: 394
> >> X-Priority: 3
> >> X-MSMail-Priority: Normal
> >> X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
> >> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> >> X-RFC2646: Format=Flowed; Response
> >> Message-ID: <#WX2Nuz9FHA.2708@xxxxxxxxxxxxxxxxxxxx>
> >> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> >> NNTP-Posting-Host: 80.63.142.94
> >> Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
> >> Xref: TK2MSFTNGXA02.phx.gbl
> >> microsoft.public.dotnet.framework.webservices.enhancements:7813
> >> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
> >>
> >> Extra info:
> >>
> >> If I run the example Kerberos solution I get a detailed error
> >> message:
> >>
> >> Microsoft.Web.Services3.Security.SecurityFault: An invalid security token
> >> was provided ---> System.Security.SecurityException: WSE594:
> >> AcceptSecurityContext call failed with the following error message: Logon
> >> failure: unknown user name or bad password. . at
> >> Microsoft.Web.Services3.Security.Tokens.Kerberos.KerberosServerContext.AcceptContext(Byte[] inToken) at
> >>
> >> Does that help you in any way?
> >>
> >> "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
> >> news:Osge9Tr9FHA.4036@xxxxxxxxxxxxxxxxxxxxxxx
> >>> Hi again Steven,
> >>>
> >>> Again, thank you very much for looking into this problem for me.
> >>>
> >>> I just tried to run my test project on a colleague's machine and he gets
> >>> the same error. I guess that there is nothing special in our environment,
> >>> we have a normal DC. I used to run Kerberos authentication in WSE for
> >>> .NET 1.1 and there it worked fine.
> >>>
> >>> I have tried to run the two Quickstart examples:
> >>> WSSecurityKerberosPolicyService and WSSecurityKerberosCodeService and
> >>> there I get the following exception (inner exception of a soap
> >>> exception)
> >>>
> >>> "Security requirements are not satisfied because the security header is
> >>> not present in the incoming message.".
> >>>
> >>> But when I run my test project which is using a custom policy I get the
> >>> following exception:
> >>>
> >>> WSE2005: Protection requirements in KerberosAssertion are not satisfied
> >>>
> >>> I guess that it basically is the same problem I am having with the two
> >>> solutions.
> >>>
> >>> I can see that the Kerberos token is being generated and assigned to the
> >>> proxy.
> >>>
> >>> I am BTW running the web service on the built-in ASP.NET Development
> >>> Server, if that has anything to do with the problem? Has it something to
> >>> do with impersonation?
> >>>
> >>> Any ideas??
> >>>
> >>> Thanks Henrik.
> >>>
> >>>
> >>> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> >>> news:t5c47rn9FHA.4028@xxxxxxxxxxxxxxxxxxxxxxxx
> >>>> Thanks for your followup Henrik,
> >>>>
> >>>> Then, it seems that the Kerberos token is not quite attached correctly
> >>>> at the client side... Have you ensured that the environment is qualified
> >>>> for using Kerberos authentication? Are you in a certain domain
> >>>> environment with a KDC (or DC....)?
> >>>>
> >>>> Regards,
> >>>>
> >>>> Steven Cheng
> >>>> Microsoft Online Support
> >>>>
> >>>> Get Secure! www.microsoft.com/security
> >>>> (This posting is provided "AS IS", with no warranties, and confers no
> >>>> rights.)
> >>>>
> >>>> --------------------
> >>>> From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
> >>>> References: <uDOvP8Q8FHA.620@xxxxxxxxxxxxxxxxxxxx>
> >>>> <eHap0QR8FHA.1000@xxxxxxxxxxxxxxxxxxxx>
> >>>> <dau3PrY8FHA.3764@xxxxxxxxxxxxxxxxxxxxx>
> >>>> <OS79EfF9FHA.1484@xxxxxxxxxxxxxxxxxxxx>
> >>>> <7SHqboN9FHA.4000@xxxxxxxxxxxxxxxxxxxxx>
> >>>> Subject: Re: UserName and Kerberos tokens at the same time
> >>>> Date: Tue, 29 Nov 2005 20:57:13 +0100
> >>>> Lines: 285
> >>>> X-Priority: 3
> >>>> X-MSMail-Priority: Normal
> >>>> X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
> >>>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> >>>> X-RFC2646: Format=Flowed; Original
> >>>> Message-ID: <eG42Y8R9FHA.3416@xxxxxxxxxxxxxxxxxxxx>
> >>>> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> >>>> NNTP-Posting-Host: 80.63.142.94
> >>>> Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
> >>>> Xref: TK2MSFTNGXA02.phx.gbl
> >>>> microsoft.public.dotnet.framework.webservices.enhancements:7770
> >>>> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
> >>>>
> >>>> Hi Steven,
> >>>>
> >>>> Thank you for your reply.
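The workaround at the top of this thread (running the worker process as SYSTEM) and the documented alternative (granting ASPNET the "Act as part of the operating system" privilege, SeTcbPrivilege) both widen the blast radius of every ASP.NET application on the host, as the quoted WSE note says. The script below is an added example, not code from the thread or from WSE, that audits a host for either condition: it reads the `<processModel>` identity from machine.config and checks the exported local security policy for SeTcbPrivilege holders. The machine.config path (a .NET 2.0-era default), the `ASPNET` account name and the use of `secedit /export` are assumptions; adjust them for the framework version and accounts actually in use.

```powershell
# Added example: audit ASP.NET worker-process identity and SeTcbPrivilege holders.
# Assumptions: .NET 2.0 machine.config location, local account named ASPNET,
# and secedit.exe available (run from an elevated prompt; secedit needs admin).

param(
    [string]$MachineConfig = "$env:windir\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config",
    [string]$AccountName   = "ASPNET"
)

function Get-ProcessModelIdentity {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "machine.config not found: $Path" }
    [xml]$cfg = Get-Content -Path $Path
    # <processModel> lives under <system.web>; absent means the IIS app-pool identity applies
    $pm = $cfg.configuration.'system.web'.processModel
    if ($null -eq $pm) { return $null }
    [pscustomobject]@{
        Enable   = $pm.enable
        UserName = $pm.userName      # e.g. 'SYSTEM', 'Machine', or an explicit account
    }
}

function Test-TcbPrivilege {
    param([string]$Account)
    # secedit lists privilege holders as *S-1-5-... entries, so resolve the account to its SID
    try {
        $nt  = New-Object System.Security.Principal.NTAccount($Account)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Cannot resolve account '$Account': $($_.Exception.Message)"
        return $null
    }
    $export = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
        # The [Privilege Rights] section has one line per privilege; no line means no holders
        $line = Select-String -Path $export -Pattern '^SeTcbPrivilege\s*=' | Select-Object -First 1
        if (-not $line) { return $false }
        return [bool]($line.Line -match [regex]::Escape("*$sid"))
    } finally {
        Remove-Item $export -ErrorAction SilentlyContinue
    }
}

$identity = Get-ProcessModelIdentity -Path $MachineConfig
if ($null -eq $identity) {
    "No <processModel> element in $MachineConfig; check the IIS application pool identity instead."
} else {
    "processModel enable=$($identity.Enable) userName=$($identity.UserName)"
    if ($identity.UserName -eq 'SYSTEM') {
        Write-Warning "Worker process runs as SYSTEM: every ASP.NET application on this host inherits full local privilege."
    }
}

$hasTcb = Test-TcbPrivilege -Account $AccountName
if ($hasTcb -eq $true) {
    Write-Warning "$AccountName holds SeTcbPrivilege: all ASP.NET applications running as it can act as part of the OS."
} elseif ($hasTcb -eq $false) {
    "$AccountName does not hold SeTcbPrivilege."
} else {
    "SeTcbPrivilege check skipped (account could not be resolved)."
}
```

Run it on the web server before and after applying the workaround; a clean result is "no `<processModel>` override (or a non-SYSTEM identity)" plus "ASPNET does not hold SeTcbPrivilege". If the Kerberos samples only work when one of the two warnings fires, the process identity is not an account the KDC can authenticate, which is the condition the WSE note describes and the reason the documentation recommends Windows Server 2003, where the privilege is not needed.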