Re: WSE 3.0 Kerberos Auth and issue with Windows XP ASPNET Account
- From: "Pablo Cibraro" <pcibraro@xxxxxxxxxxx>
- Date: Wed, 21 Dec 2005 15:02:46 -0300
Hi Cesar,
You can find good documentation regarding this topic in the following link
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch7_KerbTechSupp.asp

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
http://www.lagash.com

"CESAR DE LA TORRE [MVP]" <cdltll@xxxxxxxxxxx> wrote in message
news:55BFA492-4DEA-4015-B2FA-32899068B02B@xxxxxxxxxxxxxxxx
> I am using WSE 3.0 with Visual Studio 2005, specifically I'm using Kerberos
> authentication and passing Kerberos ticket from Presentation Tier (VSTO.2005
> client) to Server Tier through our Web Services (based on WSE 3.0).
>
> Having our WSE 3.0-WebService over Windows Server 2003, everything works
> great, but, over Windows XP, I have a problem (which is documented in WSE
> 3.0 help) but its workaround does not work properly (at least with my
> current testing).
>
> The problem is that ASP.NET default user in Windows XP (ASPNET user account)
> does not have privileges enough for running Kerberos authentication over WSE
> 3.0 Web Services, so, by default, using ASPNET account, it does not work (we
> get WSE910 exception).
>
> There is a MSFT sample where you can test it (WSSecurityKerberos) provided
> with WSE 3.0 Setup.
>
> Also, WSE samples Help documentation says the same, and gives a workaround:
>
> ======================================================================
> Running the Kerberos Sample - WSSecurityKerberos
> On Microsoft® Windows® XP and Microsoft® Windows® 2000 Server, the Kerberos
> Security sample (WSSecurityKerberos) requires additional higher privilege
> settings for the ASPNET account. There are several ways to enable this. One
> is to give ASPNET account "Act as part of Operating System" privilege using
> Local Security Setting, and then reboot the system. Another alternative is
> to modify machine.config by setting the username attribute equal to "system"
> in the ProcessModel element, and then reset IIS.
>
> NOTE: By default the policy version of the WSSecurityKerberos does not work
> and throws an exception. This is because the machine name where the service
> is running needs to be updated in the wse3policyCache.config in the
> WSSecurityKerberosPolicyClient project to the machine where the service is
> installed.
> ======================================================================
>
> Using SYSTEM account as aspnet_wp.exe WinXP-IIS pool process identity
> (changing machine.config) with WSE 3.0-Kerberos over Windows XP, does work
> properly, BUT, the problem we have is that we DO NEED to run our XML Web
> Service with any account (like ASPNET) except SYSTEM account (because we'll
> need to use also AzMan / Authentication Manager and it does not work with
> SYSTEM account over Windows XP, but this shouldn't be part of this
> question.). The behaviour I am describing you can reproduce it just with
> WSSecurityKerberos sample, without using AzMan within the same project.
>
> So, taking a simple look, our solution would be changing ASPNET privileges,
> enabling it to "Act as part of Operating System", using its Local Policy
> "Act as part of Operating System".
>
> BUT, we have made it, rebooted the machine, but it does not work at all (we
> get same exception). I have tested it in several Windows XP-SP2 machines
> with no luck. So, do we need to do anything else to make it work with ASPNET
> account? (We already gave ASPNET account "Act as part of Operating System"
> privilege using Local Security Setting).
>
> Down below you can read my different environments:
>
> Development Environment:
> - Windows XP - SP2 (English US)
> - Visual Studio 2005 Team Developer Edition (English US)
> - WSE 3.0 (English US)
> - IIS as Web server (it seems WSE does not work with cassini
>   (VS.2005 Web Server).)
>
> Future Production Environment
> On the other hand, as I said, WSE 3.0-Kerberos works properly with Windows
> Server 2003-SP1 and IIS 6.0 Pool process (w3wp.exe) default identity
> (NETWORK SERVICE).
>
> So, to sum up:
> Do I need to do anything else to make WSE 3.0 work with ASPNET account over
> Windows XP - SP2? (I already gave ASPNET account "Act as part of Operating
> System" privilege using Local Security Setting and re-booted my machines).
>
> Thanks in advance,
>
> César de la Torre
> [Microsoft MVP - XML Web Services]
> [MCSE] [MCT]
> Software Architect
>
> Renacimiento
> Microsoft GOLD Certified Partner
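
An added example, not part of the original thread or of the WSE documentation: one way to confirm from exported local policy whether an account is actually listed under "Act as part of the operating system" (`SeTcbPrivilege`), and to audit who else holds it. It assumes the policy was exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the sample text, the SID and the function names are constructed for illustration.

```python
import configparser

TCB = "SeTcbPrivilege"  # internal name of "Act as part of the operating system"

# Constructed sample of the text written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# The SID below is made up. A real export is normally UTF-16, so read it
# with open("rights.inf", encoding="utf-16").read().
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1006
SeServiceLogonRight = ASPNET,*S-1-5-20
[Version]
signature="$CHICAGO$"
Revision=1
"""


def privilege_holders(inf_text, privilege):
    """Return the principals (names or *SIDs) listed for one user right."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep privilege names case-sensitive
    parser.read_string(inf_text)
    raw = parser.get("Privilege Rights", privilege, fallback="")
    return [p.strip() for p in raw.split(",") if p.strip()]


def holds(inf_text, privilege, name, sid):
    """True if the account appears under the right, by name or by SID."""
    wanted = {name.lower(), "*" + sid.lower()}
    for entry in privilege_holders(inf_text, privilege):
        # Names may be exported as MACHINE\\name; compare the last component.
        if entry.lower().rsplit("\\", 1)[-1] in wanted:
            return True
    return False


if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1006"  # constructed
    print("TCB holders:", privilege_holders(SAMPLE_INF, TCB))
    print("ASPNET holds TCB:", holds(SAMPLE_INF, TCB, "ASPNET", sid))
```

Because `SeTcbPrivilege` lets a process act with operating-system level trust, the holder list is worth reviewing on any machine where it has been granted to a web worker account.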