Re: AppPool + secureConversation



Steven,

do you think it should be possible to call LogonUser from the web service itself?

I have tried calling it from Application_Start like this:

protected void Application_Start(object sender, EventArgs e)
{
    ...
    // Interactive logon so the account gets a logon session DPAPI can use
    if( NativeMethods.LogonUser(username, domain, password, LogonSessionType.Interactive,
                                LogonProvider.WinNT50, out handle) )
    {
        // log progress to event log

        // Run the rest of startup under that account's token
        if( NativeMethods.ImpersonateLoggedOnUser(handle) )
        {
            // log progress to event log
        }
        ... etc
    }
}

Both calls succeed, and happen before the subsequent WSE3 SecureConversation exceptions as described previously.

However, if I manually log on as the user, the web service works fine.

Regards
Phil Lee

"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message news:6xEQQdekHHA.4032@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Phil,

As for this WSE 3.0 secure conversation related issue, I've also met this
before and it occurred when you are using secure conversation (the default
setting) for your WSE service communication and configure to use a custom
app pool identity in IIS. Here is the explanation on it:


By default, WSE 3.0 will do stateful SecureConversations, and this requires
the use of DPAPI's in order to encrypt the state of the conversation. This
state is passed with each message with the SecurityContextToken so that the
server doesn't have to maintain any state.

When your App Pool is running under a Network Service account, encrypting
using the DPAPI's will work, because it has a logon session. DPAPI's
require this logon session to exist in order to work the way WSE is using
it. While using a custom application pool identity, there is only a service
logon session (no additional interactive logon session exists), so DPAPI
cannot work correctly.

Here is also a former issue discussing this:

http://groups.google.com/group/microsoft.public.dotnet.framework.webservices.enhancements/browse_thread/thread/9beafe7042814812/5709e2d95592a426

So far we have the following options for such a scenario:

1. If you configure to use a custom account for the WSE service's
application pool, you need to manually establish an interactive logon
session for that account. For example, you can log on to the server
interactively via that custom account or use code to do the logon via the
interactive logon type (use the LogonUser Win32 API).

2. Turn off secure conversation, so no DPAPI will be needed and it won't cause
a problem if no interactive logon session exists.

Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
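The following is an added diagnostic, not code from either poster: it logs on as the custom app-pool account with a given logon type, impersonates it, and checks whether user-scope DPAPI round-trips, which is what the stateful SecureConversation described above depends on. The account name, domain and password are placeholders, and the probe string is constructed for the test.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

static class DpapiLogonProbe
{
    const int LOGON32_LOGON_INTERACTIVE = 2;  // account needs the "Allow log on locally" right
    const int LOGON32_LOGON_SERVICE = 5;      // the kind of session a service/app-pool account gets
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns true when DPAPI CurrentUser Protect/Unprotect works under that logon session.
    public static bool DpapiWorksAs(string user, string domain, string password, int logonType)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, logonType, LOGON32_PROVIDER_WINNT50, out token))
        {
            // e.g. missing "Log on as a service" / "Allow log on locally" right
            Console.WriteLine("LogonUser({0}) failed: {1}", logonType,
                new Win32Exception(Marshal.GetLastWin32Error()).Message);
            return false;
        }
        try
        {
            using (WindowsIdentity.Impersonate(token))   // run the DPAPI calls as that account
            {
                byte[] plain = Encoding.UTF8.GetBytes("sct-state-sample");   // constructed sample
                byte[] blob = ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
                byte[] back = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
                return Encoding.UTF8.GetString(back) == "sct-state-sample";
            }
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("DPAPI failed under logon type {0}: {1}", logonType, ex.Message);
            return false;
        }
        finally { CloseHandle(token); }
    }

    static void Main()   // placeholder credentials; replace with the real app-pool account
    {
        Console.WriteLine("service logon:     " + DpapiWorksAs("apppooluser", "CORP", "<password>", LOGON32_LOGON_SERVICE));
        Console.WriteLine("interactive logon: " + DpapiWorksAs("apppooluser", "CORP", "<password>", LOGON32_LOGON_INTERACTIVE));
    }
}
```

Run it on the web server under an administrative account; a "false" for the service logon together with a "true" for the interactive logon reproduces the condition the thread describes, without having to trigger the WSE exception itself.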
