RE: More questions about WSE 3 (Kerb policy) in a Web Farm



Hi Anthony,

It sounds like you may already have studied the technical supplement to the
Web Service Security Guide, but in case not, have a look here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wss_ch7_kerbtechsupp.asp.
You should read about Service Principal Names pretty carefully or you are
likely to miss something important - at least that was my experience ;-)

In terms of delegation, your service account running the Web site should be
trusted for delegation if you use Kerberos, or it won't be able to move your
user's identity forward to the Web service. (Note that if you are at Windows
2003 functional level in your AD you may narrow down for which services
delegation is allowed.)

If you don't want to impersonate on your web client - which you must do, at
least when you set the Kerberos token - you may use a different WSE policy
assertion. I suggest using usernameForCertificateSecurity, which out of the box
will validate the username/password against your AD, and you'll never need to
impersonate again. And it will work on both IIS 5 (XP) and IIS 6 without any
SPN magic!

Niels
http://blog.flensted-jensen.com
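The two client-side WSE 3.0 policy assertions discussed above, side by side in one wse3policyCache.config, as an added example that is not part of the original posts: the kerberosSecurity policy needs the targetPrincipal to match an SPN registered on the domain account the farm's service runs under (and an impersonating ASP.NET client), while usernameForCertificateSecurity needs only the service's X.509 certificate on the client. The SPN HTTP/ws.example.local, the account name and the certificate subject are placeholders.

```xml
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="kerberosSecurity"
               type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="usernameForCertificateSecurity"
               type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>

  <!-- Option 1: Kerberos. targetPrincipal must be an SPN registered on the
       domain account that runs the web service in the farm, e.g.
       "setspn -A HTTP/ws.example.local EXAMPLE\svc_ws" (placeholder names).
       The calling ASP.NET site must impersonate so the user's own ticket is used. -->
  <policy name="KerberosClientPolicy">
    <kerberosSecurity establishSecurityContext="true" renewExpiredSecurityContext="true"
                      requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt"
                      requireDerivedKeys="true" ttlInSeconds="300">
      <token>
        <kerberos targetPrincipal="HTTP/ws.example.local" impersonationLevel="Impersonation" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>

  <!-- Option 2: username/password protected by the service's certificate.
       No SPN and no client-side impersonation; the service validates the
       credentials (against AD by default). Certificate subject is a placeholder. -->
  <policy name="UsernameClientPolicy">
    <usernameForCertificateSecurity establishSecurityContext="true" renewExpiredSecurityContext="true"
                                    requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt"
                                    requireDerivedKeys="true" ttlInSeconds="300">
      <serviceToken>
        <x509 storeLocation="LocalMachine" storeName="My"
              findValue="CN=ws.example.local" findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
    <requireActionHeader />
  </policy>
</policies>
```

Before choosing the Kerberos policy, confirm the SPN is registered exactly once in the domain (a duplicate SPN on two accounts breaks ticket issuance for the farm).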

"Anthony Yott" wrote:

Folks, I need some help if anyone has any ideas.

Scenario
==========================
In my case, the server app is an ASP.NET 2.0 Web Service on Windows 2003
using WSE 3.0 and Kerberos policy. The client will be an ASP.NET 2.0 Web site
that will be located on either a Win 2000 or Win 2003 machine. The Web
Service and Web Sites will be located on separate machines in the SAME
domain.

Questions
============================
1.) I know I'm supposed to create an SPN for a domain account and run the
web service under that account in the farm. The question is: do I create an
"arbitrary" SPN or do I create a "host" SPN? Can I create both for a single
domain account? Should I?

2.) Does the SPN Identity that the web services run under need delegation,
etc?

3.) What special considerations are needed on the client (ASP.NET 2.0 web)?
i.e., do they need to run under the SPN account? Do they have to have
delegation? In testing on my machine (Win XP), if the client was ASP.NET I
had to impersonate (either in web.config or in code) in order to make the
call work correctly.

Any help would be greatly appreciated

Thanks in advance,
Anthony Yott

--
Anthony Yott
