Propagating caller identity across applications from a bare ASMX Service method to a WSE3 Service method
- From: "Howard Hoffman" <HowardH@xxxxxxxxxxxxxxxx>
- Date: Tue, 9 Jan 2007 18:12:39 -0500
We've a set of WSE3 / ASMX Services in an application. Currently, the
application is configured to use KerberosSecurity.
We've now got a new customer that is only running .NET 1.1. For purposes of
discussion, our WSE3 / ASMX application is closed for interface changes or
extension (e.g. I cannot add a new ASMX into it that does not use WSE3).
Since .NET 1.1 cannot directly call a WSE3 Web Service, our thought is to
create a Shim ASMX web service (separate application) on .NET 2.0 that
forwards calls from the .NET 1.1 clients over to the WSE3 / ASMX Service
application.
So, there are multiple hops involved:
Browser client to .NET 1.1 app (Windows authorization, <identity impersonate = "true" />)
.NET 1.1 app to shim .NET 2.0 ASMX (Windows authorization, <identity impersonate = "true" />).
shim .NET 2.0 ASMX to WSE3 / ASMX Service (Windows authorization, KerberosSecurity).
For this test, all applications are running on the same computer (W2K3).
Both .NET 2.0 applications are running in the same non-default App Pool,
which uses a Domain Account for which we've run the SETSPN utility to set up
the Service Principal correctly. The .NET 1.1 application is running in a
different non-default App Pool, but is using the same Domain Account for its
identity.
Basically, I get the dreaded WSE594 error trying to call the WSE3 / ASMX
Service.
My goal is to be able to perform authorization checks on the user running
the browser at each hop. Is this possible given the .NET 1.1 / .NET 2.0 mix
I've got?
Thanks in advance,
Howard Hoffman