.NET Forum / ASP.NET / Web Services / March 2006

[Probably Dumb Newbie] Question re WSE3 WSSecurityKerberos Sample

Howard Hoffman - 07 Mar 2006 22:37 GMT
I'm having no luck getting the sample to work, but I'm thinking this is just
a simple configuration issue.
I'm working with the 'WSSecurityKerberosCode' version of the sample.

I'm in (I think a fairly typical) Windows network.  My account is in a
domain, and my machine is also in that domain.

I'm running XP SP2.  I've got RTM VS.NET 2005 and RTM WSE3.  I ran the setup
and even the Code/CreateSampleVDir.bat scripts.
I've modified the app config of the client, changing the
WSSecurityKerberosCodeClient_localhost_WSSecurityKerberosService entry
to have the localhost port that WebDev.WebServer.exe is using.  Maybe I
should be using IIS instead?

When I call the service from the client, I get a WSE3
ResponseProcessingException, containing an InvalidOperationException.

I turned on debug tracing on both client and server.

On client, the output trace seems fine (no errors, that is), but the input
trace has an error, with this faultstring
(omitting stack):

           <faultstring>System.Web.Services.Protocols.SoapHeaderException:
Server unavailable, please try later ---&gt; System.ApplicationException:
WSE841: An error occured processing an outgoing fault response. ---&gt;
System.Web.Services.Protocols.SoapHeaderException:
Microsoft.Web.Services3.Security.SecurityFault: An invalid security token
was provided ---&gt; System.Security.SecurityException: WSE594:
AcceptSecurityContext call failed with the following error message: A
specified logon session does not exist. It may already have been terminated.
.

If it matters regarding feedback, the WSE3 documentation on troubleshooting
the samples is woefully inadequate to the point of being unusable.
Regarding resolving my problem, where do I start?

Thanks in advance,

Howard Hoffman
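
An added example, not part of the original post or of the WSE 3.0 sample: a short Python helper that unwraps the nested "--->" exception chain in the faultstring quoted above, so the innermost error is read first. The function names are assumptions, and the input is the posted faultstring re-joined onto one line.

```python
import html
import re

# Constructed input: the faultstring quoted in the post, re-joined onto one
# line exactly as it appears in the trace (entities and spelling untouched).
FAULTSTRING = (
    "System.Web.Services.Protocols.SoapHeaderException: Server unavailable, "
    "please try later ---&gt; System.ApplicationException: WSE841: An error "
    "occured processing an outgoing fault response. ---&gt; "
    "System.Web.Services.Protocols.SoapHeaderException: "
    "Microsoft.Web.Services3.Security.SecurityFault: An invalid security "
    "token was provided ---&gt; System.Security.SecurityException: WSE594: "
    "AcceptSecurityContext call failed with the following error message: A "
    "specified logon session does not exist. It may already have been "
    "terminated."
)

# A dotted .NET type name followed by ": ", and a WSE error code prefix.
EXC_TYPE = re.compile(r"((?:[A-Za-z_]\w*\.)+[A-Za-z_]\w*):\s*")
WSE_CODE = re.compile(r"(WSE\d+):\s*")


def unwrap_fault(faultstring):
    """Split an 'outer ---> inner' exception chain, outermost link first."""
    chain = []
    for part in html.unescape(faultstring).split("--->"):
        text = " ".join(part.split())  # undo the line wrapping of the trace
        types = []
        # One link may carry several type prefixes, e.g.
        # "SoapHeaderException: ...SecurityFault: An invalid security token".
        while (m := EXC_TYPE.match(text)):
            types.append(m.group(1))
            text = text[m.end():]
        m = WSE_CODE.match(text)
        code = m.group(1) if m else None
        chain.append({"types": types, "code": code,
                      "message": text[m.end():] if m else text})
    return chain


def root_cause(faultstring):
    """The innermost link is the error that started the chain."""
    return unwrap_fault(faultstring)[-1]


if __name__ == "__main__":
    for depth, link in enumerate(unwrap_fault(FAULTSTRING)):
        print("  " * depth, link["types"][-1:], link["code"], link["message"])
```

Read from the last link, the chain starts at the WSE594 AcceptSecurityContext failure; the WSE841 and outer SoapHeaderException links were added while the fault was being returned to the client.
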
Howard Hoffman - 07 Mar 2006 22:49 GMT
More info?  When I turned debug tracing on the server (I misspoke below and
had not turned it on in the server), I see this at the end of the
<inputMessage> element (inside the element):

   <processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.RequireSoapHeaderAssertion+RequireSoapHeaderFilter"
/>
   <processingStep description="Exited SOAP filter
Microsoft.Web.Services3.Design.RequireSoapHeaderAssertion+RequireSoapHeaderFilter"
/>
   <processingStep description="Entering SOAP filter
Microsoft.Web.Services3.Design.KerberosAssertion+ServiceInputFilter" />
   <processingStep description="Exception thrown: An invalid security token
was provided">   at
Microsoft.Web.Services3.Security.Security.LoadToken(XmlElement element,
SecurityConfiguration configuration, Int32&amp; tokenCount)
  at Microsoft.Web.Services3.Security.Security.LoadXml(XmlElement element)
  at Microsoft.Web.Services3.Security.Security.CreateFrom(SoapEnvelope
envelope, String localActor, String serviceActor)
  at
Microsoft.Web.Services3.Security.ReceiveSecurityFilter.ProcessMessage(SoapEnvelope
envelope)
  at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope
envelope)</processingStep>

Is it referring to the SPN token ("host/"+my-machine-name) or to my client
credential?
Note that I have granted the ASPNET account on the machine the 'Act as part
of Operating System' right.

Thanks,

Howard Hoffman

Steven Cheng[MSFT] - 08 Mar 2006 09:47 GMT
Hi Howard,

As for the Kerberos sample of WSE 3.0, it has more restricted
requirements compared to other security assertions. Kerberos authentication
requires both the client and server side to authenticate against the KDC
(for a Windows domain it's the DC computer) to get their own master ticket,
and the client also needs the ticket to the target machine (the one it wants
to visit). On the server side, the application should run under an account
which can retrieve the SP (service principal)'s credential; this SP is the
one the client side is requesting (wants to visit). And for your scenario,
the client side visits a webservice running on the server protected with
Kerberos authentication, the SP the client is visiting is the server name
(the computer in the domain), so the server application's running process
identity should have the permission to get the machine credential (that
should be Network Service or Local System).  Therefore, first you need
to make your webservice (service application hosted in IIS). And are you
running on an XP or Windows 2003 machine? If on 2003, you can just configure
the webservice's process identity (IIS application pool identity as
Network Service). If using Windows XP, you'll need to grant the ASPNET
account the "act as part of the OS" privilege to make it able to get the
machine credential (just as in the below note in the WSE 3.0 sample document):

===========
On Microsoft® Windows® XP and Microsoft® Windows® 2000 Server, the Kerberos
Security sample (WSSecurityKerberos) requires additional higher privilege
settings for the ASPNET account. There are several ways to enable this. One
is to give ASPNET account "Act as part of Operating System" privilege using
Local Security Setting, and then reboot the system. Another alternative is
to modify machine.config by setting the username attribute equal to
"system" in the ProcessModel element, and then reset IIS.

By default the policy version of the WSSecurityKerberos does not work and
throws an exception. This is because the machine name where the service is
running needs to be updated in the wse3policyCache.config in the
WSSecurityKerberosPolicyClient project to the machine where the service is
installed.
===========================

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Howard Hoffman - 08 Mar 2006 14:31 GMT
Steven -

I can work with my Network Admins to find out the specifics of our Active
Directory / KDC configuration.

In the meantime, I can state:

XP SP2+ all patches automatically downloaded by "Automatic Updates"
Client and Service are *on same machine*
Client and Service are in same SLN (after all, it's the
WSSecurityKerberosCode sample that comes with WSE3 -- I'm using that very
SLN -- the one authored by Microsoft).
Machine is in a Domain.
ASPNET account has been granted Act as Part of the Operating System right
via Local Security.

Note, again, that I am not using the WSSecurityKerberosPolicyClient sample.
I am using the
WSSecurityKerberosCode sample.

By default, VS.NET 2005 runs the WebService in the WebDev.WebServer.EXE
application, not IIS.
By default, VS.NET 2005 runs the WebService client application in the
WSSecurityKerberosCodeClient.vhost.exe, not
WSSecurityKerberosCodeClient.exe.

Do those items get in the way of making the sample work?

What should I check with my Network Admins regarding the KDC setup, if
anything?

Thanks,

Howard Hoffman

Howard Hoffman - 08 Mar 2006 22:38 GMT
Changed VS.NET Solution (SLN) to use IIS instead of WebDev.WebServer.EXE.
Did not cure the problem.

Still blocked.

Howard

Steven Cheng[MSFT] - 10 Mar 2006 10:30 GMT
It seems something is still incorrect with the setting. Have you tried
putting the webservice server program on a Windows 2k3 box for testing?
Also, if possible, you can try testing on some other XP box to isolate the
environment factor.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
