RE: Using kerberosSecurity Throws Security Exception
- From: "josh" <josh@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 19 Jan 2006 16:18:06 -0800
I am experiencing this error while trying to use a Windows XP client
application to access a web service located on a W2k3 server. If I run the
client app on the server, it works fine. I thought since the service was
running on the server it should work even with an XP client app, but I can't
get it working. The documentation says to "Configure constrained
delegation", but I don't think I want that. I'm just trying to use the
Kerberos turnkey assertion in its simplest form. Thanks!
josh
"CESAR DE LA TORRE [MVP]" wrote:
> I had the same problem and the only way I made it work is with a Domain
> Account with a Custom Principal Name using SetSPN.exe utility. I reported
> this issue (does not work WSE 3.0 + XP-SP2 with ASPNET account) to
> Microsoft-PSS in December 2005 and currently they have not reached any
> solution about it (how to make it work with ASPNET account). Maybe the WSE 3.0
> documentation is wrong. Currently, they passed this issue to WSE 3.0 product
> group.
>
> BTW, with Windows Server 2003 everything works great by default (using
> Network Services account for IIS process pool).
>
> So, to sum up, yes, currently, over Windows XP-SP2, WSE 3.0-Kerberos does
> not work with ASPNET account. The only way is using a Domain account with a
> custom principal name (using Setspn.exe utility in a DC).
> This way you do not need to turn off anonymous access in IIS.
>
> --
> CESAR DE LA TORRE
> Software Architect
> [Microsoft MVP - XML Web Services]
> [MCSE] [MCT]
>
> Renacimiento
> [Microsoft GOLD Certified Partner]
>
>
> "J. Ambrose Little" wrote:
>
> > On a hunch, I tried turning on identity impersonation for my web app. This
> > seems to have gotten me past this hurdle.
> >
> > To sum up:
> > Turn off anonymous access in IIS Directory Security and ensure Integrated
> > authentication is on for the web app.
> > Set these settings in the web.config:
> > <authentication mode="Windows" />
> > <identity impersonate="true" />
> >
> > Then do the standard WSE 3 setup.
> >
> > Now on to setting up the web service correctly... :)
> >
> > --
> > J. Ambrose Little
> > ASP.NET MVP/ASPInsider
> > -----
> > Non nobis Domine non nobis sed nomini Tuo da gloriam.
> >
> >
> > "J. Ambrose Little" wrote:
> >
> > > I've tried to implement the kerberosSecurity turnkey scenario on my apps, and
> > > I'm getting the following exception when I try to set the policy.
> > >
> > > Description: The application attempted to perform an operation not allowed
> > > by the security policy. To grant this application the required permission
> > > please contact your system administrator or change the application's trust
> > > level in the configuration file.
> > >
> > > Exception Details: System.Security.SecurityException:
> > > InitializeSecurityContext call failed with the following error message: A
> > > specified logon session does not exist. It may already have been terminated.
> > >
> > > This is running on XP SP2, and I have granted ASPNET the right to Act as
> > > part of the OS (and subsequently rebooted). I have integrated authentication
> > > turned on for the web app (the client of my web service).
> > >
> > > What I am trying to achieve is flowing the integrated auth security token to
> > > my web service. My client policy (on my web app) is below.
> > >
> > > <policies>
> > >   <extensions>
> > >     <extension name="kerberosSecurity"
> > >       type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
> > >   </extensions>
> > >   <policy name="KerberosClientPolicy">
> > >     <kerberosSecurity establishSecurityContext="false"
> > >       renewExpiredSecurityContext="true" signatureConfirmation="false"
> > >       protectionOrder="SignBeforeEncrypting" deriveKeys="false" actor="">
> > >       <token>
> > >         <kerberos targetPrincipal="host/DGP1FR51"
> > >           impersonationLevel="Identification" />
> > >       </token>
> > >       <protection>
> > >         <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
> > >         <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
> > >         <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
> > >       </protection>
> > >     </kerberosSecurity>
> > >   </policy>
> > > </policies>
> > >
> > > The target machine is local and is hosting a simple web service (this is
> > > just a proof of concept app).
> > >
> > > What else am I missing, or will the kerberos turnkey assertion not work with
> > > a web app client?
> > >
> > > --
> > > J. Ambrose Little
> > > ASP.NET MVP/ASPInsider
> > > -----
> > > Non nobis Domine non nobis sed nomini Tuo da gloriam.
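
An added example, not part of the thread and not WSE code: a small Python check that reads a WSE 3.0 policy document like the one quoted above, extracts each `<kerberos>` token's `targetPrincipal` and `impersonationLevel`, and splits the SPN into service class and host so it can be compared with the SPNs registered (via Setspn.exe) on the account that actually runs the service. The function names, the finding format and the treatment of `Delegation` as the delegation-requesting value are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the client policy quoted in the thread, trimmed to the token element.
SAMPLE_POLICY = """<policies>
  <policy name="KerberosClientPolicy">
    <kerberosSecurity establishSecurityContext="false">
      <token>
        <kerberos targetPrincipal="host/DGP1FR51" impersonationLevel="Identification" />
      </token>
    </kerberosSecurity>
  </policy>
</policies>"""

def local(tag):
    """Element name without any XML namespace, so files with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]

def parse_spn(spn):
    """Split 'serviceclass/host[:port][/name]' into (class, host); None if malformed."""
    service_class, sep, rest = spn.partition("/")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if not sep or not service_class or not host:
        return None
    return service_class, host

def audit_policy(xml_text):
    """Return one finding dict per <kerberos> token found inside a <policy> element."""
    findings = []
    for policy in ET.fromstring(xml_text).iter():
        if local(policy.tag) != "policy":
            continue
        for el in policy.iter():
            if local(el.tag) != "kerberos":
                continue
            spn = el.get("targetPrincipal", "")
            parsed, notes = parse_spn(spn), []
            if parsed is None:
                notes.append("targetPrincipal is not in serviceclass/host form")
            elif parsed[0].lower() == "host":
                # HOST SPNs are held by the computer account; a service run under a
                # domain user account needs its own SPN and a matching value here.
                notes.append("host/ SPN belongs to the machine account")
            if el.get("impersonationLevel") == "Delegation":  # assumed value name
                notes.append("Delegation requested; delegation must be configured")
            findings.append({"policy": policy.get("name"), "spn": spn, "parsed": parsed,
                             "level": el.get("impersonationLevel"), "notes": notes})
    return findings

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```
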