
.NET Forum / ASP.NET / Web Services / December 2005


UserName and Kerberos tokens at the same time

Henrik Skak Pedersen - 24 Nov 2005 15:52 GMT
Hi,

I would like to authorize the user using a Kerberos, a UserName or a custom
token depending on what I receive from the user.

Is that possible?

Thanks

Henrik
Henrik Skak Pedersen - 24 Nov 2005 16:29 GMT
Extra comment:

It should also be a policy.

> Hi,
>
[quoted text clipped - 6 lines]
>
> Henrik
Steven Cheng[MSFT] - 25 Nov 2005 06:37 GMT
Hi Henrik,

As for attaching different kinds of security tokens in the client request and
letting the server-side policy access and perform authentication on all of them
(or some of them...), that's certainly possible. However, currently the built-in
WSE 3.0 PolicyAssertions (UsernameOverTransport, KerberosSecurity...)
only target a single type of security token. So if you need to have your
service utilize a policy which will authenticate multiple client security
tokens (of different types), we should create our own PolicyAssertion
classes. For creating a WSE 3.0 custom Policy Assertion, you can refer to
the

"Custom Policy Assertions"

section in the WSE 3.0 documentation. The QuickStart samples also include a
Custom Policy example. Also, the important thing is that we need to define
the proper InputFilters and OutputFilters for our custom PolicyAssertion.
And for a security Policy Assertion, we should make our inputFilter and
outputFilter derive from the "ReceiveSecurityFilter" and "SendSecurityFilter"
classes.

After we define the custom PolicyAssertion, we can use it programmatically
in code or define in Policy file statically.

Hope this helps. Thanks,

Steven Cheng
Microsoft Online Support

Signature

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


Henrik Skak Pedersen - 28 Nov 2005 20:10 GMT
Hi Steven,

Again thank you very much for your reply. I tried to implement the
PolicyChoiceAssertion from the example but now I get an exception when I run
with the KerberosAssertion. The code throws the exception when I call
HelloWorld in the example below. The PolicyChoiceAssertion is the same as
the one from the example.

Exception:
{"WSE2005: Protection requirements in KerberosAssertion are not satisfied."}

It works fine when I run with the UserNameAssertion. My policy looks like
this:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameOverTransportSecurity"
      type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="kerberosSecurity"
      type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
      type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="policyChoice"
      type="MindKey.License.Assertion.PolicyChoiceAssertion, Service Assertion Library"/>
  </extensions>
  <policy name="ServicePolicy">
    <policyChoice>
      <usernameOverTransportSecurity />
      <kerberosSecurity establishSecurityContext="false"
        renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
        messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
        ttlInSeconds="300">
        <protection>
          <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
        </protection>
      </kerberosSecurity>
    </policyChoice>
    <requireActionHeader />
  </policy>
</policies>

and the code calling using the KerberosAssertion looks like this:

    TestWS testWS = new TestWS();

    // Build the Kerberos assertion in code; the target principal is the
    // host SPN of the machine this client runs on.
    KerberosAssertion assertion = new KerberosAssertion();
    assertion.KerberosTokenProvider = new KerberosTokenProvider(
        "host/" + System.Net.Dns.GetHostName(), ImpersonationLevel.Identification);

    // Attach the assertion to the proxy as its policy, then call the service.
    Policy policy = new Policy();
    policy.Assertions.Add(assertion);
    testWS.SetPolicy(policy);

    MessageBox.Show(testWS.HelloWorld());

I hope you can help me!

Thanks Henrik.

> Hi Henrik,
>
[quoted text clipped - 68 lines]
>>
>> Henrik
Steven Cheng[MSFT] - 29 Nov 2005 11:43 GMT
Hi Henrik,

From the error message, the request message's security header doesn't meet the
server policy assertion's requirement. Also, this occurs when you are using the
Kerberos token at the client side, but works well when you are using
UsernameToken, yes? Have you tried using only the Kerberos token from the
client side (without using choiceAssertion) to see whether you can get the
Kerberos token to work correctly?

Thanks,

Steven Cheng
Microsoft Online Support

Henrik Skak Pedersen - 29 Nov 2005 19:57 GMT
Hi Steven,

Thank you for your reply.

Yes, it works well with the UsernameToken.

I get the same exception without the choiceAssertion. I have changed the
policy to this:
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="kerberosSecurity"
      type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
      type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="ServicePolicy">
    <kerberosSecurity establishSecurityContext="false"
      renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
      messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
      ttlInSeconds="300">
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>

Do I need some signing or encryption? I guess that I don't need it because I
am running over SSL, but maybe the KerberosAssertion requires it?

Regards

Henrik.

> Hi Henrik,
>
[quoted text clipped - 203 lines]
>>>
>>> Henrik
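
As an added illustration (not code from the thread or from WSE), this Python sketch reads the policyChoice version of ServicePolicy posted earlier in the thread, lists the message-level protection each assertion declares, and compares it with what a given message carries. The policy text is trimmed from the post; the function names are made up for this example, and the comparison models only what the policy file declares, not WSE's own validation.

```python
import xml.etree.ElementTree as ET

WSE_NS = "{http://schemas.microsoft.com/wse/2005/06/policy}"  # namespace of the posted policy

# Constructed input: the posted ServicePolicy, trimmed to the attributes used below.
POLICY_XML = """
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <policy name="ServicePolicy">
    <policyChoice>
      <usernameOverTransportSecurity />
      <kerberosSecurity messageProtectionOrder="SignBeforeEncrypt">
        <protection>
          <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                   encryptBody="true" />
          <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                    encryptBody="true" />
          <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                 encryptBody="false" />
        </protection>
      </kerberosSecurity>
    </policyChoice>
    <requireActionHeader />
  </policy>
</policies>
"""


def declared_protection(policy_xml, policy_name):
    """Return {assertion: {direction: {"signed": set, "encrypt_body": bool}}}
    for every assertion in the named policy that has a <protection> child."""
    root = ET.fromstring(policy_xml)
    found = {}
    for policy in root.iter(WSE_NS + "policy"):
        if policy.get("name") != policy_name:
            continue
        for assertion in policy.iter():
            protection = assertion.find(WSE_NS + "protection")
            if protection is None:
                continue  # e.g. usernameOverTransportSecurity: nothing declared per message
            per_direction = {}
            for direction in protection:
                options = direction.get("signatureOptions", "")
                per_direction[direction.tag.rsplit("}", 1)[-1]] = {
                    "signed": {o.strip() for o in options.split(",") if o.strip()},
                    # A missing encryptBody is treated as "not required" (assumption of this sketch).
                    "encrypt_body": direction.get("encryptBody", "false").lower() == "true",
                }
            found[assertion.tag.rsplit("}", 1)[-1]] = per_direction
    return found


def unmet(requirements, direction, signed_parts, body_encrypted):
    """List the declared requirements that a message with the given properties lacks."""
    need = requirements[direction]
    missing = sorted(need["signed"] - set(signed_parts))
    if need["encrypt_body"] and not body_encrypted:
        missing.append("encryptBody")
    return missing


if __name__ == "__main__":
    reqs = declared_protection(POLICY_XML, "ServicePolicy")
    # A request that relies on SSL alone carries no message-level signature or encryption.
    print(unmet(reqs["kerberosSecurity"], "request", signed_parts=[], body_encrypted=False))
```
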
Steven Cheng[MSFT] - 01 Dec 2005 13:27 GMT
Thanks for your followup Henrik,

Then, it seems that the Kerberos token is not quite attached correctly at
the client side... Have you ensured that the environment is qualified for using
Kerberos authentication? Are you in a domain environment with a
KDC (or DC...)?

Regards,

Steven Cheng
Microsoft Online Support

Henrik Skak Pedersen - 01 Dec 2005 20:22 GMT
Hi again Steven,

Again, thank you very much for looking into this problem for me.

I just tried to run my test project on a colleague's machine and he gets the
same error. I guess that there is nothing special in our environment, we
have a normal DC. I used to run kerberos authentication in wse for .NET 1.1
and there it worked fine.

I have tried to run the two Quickstart examples:
WSSecurityKerberosPolicyService and WSSecurityKerberosCodeService and there
I get the following exception (inner exception of a soap exception)

"Security requirements are not satisfied because the security header is not
present in the incoming message.".

But when I run my test project which is using a custom policy I get the
following exception:

WSE2005: Protection requirements in KerberosAssertion are not satisfied

I guess that it basically is the same problem I am having with the two
solutions.

I can see that the Kerberos is being generated and assigned to the proxy.

I am BTW running the web service on the built-in ASP.NET Development
Server, if that has anything to do with the problem? Has it something to do
with impersonation?

Any ideas??

Thanks Henrik.

> Thanks for your followup Henrik,
>
[quoted text clipped - 311 lines]
>>>>
>>>> Henrik
Henrik Skak Pedersen - 02 Dec 2005 12:25 GMT
Extra info:

If I run the example Kerberos solution I get a detailed error message:

Microsoft.Web.Services3.Security.SecurityFault: An invalid security token
was provided ---> System.Security.SecurityException: WSE594:
AcceptSecurityContext call failed with the following error message: Logon
failure: unknown user name or bad password. . at
Microsoft.Web.Services3.Security.Tokens.Kerberos.KerberosServerContext.AcceptContext(Byte[]
inToken) at

Does that help you in any way?

> Hi again Steven,
>
[quoted text clipped - 352 lines]
>>>>>
>>>>> Henrik
Steven Cheng[MSFT] - 02 Dec 2005 13:11 GMT
Thanks for your response and further info.

I think the problem is likely due to the ASP.NET environment. Is your
client application (which calls the webservice) also an ASP.NET
application? The Kerberos security token will try to establish the security
token through the current execution context's security credential, which must
be a domain user account that can be authenticated by the KDC (normally just
the DC). So for ASP.NET the process identity is probably not a proper account.
I would suggest you try the code in a winform client or console
application, since in a console or winform app the current
security context is the logon user session (which is likely a domain user
...) ...

Also, you can check the following notes in the WSE documentation (if your
webservice is on a machine other than win 2003 server):
====================
Kerberos tokens work on computers with Windows Server 2003 or Windows XP
with Service Pack 1 installed. When Windows XP is used, the account ASP.NET
runs under is ASPNET by default and must be granted the Act as part of the
operating system privilege. By default, the ASPNET account does not have
this privilege. It is suggested that you run your Kerberos-secured Web
services on Windows Server 2003. On Windows Server 2003, the Act as part of
the operating system privilege is not required. On Windows XP you can
configure the ASPNET account to have the Act as part of the operating
system privilege using the Local Security Policy management application,
but you should be aware that this affects all ASP.NET applications and
results in less security for ASP.NET applications. Windows 2000 is not a
supported operating system for this feature.

===================

Thanks,

Steven Cheng
Microsoft Online Support

Henrik Skak Pedersen - 02 Dec 2005 15:05 GMT
Hi Steven,

Thanks again.

I think that you are right because I would expect the standard examples to
work. I have tried it on a Windows 2003 server as well and there I get the
same error.

My client is a Windows application and I can see that the kerberos token is
ok, so it is something on the server side. Maybe the IIS is validating
against a wrong source or something like that.

Do I have to do something special on the server side (IIS, Win3K) ?

Thanks Henrik.

> Thanks for your respone and further info.
>
[quoted text clipped - 446 lines]
>>>>>>
>>>>>> Henrik
Steven Cheng[MSFT] - 05 Dec 2005 12:30 GMT
Thanks for your response Henrik,

What strikes me as a bit strange is that the WSE 3.0 Kerberos demo also
does not work on your side? The built-in example program will pass the
client-side current logon user's security credential (as a Kerberos token) to
the server side... Are you logged on to the computer as a domain user when
running the client application?

Thanks,

Steven Cheng
Microsoft Online Support

Henrik Skak Pedersen - 06 Dec 2005 20:36 GMT
Yes the demo application is not working at my side as well and I am logged
in as a domain user. I have no problems accessing other network resources.
Actually another strange thing is that the usernametoken example is working
with no problems, I can verify against AD on the server side.

Thanks Henrik

> Thanks for your response Henrik,
>
[quoted text clipped - 519 lines]
>>>>>>>
>>>>>>> Henrik
Steven Cheng[MSFT] - 08 Dec 2005 06:38 GMT
Hi Henrik,

So far I can't find any other effective means to troubleshoot the problem.
Would you try the sample Kerberos application on another machine (server
and client on the same machine) and in a proper domain environment and test
again? Anyway, I think we need to make the example work first ...

Thanks,

Steven Cheng
Microsoft Online Support

CESAR DE LA TORRE [MVP] - 21 Dec 2005 17:58 GMT
The only way I found to make WSSecurityKerberosPolicyService and
WSSecurityKerberosCodeService samples work is changing IIS worker process
identity to run as SYSTEM account. You need to change it at machine.config
like the following:
<processModel enable="true" userName="SYSTEM" password="AutoGenerate"/>
That way, it works properly.

It should also work with any other account like ASPNET and granting "Act as
part of Operating System" privilege to that account, but I cannot make it
work unless using SYSTEM account... :-(
Signature

CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]  

> Hi Nenrik,
>
[quoted text clipped - 288 lines]
> >>>>
> >>>> Thank you for your reply.
jubin200 - 30 Nov 2005 07:14 GMT
Hi Henrik,

I am trying to achieve the same thing.
Can you please share your solution files with me. I can try to continue
and let you know if I can solve the Kerberos issue. My email id is
jubin200@yahoo.com ( jubin200 at yahoo.com)

Thanks
Jubin

--
jubin200
Henrik Skak Pedersen - 01 Dec 2005 20:24 GMT
Hi Jubin,

I am actually just using a deviation of the CustomSecurityPolicyClient
example. I guess that it should be working fine, if you don't have the same
kerberos problems as I am having.

Regards
Henrik.

> Hi Henrik,
>
[quoted text clipped - 5 lines]
> Thanks
> Jubin
