.NET Forum / .NET Framework / Security / March 2008


ServiceClassName for defining WebService SPN

Ralf Steinstraesser - 12 Mar 2008 17:02 GMT
Hi,

I am having difficulties defining a Service Principal Name (SPN) for a
self-written .NET web service. Assuming that all AD delegation settings are
valid, I am quite clueless about what the ServiceClassName should be for
registering the SPN for the web service.

Is this the service name tag in the services section, or rather the contract
of the endpoint tag in the config file of the web service?

Any help appreciated here.

Signature

Dipl.-Ing. Ralf Steinstraesser
Software Architekt
Bissantz & Company GmbH

Joe Kaplan - 12 Mar 2008 17:31 GMT
It should be HTTP/hostname.

Basically, the plumbing code in System.Net that implements Kerberos
authentication for all different types of web request traffic
(HttpWebRequest, etc.) will build an SPN for the target using the HTTP
service class name, so that's what you should set on your service accounts
in AD.  Also note that System.Net will do a DNS lookup on the name you use
for the service name and will build the SPN based on the host (A) record in
DNS for that name.  Be careful if you use DNS aliases as you may get
unexpected behavior.

Also remember that the HOST service class is a "wild card" for a variety of
other different services including HTTP, so if the client specifies an SPN
of HTTP/hostname, that will match to HTTP/hostname but also to HOST/hostname
if the HTTP SPN does not exist explicitly.  HOST/hostname SPNs are created
in AD on machine accounts by default when they are joined to the domain
based on the NetBIOS and DNS name of the machine.

Joe K.
Signature

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
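The procedure Joe describes (derive the SPN the way System.Net will, beware of DNS aliases, register HTTP/name on the account the service runs as) as an added PowerShell example, not code from the thread. It assumes a web service at https://reports.corp.example/ReportService.asmx whose IIS application pool runs as the domain user CORP\svc-reports; those names are invented for the example. It needs the ActiveDirectory module (RSAT), the DnsClient module's Resolve-DnsName, and setspn.exe, run by an account allowed to write servicePrincipalName.

```powershell
# Added example, not code from the thread. Assumed names: web service at
# https://reports.corp.example/ReportService.asmx, app pool identity CORP\svc-reports.
$ServiceUrl     = 'https://reports.corp.example/ReportService.asmx'
$ServiceAccount = 'svc-reports'

# 1. Start from the host part of the URL the clients will actually use.
$hostName = ([System.Uri]$ServiceUrl).Host

# 2. System.Net resolves that name and builds the SPN from the A record, so a
#    CNAME alias is followed to its canonical name before the SPN is formed.
#    Mirror that here and warn when the two differ.
$records = Resolve-DnsName -Name $hostName -Type A -ErrorAction Stop
$cname   = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
$aRecord = $records | Where-Object { $_.Type -eq 'A' }     | Select-Object -First 1
if (-not $aRecord) { throw "No A record for $hostName" }
if ($cname) {
    Write-Warning ('{0} is an alias for {1}; .NET clients will request HTTP/{1}, not HTTP/{0}' -f $hostName, $aRecord.Name)
}
$spn = 'HTTP/' + $aRecord.Name

# 3. The same SPN on two accounts breaks Kerberos for both (the KDC cannot
#    choose a key), so find out who already holds it before registering.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
foreach ($h in $holders) {
    if ($h.sAMAccountName -ne $ServiceAccount) {
        throw "$spn is already registered on $($h.DistinguishedName); remove it there first"
    }
}

# 4. Register on the account the service process runs as. setspn -S refuses
#    duplicates forest-wide. HOST/<name> on the computer account only covers
#    a service running as LocalSystem or NetworkService, never a custom
#    domain account, because the ticket is encrypted with the holder's key.
if (-not $holders) {
    setspn -S $spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }
}

# 5. Show what the account now carries; the HTTP entry must be listed.
setspn -L $ServiceAccount
```

If non-.NET clients (browsers, for instance) address the service by its short name, register HTTP/shortname on the same account as well; having both forms on one account is fine, having either form on two accounts is not.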
Ralf Steinstraesser - 13 Mar 2008 21:53 GMT
Thanks for your answer, Joe!

Still I am wondering what other plumbing I have to do to delegate the user
credentials to the next hop. Let's say the client was able to authenticate
with the web service over the first hop using Kerberos. What is required by
the web service to further delegate the user credentials to the next
server? I posted another thread, which deals with impersonation and
connection string settings for the 2nd hop for connecting to a database,
here:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.webservices&mid=dd20c528-bd12-4da2-87fd-d77ca30cecb6&sloc=en-us


Thanks for any input on that.

I looked at your book, which is also online, and am thinking about getting a
printed copy. I must admit that the advanced security issues are fairly new
to me. But I guess that's one of the BIG topics I will have to deal
with, facing more and more enterprise-wide application usage.
Signature

Dipl.-Ing. Ralf Steinstraesser
Software Architekt
Bissantz & Company GmbH

Joe Kaplan - 13 Mar 2008 22:32 GMT
Basically, the service process running the web service also needs
permissions to delegate and you need Kerberos auth to the next service as
well (SQL in this case).  Make sure the proper SQL SPNs are registered on
the correct service account in AD.  SQL SPNs can be tricky as they usually
require the port component.

You do need to impersonate the authenticated user when making the call to
SQL.  I'm not totally sure what the connection string needs to look like for
the SQL connection but I think you have it.

As long as all the service process identities in the chain have permission
to delegate and you have a full kerb auth chain, you should be able to
continue delegating across many hops if you want.  It definitely isn't
limited to just two.

Joe K.

Signature

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
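The second-hop plumbing Joe outlines (a SQL SPN that includes the port, registered on the SQL service account; delegation permission on the web service identity; a verified Kerberos chain) as an added PowerShell example, not code from the thread. It assumes a SQL Server default instance on sql01.corp.example listening on TCP 1433 and running as CORP\svc-sql, and the web service from the first hop running as CORP\svc-reports with HTTP/reports.corp.example already registered; all of those names are invented for the example. It uses constrained delegation (msDS-AllowedToDelegateTo, available from the Windows Server 2003 domain functional level) rather than the unconstrained "trusted for delegation" flag, so the web server can only forward user identities to SQL and nowhere else.

```powershell
# Added example, not code from the thread. Assumed names: SQL on
# sql01.corp.example:1433 as CORP\svc-sql, web service as CORP\svc-reports.
$SqlHost    = 'sql01.corp.example'
$SqlPort    = 1433
$SqlAccount = 'svc-sql'
$WebAccount = 'svc-reports'
$WebSpn     = 'HTTP/reports.corp.example'

# 1. SQL Server SPNs carry the port (named instances use the instance name
#    instead). With Integrated Security=SSPI, SqlClient requests
#    MSSQLSvc/<fqdn>:<port>, so the connection string must use the same host
#    name, not an IP address.
$sqlSpn = 'MSSQLSvc/{0}:{1}' -f $SqlHost, $SqlPort
setspn -S $sqlSpn $SqlAccount
if ($LASTEXITCODE -ne 0) { throw "Could not register $sqlSpn (duplicate or insufficient rights)" }

# 2. Let the web service identity delegate, but only to that SQL SPN.
#    Set-ADUser -TrustedForDelegation $true would be unconstrained: the web
#    server could then impersonate any caller against any service.
Set-ADUser -Identity $WebAccount -Add @{ 'msDS-AllowedToDelegateTo' = $sqlSpn }

# 3. Privileged users must not be delegatable at all; otherwise a compromised
#    web server can ride their forwarded tickets to SQL.
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Set-ADUser -Identity $_.distinguishedName -AccountNotDelegated $true }

# 4. Verify the chain: each hop's SPN must resolve to exactly one account, and
#    each delegating account must be allowed to reach the next hop's SPN.
#    Adding a third hop is one more entry in $chain.
$chain = @(
    @{ Spn = $WebSpn; Account = $WebAccount; DelegatesTo = $sqlSpn },
    @{ Spn = $sqlSpn; Account = $SqlAccount; DelegatesTo = $null }
)
foreach ($hop in $chain) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$($hop.Spn))" -Properties sAMAccountName)
    if ($holders.Count -ne 1 -or $holders[0].sAMAccountName -ne $hop.Account) {
        throw "$($hop.Spn) is held by '$($holders.sAMAccountName -join ',')' rather than $($hop.Account) alone"
    }
    if ($hop.DelegatesTo) {
        $acct = Get-ADUser -Identity $hop.Account -Properties msDS-AllowedToDelegateTo, TrustedForDelegation
        $allowed = $acct.TrustedForDelegation -or ($acct.'msDS-AllowedToDelegateTo' -contains $hop.DelegatesTo)
        if (-not $allowed) { throw "$($hop.Account) is not allowed to delegate to $($hop.DelegatesTo)" }
    }
}
'Kerberos delegation chain looks consistent'
```

On the code side of the web service, the call to SQL has to be made while impersonating the authenticated caller (ASP.NET impersonation or an explicit WindowsIdentity.Impersonate) and the connection string has to use Integrated Security=SSPI; if the first hop fell back to NTLM, there is no forwardable ticket and the second hop will reach SQL as the anonymous or the process identity instead.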

©2008 Advenet LLC   Privacy Policy - Terms of Use