RE: Flowing Kerberos Credentials from Browser Client to Web App to Web Service App ...
- From: "Paul" <penauroth@xxxxxxxxxxx>
- Date: Fri, 18 Aug 2006 01:25:20 GMT
I have 3 platforms that must talk. There's an IE browser client, an ASP.NET
2.0 web application and a WSE3-based web service, running in a 2nd ASP.NET2
web application. It's unclear whether the 2 ASP.NET web applications will
be running on the same machine.
The web service uses the KerberosSecurity assertion, and the goal is to flow
the IE client's domain credentials through to the web server application at
the end of the flow path. The middle web application uses Windows
Authentication, and we've set <identity impersonate="true"/> in that
application's web.config.
The middle application is using an App Pool identity that is a domain
account. We've run setspn on the DC to associate that domain account with
the HTTP service on the middle machine.
The web service application is using an App Pool identity, different from
the middle app, that is also a domain account. We've also run setspn on
that identity, with the HTTP service.
For purposes of our test, a single machine runs both the middle and web
service applications (obviously they use different app pools).
I've tried all three values for <kerberos ... impersonationLevel > and all
return flavors of InitializeSecurityContext failed - network path not found,
or unable to establish logon session, or related.
Am I seeing a network / Domain Controller issue or a use-of-WSE issue that I
can fix with different configuration settings?
Thanks in advance,
Howard Hoffman
Howard,
Kerberos is a very tricky mechanism to use to authenticate end users. I recently had to deal with double-hop authentication issues and have had to deal with Microsoft's inadequate documentation. Let me break it down for you as simply as possible:
1. Set up your web server to use Kerberos authentication. I believe you need to navigate to your Inetpub\AdminScripts directory via command prompt. Execute the following command: cscript adsutil.vbs set w3svc/siteid/NTAuthenticationProviders "Negotiate,NTLM"
2. Allow your domain account that will be used on the app pool to be trusted for delegation in AD.
3. Set the principal name for the service you intend to use for the computer object in AD: setspn -A HTTP/mymachine mydomain\username
Note: When you run the setspn -L mymachine you will not see the listing for the service/machine but it will be there.
4. Create an app pool and assign the domain account to the identity fields in place of the Network Service account.
5. Add the newly created app pool to your application virtual directory.
6. Give the domain account the same permissions assigned to the Network Service account. I believe the Network Service account requires read permissions on directories and files.
7. Add the domain account to the BUILTIN\IIS_WPG group on the web server.
That is it. I use this setup in a clustered web environment that hosts over 30 virtual directories of .NET and legacy ASP applications.
Paul
Posted from http://www.topxml.com/renntp using reNNTP: the website based NNTP reader.
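The reply's steps 2 and 3 (delegation on the app-pool account, HTTP SPN registration) are the ones that most often go wrong and produce the InitializeSecurityContext failures Howard describes. The script below is an added verification check, not code from either poster; it assumes the RSAT ActiveDirectory module is installed and that the hypothetical parameters $ServiceAccount and $HostName are replaced with the app-pool account's sAMAccountName and the middle machine's host name.

```powershell
# Added example: verify the SPN and delegation state the reply's steps 2-3 require.
# Assumes RSAT ActiveDirectory module; $ServiceAccount / $HostName are placeholders.
param(
    [Parameter(Mandatory)][string]$ServiceAccount,   # app-pool domain account (sAMAccountName)
    [Parameter(Mandatory)][string]$HostName          # "mymachine" in the reply's setspn step
)
Import-Module ActiveDirectory

$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName,
    TrustedForDelegation, 'msDS-AllowedToDelegateTo', AccountNotDelegated

# Kerberos clients build the SPN from the host name the browser used, so both the
# short and the fully qualified HTTP SPN should sit on the app-pool account.
$wanted = @("HTTP/$HostName", "HTTP/$HostName.$((Get-ADDomain).DNSRoot)")
foreach ($spn in $wanted) {
    if ($acct.servicePrincipalName -contains $spn) {
        "OK       SPN $spn is registered on $ServiceAccount"
    } else {
        "MISSING  SPN $spn (register with: setspn -S $spn $ServiceAccount)"
    }
}

# A duplicate SPN anywhere in the domain makes the KDC unable to issue a ticket,
# and IE silently falls back to NTLM, which cannot be delegated to the second hop.
foreach ($spn in $wanted) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($holders.Count -gt 1) {
        "DUPLICATE SPN $spn held by: $($holders.Name -join ', ')"
    }
}

# Delegation state on the app-pool account (step 2 of the reply).
if ($acct.AccountNotDelegated) {
    "FAIL     account is marked 'sensitive and cannot be delegated'"
} elseif ($acct.'msDS-AllowedToDelegateTo') {
    "OK       constrained delegation to: $($acct.'msDS-AllowedToDelegateTo' -join ', ')"
} elseif ($acct.TrustedForDelegation) {
    "OK       unconstrained delegation is enabled (constrained delegation to the web service SPN limits exposure)"
} else {
    "FAIL     no delegation configured on $ServiceAccount; step 2 of the reply is missing"
}
```

Run it against both app-pool accounts (middle and web service) since each needs its own HTTP SPN, and only the middle account needs delegation.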