Re: Flowing Kerberos Credentials from Browser Client to Web App to Web Service App ...




Steven --

My priorities have been adjusted; I hope to get back to this issue on
Wednesday.

As I last left off, I have 2 ASP.NET web applications running on the same
computer (W2K3 R2).

Both apps are using Integrated Windows Authentication, and have different
app pools in IIS. Each app pool is using a different Domain account as its
identity. I've run SETSPN to associate the HTTP service with *each*
identity on this computer.

Web App A is a WSE3 client of Web App B.

The basic problem is that Web App A receives 'No Logon servers available'
when it attempts, on behalf of its browser client, to call into Web App B.
The wse3policyCache.config of Web App A points its targetPrincipal to
"http/Machine" where 'Machine' is the computer name.
The <kerberosSecurity> attributes match exactly between Web App A and Web
App B (server-side) regarding messageProtectionOrder,
establishSecurityContext, etc., exactly as you show it below as it happens.

Currently, the web.config <identity> element is set to impersonate="true" in
Web App A. The browser client users are Active Directory Users on the
domain that the computer (named 'Machine') is in.

Howard

"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:uaroNARvGHA.5584@xxxxxxxxxxxxxxxxxxxxxxxx
Hello Howard,

Glad to see you again :).

How about the previous issue in another thread? I've posted some other
information about Windows AD user/certificate mapping. Does that help
some?

As for the Kerberos authentication issue you mentioned in this issue, I
think it is likely due to some configuration issue. I suggest you currently
test on the single machine (browser, ASP.NET web1 and ASP.NET web2).

As for the error message below:

=====================
I've tried all three values for <kerberos ... impersonationLevel > and all
return flavors of InitializeSecurityContext failed - network path not found,
or unable to establish logon session, or related.
=====================

based on my experience, it indicates the service's principal is not
configured correctly for the "Kerberos" assertion. When using the Kerberos
assertion in WSE, we need to provide the web service server's service
principal name in the policy file, e.g.

========================
<policies>
  <policy name="ClientPolicy">
    <kerberosSecurity establishSecurityContext="false"
                      requireSignatureConfirmation="false"
                      messageProtectionOrder="SignBeforeEncrypt"
                      requireDerivedKeys="false" ttlInSeconds="10000">
      <token>
        <kerberos targetPrincipal="machinename@domainname"
                  impersonationLevel="Impersonation" />
      </token>
      <protection>
        ........................
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>
========================

You can check the "targetPrincipal" attribute here to make sure it is the
correct service principal name that is recognizable in your current
environment (Windows AD).

Also, have you installed the WSE 3.0's sdk samples? If so, there is a
"WSSecurityKerberos" sample under the following path:

C:\Program Files\Microsoft WSE\v3.0\Samples\CS\QuickStart\Security\WSSecurityKerberos\Policy

You can test through this sample on your server machine to make it work,
thus we can get a correct WSE kerberos configuration which can be applied
to our real web application later.

In addition, for the "impersonationLevel", I suggest you use
"Identification" and "Impersonation" first, since "Delegation" will require
more security configuration in Windows AD.

Please feel free to let me know if there is any other information you
wonder.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no
rights.
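As an added check (not part of the thread): a Kerberos SPN such as HTTP/Machine must resolve to exactly one account, so a policy whose targetPrincipal is either unregistered or registered on two different app-pool identities cannot get a service ticket and surfaces as an InitializeSecurityContext failure. The script below cross-checks the targetPrincipal in a WSE 3.0 client policy against the SPN inventory; the policy text, account names and the `setspn -L` output are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
# Constructed WSE 3.0 client policy, modelled on the fragment in the thread.
POLICY_XML = """<policies>
  <policy name="ClientPolicy">
    <kerberosSecurity establishSecurityContext="false" requireSignatureConfirmation="false"
        messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="10000">
      <token>
        <kerberos targetPrincipal="http/Machine" impersonationLevel="Impersonation" />
      </token>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>"""
# Constructed 'setspn -L' output for two hypothetical app-pool identities, both
# registered with the same HTTP SPN, as the thread describes.
SETSPN_OUTPUT = """Registered ServicePrincipalNames for CN=svc_webA,OU=Svc,DC=corp,DC=example:
        HTTP/Machine
        HTTP/Machine.corp.example
Registered ServicePrincipalNames for CN=svc_webB,OU=Svc,DC=corp,DC=example:
        HTTP/Machine
"""

def target_principals(policy_xml):
    """Map each policy name to the targetPrincipal of its <kerberos> token."""
    root = ET.fromstring(policy_xml)
    return {p.get("name"): k.get("targetPrincipal")
            for p in root.iter("policy") for k in p.iter("kerberos")}

def parse_setspn(output):
    """Map each SPN (lower-cased; SPN matching is case-insensitive) to its holders."""
    spns, account = {}, None
    for line in output.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for (.+):$", line.strip())
        if m:
            account = m.group(1)
        elif line.strip() and account:
            spns.setdefault(line.strip().lower(), []).append(account)
    return spns

def check_policy(policy_xml, setspn_output):
    """Flag a targetPrincipal that is unregistered or held by more than one account."""
    spns, findings = parse_setspn(setspn_output), {}
    for name, principal in target_principals(policy_xml).items():
        n = len(spns.get(principal.lower(), []))
        findings[name] = ("%r is not a registered SPN" % principal if n == 0 else
                          "duplicate SPN %r on %d accounts" % (principal, n) if n > 1 else
                          "ok: %r is registered on exactly one account" % principal)
    return findings
```

Run it against the real policy file and the real `setspn -L` output for each app-pool account; a "duplicate SPN" finding means one registration has to be removed before the KDC can issue a ticket for that principal.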

