WSE 3.0 Kerberos Auth and issue with Windows XP ASPNET Account



I am using WSE 3.0 with Visual Studio 2005; specifically, I'm using Kerberos
authentication and passing the Kerberos ticket from the Presentation Tier (VSTO.2005
client) to the Server Tier through our Web Services (based on WSE 3.0).

Having our WSE 3.0 Web Service on Windows Server 2003, everything works
great, but on Windows XP I have a problem (which is documented in the WSE
3.0 help), and its workaround does not work properly (at least in my
current testing).

The problem is that the ASP.NET default user in Windows XP (the ASPNET user account)
does not have enough privileges to run Kerberos authentication over WSE
3.0 Web Services, so, by default, using the ASPNET account, it does not work (we
get a WSE910 exception).

There is an MSFT sample where you can test it (WSSecurityKerberos), provided
with the WSE 3.0 Setup.

Also, WSE samples Help documentation says the same, and gives a workaround:
=====================================================================================================================================================================
Running the Kerberos Sample - WSSecurityKerberos
On Microsoft® Windows® XP and Microsoft® Windows® 2000 Server, the Kerberos
Security sample (WSSecurityKerberos) requires additional higher privilege
settings for the ASPNET account. There are several ways to enable this. One
is to give ASPNET account "Act as part of Operating System" privilege using
Local Security Setting, and then reboot the system. Another alternative is
to modify machine.config by setting the username attribute equal to "system"
in the ProcessModel element, and then reset IIS.

NOTE: By default the policy version of the WSSecurityKerberos does not work
and throws an exception. This is because the machine name where the service
is running needs to be updated in the wse3policyCache.config in the
WSSecurityKerberosPolicyClient project to the machine where the service is
installed.
=====================================================================================================================================================================

Using the SYSTEM account as the aspnet_wp.exe WinXP-IIS process identity
(changing machine.config) with WSE 3.0 Kerberos on Windows XP does work
properly, BUT the problem we have is that we DO NEED to run our XML Web
Service with any account (like ASPNET) except the SYSTEM account (because we'll
also need to use AzMan / Authentication Manager, and it does not work with the
SYSTEM account on Windows XP, but this shouldn't be part of this
question). The behaviour I am describing can be reproduced just with the
WSSecurityKerberos sample, without using AzMan within the same project.

So, at first glance, our solution would be to change the ASPNET privileges,
enabling it to "Act as part of the Operating System" using the Local Policy
"Act as part of the Operating System".

BUT we have done that and rebooted the machine, and it does not work at all (we
get the same exception). I have tested it on several Windows XP SP2 machines
with no luck. So, do we need to do anything else to make it work with the ASPNET
account? (We already gave the ASPNET account the "Act as part of the Operating System"
privilege using the Local Security Setting.)

Below you can read about my different environments:

Development Environment:
- Windows XP - SP2 (English US)
- Visual Studio 2005 Team Developer Edition (English US)
- WSE 3.0 (English US)
- IIS as Web server (it seems WSE does not work with Cassini, the VS.2005
Web Server).

Future Production Environment
On the other hand, as I said, WSE 3.0 Kerberos works properly with Windows
Server 2003 SP1 and the IIS 6.0 application pool process (w3wp.exe) default identity
(NETWORK SERVICE).

So, to sum up:
Do I need to do anything else to make WSE 3.0 work with the ASPNET account on
Windows XP SP2? (I already gave the ASPNET account the "Act as part of the Operating
System" privilege using the Local Security Setting and rebooted my machines.)

Thanks in advance,

César de la Torre
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]
Software Architect

Renacimiento
Microsoft GOLD Certified Partner
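For reference, the machine.config change the quoted WSE documentation describes (the second workaround) lives in the processModel element under system.web. The fragment below is an added illustration, not part of the original post or the WSE sample: it shows the default worker-process identity on Windows XP / IIS 5.x beside the SYSTEM variant the documentation suggests. Only the userName and password attributes are relevant here; the other processModel attributes are omitted and left at their defaults. Note that this element only governs aspnet_wp.exe on IIS 5.x; on IIS 6.0 in worker process isolation mode it is ignored and the application pool identity (NETWORK SERVICE in the post's production setup) applies instead.

```xml
<!-- Added illustration of the processModel workaround, not the original post's configuration. -->
<!-- Location on Windows XP / .NET 2.0 (path given as an example):
     %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config -->
<configuration>
  <system.web>

    <!-- Default on Windows XP / IIS 5.x: aspnet_wp.exe runs as the
         low-privilege local ASPNET account ("machine" is the keyword
         for that account; "AutoGenerate" means ASP.NET manages the
         password itself). This is the least-privilege configuration. -->
    <processModel enable="true"
                  userName="machine"
                  password="AutoGenerate" />

    <!-- Alternative named in the WSE sample documentation: run the
         worker process as LocalSystem. This makes the Kerberos sample
         work on XP but grants the web service unrestricted local rights,
         which is exactly what the post wants to avoid. Only one
         processModel element may be present; the two are shown together
         here for comparison. -->
    <!--
    <processModel enable="true"
                  userName="SYSTEM"
                  password="AutoGenerate" />
    -->

  </system.web>
</configuration>
```

After editing machine.config, IIS must be restarted (iisreset) for aspnet_wp.exe to pick up the new identity, as the quoted documentation says. Whichever identity is in effect can be confirmed from inside the service by reading System.Security.Principal.WindowsIdentity.GetCurrent().Name, which is a quick way to tell whether the worker process is actually running as the account the configuration intends.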




