.NET Forum / ASP.NET / Web Services / January 2006

WSE 3.0 Kerberos Auth and issue with Windows XP ASPNET Account

CESAR DE LA TORRE [MVP] - 21 Dec 2005 17:39 GMT
I am using WSE 3.0 with Visual Studio 2005, specifically I'm using Kerberos
authentication and passing Kerberos ticket from Presentation Tier (VSTO.2005
client) to Server Tier through our Web Services (based on WSE 3.0).

Having our WSE 3.0-WebService over Windows Server 2003, everything works
great, but, over Windows XP, I have a problem (which is documented in WSE
3.0 help) but its workaround does not work properly (at least with my
current testing).

The problem is that the ASP.NET default user in Windows XP (the ASPNET user
account) does not have enough privileges for running Kerberos authentication
over WSE 3.0 Web Services, so, by default, using the ASPNET account, it does
not work (we get a WSE910 exception).

There is an MSFT sample where you can test it (WSSecurityKerberos), provided
with the WSE 3.0 Setup.

Also, WSE samples Help documentation says the same, and gives a workaround:
=====================================================================================================================================================================
Running the Kerberos Sample - WSSecurityKerberos
On Microsoft® Windows® XP and Microsoft® Windows® 2000 Server, the Kerberos
Security sample (WSSecurityKerberos) requires additional higher privilege
settings for the ASPNET account. There are several ways to enable this. One
is to give ASPNET account "Act as part of Operating System" privilege using
Local Security Setting, and then reboot the system. Another alternative is
to modify machine.config by setting the username attribute equal to "system"
in the ProcessModel element, and then reset IIS.

NOTE: By default the policy version of the WSSecurityKerberos does not work
and throws an exception. This is because the machine name where the service
is running needs to be updated in the wse3policyCache.config in the
WSSecurityKerberosPolicyClient project to the machine where the service is
installed.
=====================================================================================================================================================================

Using the SYSTEM account as the aspnet_wp.exe WinXP-IIS pool process identity
(changing machine.config) with WSE 3.0-Kerberos over Windows XP does work
properly, BUT the problem we have is that we DO NEED to run our XML Web
Service with any account (like ASPNET) except the SYSTEM account (because
we'll also need to use AzMan / Authorization Manager and it does not work
with the SYSTEM account over Windows XP, but this shouldn't be part of this
question). The behaviour I am describing can be reproduced just with the
WSSecurityKerberos sample, without using AzMan within the same project.

So, taking a simple look, our solution would be changing ASPNET privileges,
enabling it to "Act as part of Operating System", using its Local Policy
"Act as part of Operating System".

BUT, we have done it and rebooted the machine, and it does not work at all
(we get the same exception). I have tested it on several Windows XP-SP2
machines with no luck. So, do we need to do anything else to make it work
with the ASPNET account? (We already gave the ASPNET account the "Act as part
of Operating System" privilege using Local Security Settings).

Down below you can read my different environments:

Development Environment:
- Windows XP - SP2 (English US)
- Visual Studio 2005 Team Developer Edition (English US)
- WSE 3.0 (English US)
- IIS as Web server (it seems WSE does not work with Cassini, the VS.2005
  Web Server)

Future Production Environment
On the other hand, as I said, WSE 3.0-Kerberos works properly with Windows
Server 2003-SP1 and IIS 6.0 Pool process (w3wp.exe) default identity
(NETWORK SERVICE).

So, to sum up:
Do I need to do anything else to make WSE 3.0 work with ASPNET account over
Windows XP - SP2? (I already gave ASPNET account "Act as part of Operating
System" privilege using Local Security Setting and re-booted my machines).

Thanks in advance,

César de la Torre
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]
Software Architect

Renacimiento
Microsoft GOLD Certified Partner
Pablo Cibraro - 21 Dec 2005 17:55 GMT
Hi Cesar,
You can find good documentation regarding this topic in the following link:
CESAR DE LA TORRE [MVP] - 21 Dec 2005 19:45 GMT
I've tried the steps that the article describes, and it does not work either...
1.- Using a Domain Account
2.- Grant "Log on as a service" and "Impersonate a client after
authentication" to that domain account
3.- Full Control to
"C:\%WINDOWS%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files"
4.- Create an arbitrary SPN for the domain account, with setspn.exe, at my DC.
5.- Re-boot of my WebService machine

BTW, it does not say anything about how we can use the ASPNET account, as the
WSE 3.0 readme file says (granting just "Act as part of Operating System" to
the ASPNET account).
Except for using the SYSTEM account, all the other possibilities seem very
obscure and contradictory throughout the MSFT documentation, even in the
newsgroups, etc...
But my problem is that, in my case, I cannot use the SYSTEM account...
Down below you can read those steps, taken from the article you mentioned:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch7_KerbTechSupp.asp

Using a Domain Account with IIS 5.x (Windows 2000 and Windows XP)
Instead of using the default account that is defined in the <ProcessModel/>
element of the Machine.config file, a service can use a domain user account
as the process identity. The domain account needs additional privileges and,
if it is used for message layer security, an arbitrary SPN should be created.

To configure a domain account for the Kerberos protocol on a computer
running IIS 5.x:

1. Create a new user account in the domain (KDC realm) and add that account
   to the user group. This account does not need additional privileges on
   the domain computer. This means that you are using an account with the
   fewest privileges.
2. On the computer running IIS 5.x, the new domain account requires the
   following rights, which can be assigned with the Local Security Settings
   configuration tool:
   - Log on as a service
   - Impersonate a client after authentication
3. Assign Full Control permissions to the new domain account for the
   following folder on the IIS 5.x host:
   C:\%WINDOWS%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files
4. Update the <ProcessModel/> element in the Machine.config file on the
   computer that is running IIS 5.x. Both the user name and password need
   to be updated to values associated with the new domain account. Restart
   IIS.
   Note: The following step is required when you are using message layer
   security with the Kerberos protocol. When you use standard Windows
   authentication, it is not necessary to create an SPN for the account
   unless the account will be used for Delegation.
5. Use the setspn.exe tool to create an arbitrary SPN for the domain
   account. This action is performed on the Active Directory domain
   controller, not on the computer that is running IIS 5.x. To perform this
   action, you must be an administrator or have SetPrincipalName permissions
   on the domain controller. The following example creates an arbitrary SPN
   named AcmeService/GlobalBank that maps to a Windows account named
   WS_Account:
   setspn -a AcmeService/GlobalBank WS_Account

When you create a domain account that will be used for delegation with
Windows Integrated Security, it should map to the HTTP host-based SPN. If you
use message layer security with WSE 3.0, use an arbitrary SPN as previously
described. Finally, the process model used by IIS 6.0 in Windows Server 2003
is very different from IIS 5.x. As a result, the steps previously described
will not work in Windows Server 2003.

Any other idea would be greatly appreciated. Thanks in advance.

CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]  

CESAR DE LA TORRE [MVP] - 12 Jan 2006 09:22 GMT
Finally (before the Xmas holidays) I made it work with a Domain Account with
a Custom Principal Name using the SetSPN.exe utility. I reported this issue
(WSE 3.0 + XP-SP2 does not work with the ASPNET account) to Microsoft-PSS in
December 2005 and currently they have not reached any solution for it (how
to make it work with the ASPNET account). Maybe the WSE 3.0 documentation is
wrong. Currently, they have passed this issue to the WSE 3.0 product group.

BTW, with Windows Server 2003 everything works great by default (using the
Network Service account for the IIS process pool).

So, to sum up, yes, currently, over Windows XP-SP2, WSE 3.0-Kerberos does
not work with the ASPNET account. The only way is using a Domain account with
a custom principal name (using the Setspn.exe utility on a DC).


CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]  

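The three worker-process identities the thread compares, written out as machine.config <processModel> settings. This is an added example, not configuration from the thread, the MSDN article or the WSE samples; the domain name EXAMPLE, the password placeholder and the SPN/account pair (taken from the MSDN text quoted above) are assumptions.

```xml
<!-- Added example: processModel identities for aspnet_wp.exe (IIS 5.x on
     Windows XP). machine.config allows only ONE processModel element, so
     the alternatives are shown commented out for comparison. -->
<configuration>
  <system.web>

    <!-- (1) XP default: the local, low-privilege ASPNET account.
         Per the thread, WSE 3.0 Kerberos fails with WSE910 under this
         identity even after granting "Act as part of Operating System". -->
    <!-- <processModel userName="machine" password="AutoGenerate" /> -->

    <!-- (2) The WSE readme workaround: run the worker process as LocalSystem.
         It works, but every ASP.NET application on the host then runs with
         the highest local privilege; one bug in any of them is a full host
         compromise, and (as the thread notes) AzMan does not work under it.
         Suitable only for a throwaway test box. -->
    <!-- <processModel userName="SYSTEM" password="AutoGenerate" /> -->

    <!-- (3) Least-privilege choice the thread confirms working: a dedicated
         domain account (EXAMPLE\WS_Account is a placeholder).
         Prerequisites from the MSDN steps quoted above:
           * "Log on as a service" and "Impersonate a client after
             authentication" on the IIS host (Local Security Settings)
           * Full Control on ...\Framework\<version>\Temporary ASP.NET Files
           * an arbitrary SPN registered on the domain controller:
               setspn -a AcmeService/GlobalBank WS_Account
         The password sits here in clear text, so keep machine.config
         readable only by Administrators and the worker-process account,
         and restart IIS after the change. -->
    <processModel userName="EXAMPLE\WS_Account" password="PLACEHOLDER" />

  </system.web>
</configuration>
```

On the client side the WSE 3.0 policy must then name that SPN (the targetPrincipal of the kerberos token assertion) rather than the machine-name form the sample ships with, which is the mismatch the sample's NOTE about wse3policyCache.config refers to.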