kerberos authentication


webrod

Hi,

I am trying to secure a WS using WSE 3.0 and kerberos.
I used the "WSE 3.0 settings" from VS2005 with my own WS.


I have a console application which tries to access a WS.
With the following configuration it works:
- WS/IIS and AD on the Windows 2003 server
- console application on a Windows XP workstation


With the following configuration it fails:
- AD on a Windows 2003 server
- console application and WS/IIS on a Windows XP workstation


Here are the error messages:
"Server unavailable, please try later"
"An error occurred processing an outgoing fault response. --->
System.Web.Services.Protocols.SoapHeaderException:
Microsoft.Web.Services3.Security.SecurityFault: SecurityContextToken is
expected but not present in the security header of the incoming
message."
"An invalid security token was provided"
"AcceptSecurityContext call failed with the following
error message: Logon failure: unknown user name or bad password."


I have done a lot of searching with Google, so here is what I did:
- I have set ASPNET to act as the operating system => problem not
solved
- I have updated web.config to use another user (instead of ASPNET)
from the domain (mydomain\myuser) => problem not solved


What could be the problem??
Do I need to set some specific configuration on AD ??


Thanks for your help


Rod
 

Willy Denoyette [MVP]

webrod said:
Hi,

I am trying to secure a WS using WSE 3.0 and kerberos.
I used the "WSE 3.0 settings" from VS2005 with my own WS.


I have a console application which tries to access a WS.
With the following configuration it works:
- WS/IIS and AD on the Windows 2003 server
- console application on a Windows XP workstation


With the following configuration it fails:
- AD on a Windows 2003 server
- console application and WS/IIS on a Windows XP workstation


Here are the error messages:
"Server unavailable, please try later"
"An error occurred processing an outgoing fault response. --->
System.Web.Services.Protocols.SoapHeaderException:
Microsoft.Web.Services3.Security.SecurityFault: SecurityContextToken is
expected but not present in the security header of the incoming
message."
"An invalid security token was provided"
"AcceptSecurityContext call failed with the following
error message: Logon failure: unknown user name or bad password."


I have done a lot of searching with Google, so here is what I did:
- I have set ASPNET to act as the operating system => problem not
solved
- I have updated web.config to use another user (instead of ASPNET)
from the domain (mydomain\myuser) => problem not solved


What could be the problem??
Do I need to set some specific configuration on AD ??


Thanks for your help


Rod


Kerberos is a NETWORK authentication protocol, that is, it only works across networks. Your
client and server (IIS) are running on the same server, which means Kerberos won't be used;
more, there is probably no authentication handshake needed, the client may already be
authenticated and have his token (ticket) cached by the local LSA (provided he's Kerberos
authenticated and not NTLM).
For the same reason it's also discouraged to run IIS (or any other service) on the DC
(running AD); many have been bitten by the fact that authentication fails or doesn't work as
expected because both entities aren't connected over a network.

WSE is a web-based services infrastructure; you should set up a test environment with
separate entities when performing security testing.

Willy.
PS. Before we start another endless thread, I would ask you to post WSE 3.0 questions/issues
to the forum at: <http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=46&SiteID=1>
AD-related issues are better posted to one of the many directory-related NGs like:
Microsoft.public.active.directory.interfaces
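A check a practitioner would run before re-testing, added here as an example and not taken from the thread or from Willy's reply: a service ticket is encrypted with the long-term key of whichever AD account owns the target SPN, so it can only be decrypted by a process running as that account (or, for host/<machine> SPNs, as a machine identity such as Local System or Network Service). A local account like ASPNET owns no SPN at all, and a domain account that IIS runs as must own the SPN the client asks for; either mismatch surfaces on the service side as AcceptSecurityContext failing with "unknown user name or bad password". The script below, run on the client as the calling domain user, looks up who owns the candidate SPNs for the IIS host, warns on a mismatch, and then shows which tickets the client actually obtained. The host name wsbox.mydomain.local, the account myuser and the SPN forms are placeholders; klist.exe is assumed to be available (built into Windows 7/2008 R2 and later, a separate download on XP/2003).

```powershell
# Added diagnostic, not code from the thread. Placeholders: the IIS host is
# 'wsbox.mydomain.local' and the account the web service runs as is 'myuser'.
# Run on the CLIENT machine, logged on as the domain user who calls the service.
param(
    [string]$ServiceHost    = 'wsbox.mydomain.local',
    [string]$ServiceAccount = 'myuser'
)

function Get-SpnOwner {
    # Ask the logon domain via LDAP which account owns a given SPN (no setspn.exe needed).
    param([string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('objectClass')
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Spn   = $Spn
            Owner = [string]$r.Properties['samaccountname'][0]
            Class = [string]($r.Properties['objectclass'] | Select-Object -Last 1)
        }
    }
}

# 1. The KDC encrypts a service ticket with the key of the account that owns the target SPN.
#    If that is not the account the web service's worker process runs as, the service cannot
#    decrypt the ticket and AcceptSecurityContext reports "unknown user name or bad password".
$short      = ($ServiceHost -split '\.')[0]
$candidates = "host/$ServiceHost", "host/$short", "HTTP/$ServiceHost", "HTTP/$short"
Write-Host "== SPN ownership for $ServiceHost"
$owners = foreach ($spn in $candidates) { Get-SpnOwner -Spn $spn }
$owners | Format-Table -AutoSize

# 2. Flag mismatches: each SPN should be owned by the service account, or by the
#    computer account ('wsbox$') when IIS runs as Local System / Network Service.
$expected = @($ServiceAccount, "$short`$")
foreach ($o in $owners) {
    if ($expected -notcontains $o.Owner) {
        Write-Warning "$($o.Spn) is owned by '$($o.Owner)' ($($o.Class)), not by $($expected -join ' or ')"
    }
}
if (-not $owners) {
    Write-Warning "No SPN registered for $ServiceHost; the KDC cannot issue a Kerberos ticket for it."
}

# 3. Start from an empty ticket cache, make the call, then see which service tickets were issued.
klist purge | Out-Null
Read-Host "Ticket cache purged. Run the console client now, then press Enter" | Out-Null
klist
```

If klist shows no ticket for the SPN the WSE client targets, the problem is on the client/KDC side (SPN missing or the client never asked for Kerberos); if the ticket is there but the service still fails, the account running the worker process does not hold the key for that SPN.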
 

webrod

thanks willy,

actually, you said that IIS should not be on the AD server, and that
the client should not be on the same server as IIS.
So I ran the client from the AD server and used IIS on the XP
workstation.
I got the same error message.
For the time being, I can only use 2 PCs for my test; my IT team provided
me a separate network for my test with only 2 PCs (this is because the
main network is based on NT and IT policy disallows an AD directory within
this network!!)

I have posted the same message here
<http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=46&SiteID=1>
as you said.

Rod
 

Willy Denoyette [MVP]

webrod said:
thanks willy,

actually, you said that IIS should not be on the AD server, and that
the client should not be on the same server as IIS.
The most important thing is that you separate the client from the service, that is, run the client
on XP and IIS on the server; the fact that IIS and AD are on the same server is something to
watch for when accessing resources (file servers etc.) from IIS or your web applications
hosted by IIS. In your case it's the best you can get, and it's a working configuration,
right?
So I ran the client from the AD server and used IIS on the XP
workstation.
I got the same error message.
For the time being, I can only use 2 PCs for my test; my IT team provided
me a separate network for my test with only 2 PCs (this is because the
main network is based on NT and IT policy disallows an AD directory within
this network!!)

I have posted the same message here
<http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=46&SiteID=1>
as you said.

Ok, I'll try to follow-up.

Willy.
 

webrod

The most important thing is that you separate the client from the service, that is, run the client
on XP and IIS on the server, [...] In your case it's the best you can get, and it's a working configuration,
right?

yes, but I am wondering if it's not a "too easy" configuration (IIS and
AD on the same server).
So, OK, it works, but in real life AD will be on a separate
server.

That's why I wanted to test with IIS on a separate server (on my
workstation PC) and with this configuration I have the error message.

I'll try to get a third machine...

Thanks for your help

Rod
 