.NET Forum / ASP.NET / Web Services / January 2006

Using kerberosSecurity Throws Security Exception

J. Ambrose Little - 24 Jun 2005 14:53 GMT
I've tried to implement the kerberosSecurity turnkey scenario on my apps, and
I'm getting the following exception when I try to set the policy.

Description: The application attempted to perform an operation not allowed
by the security policy. To grant this application the required permission
please contact your system administrator or change the application's trust
level in the configuration file.

Exception Details: System.Security.SecurityException:
InitializeSecurityContext call failed with the following error message: A
specified logon session does not exist. It may already have been terminated.

This is running on XP SP2, and I have granted ASPNET the right to Act as
part of the OS (and subsequently rebooted).  I have integrated authentication
turned on for the web app (the client of my web service).

What I am trying to achieve is flowing the integrated auth security token to
my web service.  My client policy (on my web app) is below.

<policies>
  <extensions>
    <extension name="kerberosSecurity"
               type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="KerberosClientPolicy">
    <kerberosSecurity establishSecurityContext="false"
                      renewExpiredSecurityContext="true"
                      signatureConfirmation="false"
                      protectionOrder="SignBeforeEncrypting"
                      deriveKeys="false"
                      actor="">
      <token>
        <kerberos targetPrincipal="host/DGP1FR51"
                  impersonationLevel="Identification" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
  </policy>
</policies>

The target machine is local and is hosting a simple web service (this is
just a proof of concept app).

What else am I missing, or will the kerberos turnkey assertion not work with
a web app client?

J. Ambrose Little
ASP.NET MVP/ASPInsider
-----
Non nobis Domine non nobis sed nomini Tuo da gloriam.

J. Ambrose Little - 24 Jun 2005 15:40 GMT
On a hunch, I tried turning on identity impersonation for my web app.  This
seems to have gotten me past this hurdle.

To sum up:
Turn off anonymous access in IIS Directory Security and ensure Integrated
authentication is on for the web app.
Set these settings in the web.config:
<authentication mode="Windows" />
<identity impersonate="true" />

Then do the standard WSE 3 setup.

Now on to setting up the web service correctly... :)

J. Ambrose Little
ASP.NET MVP/ASPInsider
-----
Non nobis Domine non nobis sed nomini Tuo da gloriam.

CESAR DE LA TORRE [MVP] - 12 Jan 2006 09:19 GMT
I had the same problem and the only way I made it work is with a Domain
Account with a Custom Principal Name using the SetSPN.exe utility. I reported
this issue (WSE 3.0 + XP-SP2 does not work with the ASPNET account) to
Microsoft-PSS in December 2005 and currently they have not reached any
solution about it (how to make it work with the ASPNET account). Maybe the WSE 3.0
documentation is wrong. Currently, they have passed this issue to the WSE 3.0 product
group.

BTW, with Windows Server 2003 everything works great by default (using the
Network Service account for the IIS process pool).

So, to sum up, yes, currently, on Windows XP-SP2, WSE 3.0-Kerberos does
not work with the ASPNET account. The only way is using a Domain account with a
custom principal name (using the Setspn.exe utility on a DC).
This way you do not need to turn off anonymous access in IIS.

CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]  

josh - 20 Jan 2006 00:18 GMT
I am experiencing this error while trying to use a Windows XP client
application to access a web service located on a W2k3 server.  If I run the
client app on the server, it works fine.  I thought since the service was
running on the server it should work even with an XP client app, but I can't
get it working.  The documentation says to "Configure constrained
delegation", but I don't think I want that.  I'm just trying to use the
Kerberos turnkey assertion in its simplest form.  Thanks!

josh

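An added diagnostic, not code from this thread or from WSE 3.0 itself: a C# pre-flight check a web-app client could run before calling SetPolicy("KerberosClientPolicy") on its proxy. It inspects the WindowsIdentity the request runs under and reports the conditions the posts above circle around (anonymous request, a non-impersonated local ASPNET worker account, an Identification-level or non-Kerberos caller token) in plain language instead of the generic SecurityException. The policy name and host/DGP1FR51 come from the first post; HelloService, its HelloWorld operation and the wording of the messages are assumptions.

```csharp
// Added example (not from the thread): pre-flight check for the WSE 3.0 kerberosSecurity
// client assertion. Explains why "A specified logon session does not exist" is likely
// before the call is made, so the cause is logged rather than guessed at.
using System;
using System.Security.Principal;
using Microsoft.Web.Services3;

public static class KerberosPreflight
{
    // Returns null when the identity looks usable for the kerberosSecurity client
    // assertion, otherwise a diagnostic message for the application log.
    public static string Explain(WindowsIdentity id)
    {
        if (id == null || id.IsAnonymous)
            return "Anonymous request: turn off anonymous access and enable Integrated Windows authentication.";

        if (id.ImpersonationLevel == TokenImpersonationLevel.None)
        {
            // Primary token: <identity impersonate="false" />, so the thread runs as the
            // worker-process account. On XP that is the local ASPNET account, which has no
            // domain logon session from which a ticket for host/DGP1FR51 could be requested.
            if (id.Name.StartsWith(Environment.MachineName + "\\", StringComparison.OrdinalIgnoreCase))
                return "Running as local account " + id.Name +
                       ": impersonate the caller (<identity impersonate=\"true\" />) or run the " +
                       "worker process as a domain account with a registered SPN.";
            // NETWORK SERVICE on a domain-joined host, or a domain account, can request tickets.
            return null;
        }

        // Impersonated caller token (this is the web app's caller, unrelated to the
        // impersonationLevel attribute of the <kerberos> element in the policy file).
        if (id.ImpersonationLevel == TokenImpersonationLevel.Identification)
            return "Caller token is Identification-level only; it cannot be used to obtain a Kerberos ticket.";

        // Integrated auth may have negotiated NTLM instead of Kerberos (for example when
        // the SPN of the web app's process account is missing); NTLM gives nothing to forward.
        if (!string.Equals(id.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
            return "Caller authenticated with " + id.AuthenticationType +
                   " rather than Kerberos; check the SPN of the web app's process account (setspn -L <account>).";

        return null;
    }

    // Hypothetical usage from the web app (the client of the web service).
    public static string CallService()
    {
        string problem = Explain(WindowsIdentity.GetCurrent());
        if (problem != null)
            throw new InvalidOperationException(problem);   // surface the cause, not the generic SecurityException

        HelloService proxy = new HelloService();            // hypothetical WSE 3.0 generated proxy
        proxy.SetPolicy("KerberosClientPolicy");            // policy name from the first post
        return proxy.HelloWorld();                          // hypothetical operation
    }
}
```

The branch on ImpersonationLevel.None separates the two situations the thread describes: without impersonation the check looks at the process account (ASPNET versus a domain or Network Service account), with impersonation it looks at the caller's token, which is what the assertion will try to obtain a service ticket with.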

©2008 Advenet LLC   Privacy Policy - Terms of Use