WSE 3.0, Kerberos



Hi,

I am trying to secure a WS using WSE 3.0 and Kerberos.
I used the "WSE 3.0 settings" from VS2005 with my own WS.

I have a console application which tries to access a WS.
With the following configuration it works:
- WS/IIS and AD on the Windows 2003 server
- console application on a Windows XP workstation

With the following configuration it fails:
- AD on a Windows 2003 server
- console application and WS/IIS on a Windows XP workstation

Here are the error messages:
" Server unavailable, please try later"
"An error occurred processing an outgoing fault response. --->
System.Web.Services.Protocols.SoapHeaderException:
Microsoft.Web.Services3.Security.SecurityFault: SecurityContextToken is
expected but not present in the security header of the incoming
message."
"An invalid security token was provided"
"AcceptSecurityContext call failed with the following
error message: Logon failure: unknown user name or bad password."

I have done a lot of searching with Google, so here is what I did:
- I have set ASPNET to act as the operating system => problem not solved
- I have updated web.config to use another user (instead of ASPNET)
from the domain (mydomain\myuser) => problem not solved

What could be the problem??

One other thing, the problem occurs in the response.
My understanding of Kerberos is that only the client has to communicate
with the KDC, not the server (I mean not the Web service).
The client gets a session ticket from the KDC + a copy (in a ticket)
which is encrypted with the private key of the service.
Then the client authenticates to the web service by providing the
encrypted session key (that only the service can decrypt) +
authenticator.
Therefore, why do I have a "Server unavailable" error (which I guess is
the KDC server) in the response of the service (the WS)??? Why does the
WS try to communicate with the KDC to authenticate (I do not manage
authorization, just authentication)

Thanks for your help

Rod
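To make the ticket exchange described in the post concrete, here is an added, runnable sketch of the three parties (KDC, client, service) and the messages between them. It is not code from the post, from WSE 3.0 or from Windows; the principals, the service principal name `HTTP/wsbox.mydomain.local`, the keys and the toy encrypt-then-MAC construction are all constructed for the example, and real Kerberos uses ASN.1-encoded messages and proper enctypes rather than this `seal`/`unseal` pair. What it shows is the part of the model the post relies on: the KDC seals the session key into a ticket under the service's long-term key, the client forwards that ticket with an authenticator, and the service validates both with nothing but its own key, so no KDC round trip is needed on the service side. The second run simulates the service process holding a key other than the one the KDC used for that SPN, which is rejected as an invalid token before any principal is identified.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed principals and keys for the example; nothing here comes from the post.
CLIENT = "rod@MYDOMAIN.LOCAL"                  # hypothetical client principal
SPN = "HTTP/wsbox.mydomain.local"              # hypothetical service principal name
KDC_KEYS = {CLIENT: os.urandom(32), SPN: os.urandom(32)}  # long-term keys held by the KDC


def _keystream(key, nonce, n):
    """Counter-mode keystream from SHA-256 (toy construction, not a Kerberos enctype)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under key: nonce || ciphertext || tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Reverse of seal(); raises ValueError if the blob was not sealed under this key."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("invalid security token: does not verify under this key")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


def kdc_issue(kdc_keys, client, spn, now, lifetime=600):
    """KDC side: mint a session key, return it to the client, and embed it in a
    ticket sealed under the service's long-term key (the 'copy' the client cannot read)."""
    session_key = os.urandom(32)
    ticket = seal(kdc_keys[spn], {"client": client, "session_key": session_key.hex(),
                                  "expires": now + lifetime})
    reply = seal(kdc_keys[client], {"spn": spn, "session_key": session_key.hex()})
    return reply, ticket


def client_ap_req(client_key, reply, ticket, client, now):
    """Client side: recover the session key and build AP_REQ = ticket + authenticator."""
    session_key = bytes.fromhex(unseal(client_key, reply)["session_key"])
    authenticator = seal(session_key, {"client": client, "timestamp": now})
    return {"ticket": ticket, "authenticator": authenticator}


def service_accept(service_key, ap_req, now, max_skew=300):
    """Service side: validate AP_REQ using only its own long-term key; no KDC round trip."""
    ticket = unseal(service_key, ap_req["ticket"])
    if ticket["expires"] < now:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(ticket["session_key"])
    auth = unseal(session_key, ap_req["authenticator"])
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(auth["timestamp"] - now) > max_skew:
        raise ValueError("clock skew exceeds tolerance")
    return ticket["client"]


def run_exchange(service_key_matches_kdc=True):
    """Drive one full exchange. With the flag False, the service holds a key other
    than the one the KDC sealed the ticket under, simulating an SPN/key mismatch."""
    now = int(time.time())
    reply, ticket = kdc_issue(KDC_KEYS, CLIENT, SPN, now)
    ap_req = client_ap_req(KDC_KEYS[CLIENT], reply, ticket, CLIENT, now)
    service_key = KDC_KEYS[SPN] if service_key_matches_kdc else os.urandom(32)
    return service_accept(service_key, ap_req, now)


def mismatched_key_rejected():
    """True when a ticket sealed under a different key is refused (the expected outcome)."""
    try:
        run_exchange(service_key_matches_kdc=False)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("accepted:", run_exchange())
    print("mismatched key rejected:", mismatched_key_rejected())
```

Two things the toy deliberately leaves out: the ticket-granting step that precedes the service ticket request, and anything Windows does inside AcceptSecurityContext beyond the pure Kerberos check (for example validating the PAC or negotiating a different package), which is where a server-side round trip to a domain controller can appear even though the Kerberos AP exchange itself needs none.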
