Hi,

At this moment I'm involved in a softwaredevelopment project and we are
experiencing a difficult problems. I really hope that anyone can help
us to solve it, since we are working on a deadline and this keeps us
from releasing our product, which is crucial for our organization.

I'll explain our situation:

Our solution exists of three parts:
1. We have a Windows Forms application, which is the client.
2. There is our Processing Webservice, which uses WebService
Enhancements 2 SP3 (WSE) and SSL.
3. Finally we have our Authentication webservice, which is a completely
different website, running on the same webserver, this also uses SSL
but no WebService Enhancements.

HOW IT SHOULD WORK:
This client app (1) has to exchange information with the Processing
webservice (2). The client will send an X509 client certificate to the
webservice to authenticate itself. The request passes through a WSE
Token Manager class, which retrieves the client certificate from the
request. The token manager will then initiate a connection to the
authentication webservice (3) and passes the X509 client certificate to
that webservice.

The authentication webservice does not use a token manager but just
gets the client certificate from the connection and returns the list of
roles for the user owning this certificate. The Processing webservice
(2) uses the set of roles to create a principle for the client app.
When that's done properly, the actual webmethod will be invoked on the
Processing webservice.

DESCRIPTION OF OUR PROBLEM:
The communication between the Processing webservice and the
authentication webservice does not work properly. The authentication
webservice can be called directly from Internet Explorer but if we call
it from our WSE Token Manager, it we get a timeout or a 403 Access
Denied message. Since this is a crucial part of the solution, we need a
real solution as fast as possible!

OUR CONFIGURATION:
All software is currently installed on a Windows XP computer, in
production this will all be hosted on a Windows 2003 server. We are
using IIS5, .NET Framework v1.1 and WSE is installed. Each webservice
is installed as a new Application within IIS, they all use Forms
authentication and they all have Directory Security set to Anonymous
and Windows Integrated Security is disabled for them. Each webservice
had Require Certificates checked.  All Web applications are working
under the standard anonymous user account IUSR...  with no special
permissions.
A valid SSL Certificate is installed and SSL works fine with a browser,
which asks the user to select a certificate and then properly shows the
list of webmethods.
On disk, the IUSR account was granted Full Control permission on the
files of both sites.

OUR ANALYSIS UPTO NOW:
The client calls the Processing webservice and we think it will be
authenticated as IUSR since the Processing webservice runs under the
IUSR account. So if the token manager calls out to the authentication
webservice, it should do so under that identity. The token manager can
properly extract a client certificate object from the SOAP context (of
the request if we pass it in the ClientCertificates collection).

The webservice calls the authentication webservice using an url that
starts with https and it adds the retrieved client certificate to the
webservice proxy, before making the call. When the authentication
webservice is called, the webmethod is never reached (we see no logging
messages).

What really happens when the client calls the Processing webservice, is
that we see a "Audit Failed" message in the Event Log, telling us that
IUSR account cannot login since it does have permission for login type
3. It indicates that this message comes from the iis proces. Type 3
seems to be the right to "Log on Locally" for as far as I can find. Can
anyone tell me what this exactly means?

It looks like the IUSR account can not make a proper call to another
webservice since if we have the Processing webservice run under a local
administrators account, it can make that call. In that case, the
Authentication webservice will be called and no Audit Failure is
reported. This also happens when using Impersonation (which is as
expected since the active user is local admin). It looks like some
impersonation as IUSR happens under the hood.

Although we can call the authentication webservice (when impersonated),
it does not work yet since it seems that IIS rejects the webmethod call
with a 403 error or a timeout. We expect that IIS does that because we
still see no logging.

SUMMARY:
In short, we determine two problems:
- calling the Processing webservice fails if it runs under the IUSR
account
- If we use another account, the token manager still fails to call the
authentication webservice.

I really hope that anyone will take the time to think with me what I'm
missing since at this point, I have no clue on how to solve this.

Thanks very much in advance for any suggestions!

Sincerely,

Jeroen Bijleveld
The Netherlands