RE: Using kerberosSecurity Throws Security Exception



I had the same problem and the only way I made it work is with a Domain
Account with a Custom Principal Name using SetSPN.exe utility. I reported
this issue (WSE 3.0 + XP-SP2 does not work with ASPNET account) to
Microsoft-PSS in December 2005 and currently they have not reached any
solution about it (how to make it work with ASPNET account). Maybe WSE 3.0
documentation is wrong. Currently, they passed this issue to WSE 3.0 product
group.

BTW, with Windows Server 2003 everything works great by default (using
Network Services account for IIS process pool).

So, to sum up, yes, currently, over Windows XP-SP2, WSE 3.0-Kerberos does
not work with ASPNET account. The only way is using a Domain account with a
custom principal name (using Setspn.exe utility in a DC).
This way you do not need to turn off anonymous access in IIS.

--
CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]


"J. Ambrose Little" wrote:

> On a hunch, I tried turning on identity impersonation for my web app. This
> seems to have gotten me past this hurdle.
>
> To sum up:
> Turn off anonymous access in IIS Directory Security and ensure Integrated
> authentication is on for the web app.
> Set these settings in the web.config:
> <authentication mode="Windows" />
> <identity impersonate="true" />
>
> Then do the standard WSE 3 setup.
>
> Now on to setting up the web service correctly... :)
>
> --
> J. Ambrose Little
> ASP.NET MVP/ASPInsider
> -----
> Non nobis Domine non nobis sed nomini Tuo da gloriam.
>
>
> "J. Ambrose Little" wrote:
>
> > I've tried to implement the kerberosSecurity turnkey scenario on my apps, and
> > I'm getting the following exception when I try to set the policy.
> >
> > Description: The application attempted to perform an operation not allowed
> > by the security policy. To grant this application the required permission
> > please contact your system administrator or change the application's trust
> > level in the configuration file.
> >
> > Exception Details: System.Security.SecurityException:
> > InitializeSecurityContext call failed with the following error message: A
> > specified logon session does not exist. It may already have been terminated.
> >
> > This is running on XP SP2, and I have granted ASPNET the right to Act as
> > part of the OS (and subsequently rebooted). I have integrated authentication
> > turned on for the web app (the client of my web service).
> >
> > What I am trying to achieve is flowing the integrated auth security token to
> > my web service. My client policy (on my web app) is below.
> >
> > <policies>
> >   <extensions>
> >     <extension name="kerberosSecurity"
> >                type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> >   </extensions>
> >   <policy name="KerberosClientPolicy">
> >     <kerberosSecurity establishSecurityContext="false"
> >                       renewExpiredSecurityContext="true" signatureConfirmation="false"
> >                       protectionOrder="SignBeforeEncrypting" deriveKeys="false" actor="">
> >       <token>
> >         <kerberos targetPrincipal="host/DGP1FR51"
> >                   impersonationLevel="Identification" />
> >       </token>
> >       <protection>
> >         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
> >                  encryptBody="true" />
> >         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
> >                   encryptBody="true" />
> >         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
> >                encryptBody="false" />
> >       </protection>
> >     </kerberosSecurity>
> >   </policy>
> > </policies>
> >
> > The target machine is local and is hosting a simple web service (this is
> > just a proof of concept app).
> >
> > What else am I missing, or will the kerberos turnkey assertion not work with
> > a web app client?
> >
> > --
> > J. Ambrose Little
> > ASP.NET MVP/ASPInsider
> > -----
> > Non nobis Domine non nobis sed nomini Tuo da gloriam.
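
An added example, not part of the original thread or of WSE itself: a small check that every `targetPrincipal` in a WSE 3.0 policy file shaped like the one quoted above appears in the `setspn -L` listing for a given account. The account name, the `WSEService/DGP1FR51` SPN and the sample `setspn -L` output are constructed placeholders, and the check assumes the policy's `targetPrincipal` should name an SPN registered to that account.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down client policy in the shape posted in the thread.
POLICY_XML = """<policies>
  <policy name="KerberosClientPolicy">
    <kerberosSecurity establishSecurityContext="false">
      <token>
        <kerberos targetPrincipal="host/DGP1FR51" impersonationLevel="Identification" />
      </token>
    </kerberosSecurity>
  </policy>
</policies>"""

# Constructed sample of `setspn -L <account>` output; account and SPN are placeholders.
SETSPN_OUTPUT = (
    "Registered ServicePrincipalNames for CN=svc-wse,CN=Users,DC=example,DC=local:\n"
    "\tWSEService/DGP1FR51\n"
)

def _local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def policy_target_principals(policy_xml):
    """Return (policy name, targetPrincipal) for every <kerberos> token element."""
    found = []
    for policy in ET.fromstring(policy_xml).iter():
        if _local(policy.tag) != "policy":
            continue
        for el in policy.iter():
            if _local(el.tag) == "kerberos" and el.get("targetPrincipal"):
                found.append((policy.get("name", ""), el.get("targetPrincipal")))
    return found

def registered_spns(setspn_output):
    """SPNs listed by `setspn -L`: the indented lines under the header line."""
    return {line.strip().lower() for line in setspn_output.splitlines()
            if line[:1].isspace() and line.strip()}

def unregistered_targets(policy_xml, setspn_output):
    """targetPrincipal values absent from the account's SPN list (case-insensitive)."""
    known = registered_spns(setspn_output)
    return [spn for _, spn in policy_target_principals(policy_xml)
            if spn.lower() not in known]

if __name__ == "__main__":
    for spn in unregistered_targets(POLICY_XML, SETSPN_OUTPUT):
        print("policy targets an SPN not registered to this account:", spn)
```
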