.NET Forum / ASP.NET / Web Services / March 2005

Kerberos2 through a firewall

Julian Jelfs - 24 Mar 2005 17:47 GMT
Hi,

I'm having a problem with the following architecture:

Web services hosted on server A which is a windows 2000 machine.
Sharepoint web app on server B which is a windows 2003 machine.

Server B calls the web services on server A. The sharepoint site is
configured to require integrated windows authentication.

Both server A and server B belong to the same domain controlled by a windows
2000 domain controller (server C).  Server B is trusted for delegation in
active directory on server C.

Now when I browse to my sharepoint site from any machine on my LAN and enter
credentials for a domain account set up on server C everything works fine.
Server B creates the web request, gets a KerberosToken2 and signs the message
and sends the request to server A.

However, when there is a firewall between the browser and server B the
creation of the KerberosToken2 on server B fails with the following message:

A specified logon session does not exist. It may already have been
terminated.

For the purposes of this test I allowed any traffic to pass through the
firewall to server B (or at least I think I did), but it still doesn't work.

My question is should what I am attempting to do be possible? And if so what
steps do I need to take to make it work? Also I need to find out the minimum
firewall settings which will allow this to work in the real world.

Any help would be greatly appreciated as I've come very close to getting a
workable solution now.

Thanks in advance.

Julian Jelfs.
Dominick Baier [DevelopMentor] - 24 Mar 2005 18:19 GMT
Hello Julian,

2 questions

a) why do you have to enter domain credentials for sharepoint if you are
doing integrated auth?
b) the web service request - under which identity do you want to send - server
identity or impersonated client identity?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Julian Jelfs - 29 Mar 2005 09:13 GMT
Dominick,

a) I mean that the user enters their credentials when they first log into
the sharepoint site. Admittedly, whether this was done explicitly or not
would depend on their browser security settings. Either way, when I'm
executing code on the sharepoint server I will be impersonating the actual
user rather than running as ASPNET or whatever.

b)  I think I just need to be able to identify the client user in the web
service. As such I'm creating the kerberostoken2 with the identify
impersonation level rather than impersonate.

I hope this answers your questions and you can help. Thanks for responding...

Julian.

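A diagnostic that belongs at the point Julian describes, added here as an example; it is not code from either poster. Before building the KerberosToken2 on server B, it is worth confirming what kind of logon session the browser actually produced, because a Kerberos ticket for server A can only be requested on behalf of a client whose own logon to server B was Kerberos (an NTLM fallback leaves no TGT on server B to forward). The class and method names below are my own; the snippet assumes ASP.NET running with `<authentication mode="Windows"/>` and `<identity impersonate="true"/>`, and uses only the standard `HttpContext` and `WindowsIdentity` types.

```csharp
// Added diagnostic for the thread above, not code from the original posts.
// Call LogonSessionCheck.Describe(Context) from a page or handler on server B
// (the box that builds the KerberosToken2) and read the result in a trace or log.
// Assumes ASP.NET with Windows authentication and impersonation enabled;
// the class and method names are assumptions made for this example.
using System;
using System.Security.Principal;
using System.Web;

public static class LogonSessionCheck
{
    // Returns a one-line summary of the caller's logon session and whether it
    // is the kind of session from which a Kerberos ticket for server A can be
    // requested on the caller's behalf.
    public static string Describe(HttpContext ctx)
    {
        WindowsIdentity caller = null;
        if (ctx != null && ctx.User != null)
            caller = ctx.User.Identity as WindowsIdentity;

        if (caller == null || !caller.IsAuthenticated)
            return "No authenticated WindowsIdentity on the request; "
                 + "check that anonymous access is disabled in IIS.";

        // With <identity impersonate="true"/> the worker thread should already
        // be running as the browser user rather than as the process account.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        bool impersonating = string.Equals(
            thread.Name, caller.Name, StringComparison.OrdinalIgnoreCase);

        // AuthenticationType is "Kerberos" when the browser presented a service
        // ticket for this server's SPN and "NTLM" when Negotiate fell back.
        // An NTLM logon session carries no TGT, so a KerberosToken2 for server A
        // built on top of it has nothing to forward.
        string auth = caller.AuthenticationType;
        bool kerberos = string.Equals(
            auth, "Kerberos", StringComparison.OrdinalIgnoreCase);

        return String.Format(
            "caller={0} auth={1} impersonating={2} canRequestTicketForServerA={3}",
            caller.Name, auth, impersonating, kerberos && impersonating);
    }
}
```

If the line reads `auth=Kerberos` for LAN clients but `auth=NTLM` for clients behind the firewall, the problem is on the browser-to-KDC path rather than the browser-to-server-B path: the client could not obtain a ticket for server B (KDC unreachable from its network, no matching SPN, or the browser treating the host as an Internet rather than Intranet site), so opening the firewall to server B alone will not change the result. If `impersonating=False`, the token is being built under the process identity and the delegation settings on server B's computer account are irrelevant to the failure.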

©2008 Advenet LLC   Privacy Policy - Terms of Use