Hey Jason,
Thanks for your further feedback, sorry for not having made things clear.
Yes, for an intranet application within a Windows domain (2000 or 2003)
environment, we can have the client-side Windows authentication security
context forwarded to the server, and on to a more remote server (e.g. backend
database....), through Kerberos delegation.
Actually, due to the complexity and environment-dependent requirements,
there are few complete examples, unlike for some other technical tricks....
However, we have many MSDN references and technical articles introducing
such features:
For general info on ASP.NET delegation:
#ASP.NET Delegation
http://msdn.microsoft.com/library/en-us/vsent7/html/vxconaspnetdelegation.asp?frame=true
#How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000023.asp?frame=true
When the webserver is WIN2K, more configuration is needed due to the
win2k server's particular OS security settings....
#How To Implement Kerberos Delegation for Windows 2000
http://msdn.microsoft.com/library/en-us/secmod/html/secmod19.asp?frame=true
#Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utility
http://msdn.microsoft.com/msdnmag/issues/0500/security/default.aspx
In addition, I remember that we can find some webcasts on the TechNet site
about configuring IIS to suit the Kerberos delegation scenario....
http://www.microsoft.com/windowsserver2003/iis/support/webcasts.mspx
Hope this helps. Thanks,
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| From: (e-mail address removed) (Steven Cheng[MSFT])
| Organization: Microsoft
| Date: Thu, 01 Dec 2005 12:20:02 GMT
| Subject: RE: accessing WebService from asp.net App on load balanced Servers
|
| Hi Jason,
|
| Have you got any further ideas on this issue? If there's anything else we
| can help with, please feel free to post here.
|
| Thanks,
|
| Steven Cheng
| Microsoft Online Support
|
| Get Secure!
| www.microsoft.com/security
| (This posting is provided "AS IS", with no warranties, and confers no
| rights.)
| --------------------
| | From: (e-mail address removed) (Steven Cheng[MSFT])
| | Organization: Microsoft
| | Date: Tue, 29 Nov 2005 11:34:27 GMT
| | Subject: RE: accessing WebService from asp.net App on load balanced Servers
| |
| | Thanks for your response Jason,
| |
| | Yes, if you're able to successfully implement the Kerberos authentication
| | configuration from the client (browser side....) to your web server and
| | the remote webservice server (all in the same 2000 or 2003 domain or
| | trusted domain...), and all the user accounts meet the requirement, the
| | Kerberos token can be forwarded from the webserver to the remote webservice
| | server...
| |
| | Thanks,
| |
| | Steven Cheng
| | Microsoft Online Support
| |
| | Get Secure!
| | www.microsoft.com/security
| | (This posting is provided "AS IS", with no warranties, and confers no
| | rights.)
| | --------------------
| | | From: "Jason"
| | | Subject: RE: accessing WebService from asp.net App on load balanced Servers
| | | Date: Mon, 28 Nov 2005 18:03:31 -0800
| | |
| | | Would Constrained Delegation not give me a solution here? This is an
| | | Intranet application and my understanding of constrained delegation is
| | | that the original user impersonation will carry through to the back end
| | | server??
| | |
| | | "Steven Cheng[MSFT]" wrote:
| | |
| | | > Thanks for your response Jason,
| | | >
| | | > Actually, this limit is due to the Windows NTLM authentication, which
| | | > doesn't allow an authenticated logon session to double hop multiple
| | | > machines. So the client's implicitly impersonated credential can only
| | | > access the asp.net server's protected resources but not another remote
| | | > machine... In addition to Kerberos delegation (which requires all the
| | | > computers involved in the application's process stream to be configured
| | | > correctly.....), another approach is to programmatically impersonate the
| | | > client user; such a programmatically impersonated session will also be
| | | > remotable to other machines. However, programmatic impersonation requires
| | | > a clear text username/password....
| | | >
| | | > #How to configure an ASP.NET application for a delegation scenario
| | | > http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
| | | >
| | | > Anyway, delegating authenticated credentials over multiple hops is not a
| | | > good idea, since with each additional hop the possibility that the
| | | > context gets hacked increases. Also, performance overhead is involved.
| | | >
| | | > Thanks,
| | | >
| | | > Steven Cheng
| | | > Microsoft Online Support
| | | >
| | | > Get Secure!
| | | > www.microsoft.com/security
| | | > (This posting is provided "AS IS", with no warranties, and confers no
| | | > rights.)
| | | >
| | | >
| | | >
| | | > --------------------
| | | > | From: "Jason"
| | | > | Subject: RE: accessing WebService from asp.net App on load balanced Servers
| | | > | Date: Sun, 27 Nov 2005 20:30:02 -0800
| | | > |
| | | > | Steven,
| | | > |
| | | > | Thanks for your response. Unfortunately landing the web service on the
| | | > | same server as the asp.net application is not an option. Neither is
| | | > | using a hardcoded ID, as the web service recognizes the user and sets
| | | > | the response appropriately. I am amazed that there is no other option.
| | | > | Does the 2.0 framework change anything? I have tried to create an
| | | > | assembly using EnterpriseServices to handle the impersonation also, but
| | | > | it still will not send the user's credentials.. Can you confirm with your
| | | > | colleagues if this is possible with the current framework? or not? This
| | | > | problem seems to remove the benefit of using a Web Service for the back
| | | > | end data provider...
| | | > |
| | | > | Thanks
| | | > | Jason
| | | > |
| | | > |
| | | > | "Steven Cheng[MSFT]" wrote:
| | | > |
| | | > | > Hi Jason,
| | | > | >
| | | > | > Welcome to the asp.net newsgroup.
| | | > | > From your description, you're accessing an ASP.NET webservice from an
| | | > | > asp.net web application; the web application turns on impersonation
| | | > | > so as to use the client user's credential to access the webservice
| | | > | > (authenticated protected...). However, you found that this worked only
| | | > | > when the webservice is on the same machine as the web application...
| | | > | > Otherwise, you'll get a 401 error, yes?
| | | > | >
| | | > | > Based on my experience, this problem is caused by the limitation of
| | | > | > the logon session generated by normal Windows NTLM authentication. By
| | | > | > default the asp.net implicitly impersonated client logon sessions are
| | | > | > network logon sessions; they have no network credentials. So it is OK
| | | > | > for accessing protected resources on the same box (with the asp.net
| | | > | > web application...), however, when trying to access some remote
| | | > | > protected resources... we'll get an access error since no security
| | | > | > credential is sent (a network logon session can not be forwarded to a
| | | > | > remote machine...). This is the typical double hop limit...
| | | > | >
| | | > | > So as for your scenario, the most recommended and simplest means is
| | | > | > to use a fixed privileged account to access the remote webservice in
| | | > | > your asp.net web application (avoid using the implicitly impersonated
| | | > | > client user's credential....). Or you can consider still maintaining
| | | > | > the webservice on the same server as the asp.net web app....
| | | > | > And for the Kerberos you mentioned, yes, it is possible to configure
| | | > | > Kerberos delegation between the client and our asp.net web application
| | | > | > so as to establish a Kerberos ticket which can be forwarded to
| | | > | > multiple remote machines (multiple hops...), but using Kerberos
| | | > | > delegation may require complex configuration on both the client side
| | | > | > (browser) and the server side (including the asp.net web app's server
| | | > | > and the webservice's server, also the win2k or win2003 domain.....),
| | | > | > so we do not recommend using this approach......
| | | > | >
| | | > | > Thanks,
| | | > | >
| | | > | > Steven Cheng
| | | > | > Microsoft Online Support
| | | > | >
| | | > | > Get Secure!
| | | > | > www.microsoft.com/security
| | | > | > (This posting is provided "AS IS", with no warranties, and confers no
| | | > | > rights.)
| | | > | >
| | | > | > --------------------
| | | > | > | From: "Jason"
| | | > | > | Subject: accessing WebService from asp.net App on load balanced Servers
| | | > | > | Date: Sun, 27 Nov 2005 00:38:01 -0800
| | | > | > |
| | | > | > | Hi,
| | | > | > |
| | | > | > | I have an ASP.Net application that retrieves Data from a Web Service.
| | | > | > | When the Web service resides on the same server I have no problem and
| | | > | > | the asp.net page functions as expected. I am using impersonation and
| | | > | > | the credentials are being passed to the web service as expected.
| | | > | > |
| | | > | > | Now, when the web service resides on a different server the
| | | > | > | credentials are not passed to the webservice and the asp application
| | | > | > | receives a 401 Error. I have seen emails about using kerberos but have
| | | > | > | not been successful in getting it to work. Could this be because I am
| | | > | > | using Load balanced servers? (Using Application Server) I thought this
| | | > | > | worked when using Windows 2000 Server but I am now using Windows 2003
| | | > | > | Server. Can you tell me what specific steps I need to take for my
| | | > | > | asp.net application to function and retrieve content from a web
| | | > | > | service passing the credentials of the original user using the
| | | > | > | asp.net application??
| | | > | > | Thanks
| | | > | > | Jason
| | | > | > |
| | | > | > |
| | | > | >
| | | > | >
| | | > |
| | | >
| | | >
| | |
| |
| |
|
|
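The double-hop behaviour discussed throughout this thread, as an added example that is not part of any of the original posts: a small C# helper for an ASP.NET 2.0 page that checks whether the impersonated caller token is Delegation-level (i.e. Kerberos delegation is actually in place) before forwarding it to a remote web-service proxy, and otherwise falls back to the fixed service account Steven recommends. The class, method names and account values are hypothetical; `WindowsIdentity.ImpersonationLevel`, `TokenImpersonationLevel` and `WebClientProtocol.Credentials` are real .NET 2.0 members.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web.Services.Protocols;

// Hypothetical helper (not from the thread): chooses the credentials an ASP.NET
// page attaches to a web-service proxy before calling a service on another box.
public static class BackendCredentialPolicy
{
    // True only when the current token may hop to another machine. A token
    // obtained through Kerberos delegation is Delegation-level; the implicit
    // impersonation token from NTLM/Negotiate is Impersonation-level and, as
    // Steven describes, carries no network credentials beyond this server.
    public static bool CanForwardCallerToken(WindowsIdentity caller)
    {
        return caller != null
            && caller.IsAuthenticated
            && caller.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Configures the proxy: forward the caller when delegation is in place,
    // otherwise use the fixed service account (the option Steven recommends).
    // Returns true if the caller's identity is being forwarded, so the page can
    // log which path was taken when diagnosing the 401 from the thread.
    public static bool ApplyCredentials(WebClientProtocol proxy,
                                        WindowsIdentity caller,
                                        NetworkCredential serviceAccount)
    {
        bool forwardCaller = CanForwardCallerToken(caller);
        if (forwardCaller)
        {
            // Delegation-level token: DefaultCredentials sends the caller's own
            // identity, so the remote service can still authorize per user.
            proxy.Credentials = CredentialCache.DefaultCredentials;
        }
        else
        {
            // An Impersonation-level token would produce the 401 described in
            // the thread; the service account works, but the remote service no
            // longer sees the original user (the trade-off Jason objects to).
            proxy.Credentials = serviceAccount;
        }
        proxy.PreAuthenticate = true;
        return forwardCaller;
    }
}

// Typical call from a page, with placeholder account values (constructed);
// the password belongs in protected configuration, never in source code:
// bool forwarded = BackendCredentialPolicy.ApplyCredentials(
//     proxy, WindowsIdentity.GetCurrent(),
//     new NetworkCredential("svc-backend", "<password-from-config>", "CONTOSO"));
```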