Totally lost with C# web service execution as remote identity

todd_groten

Alright, I've been searching around for some time and have not been
able to find anything concrete on fixing an issue I am having. Here's
the situation:

1) I have a non-anonymous webservice running on a w2k3ee sp1 server
2) I am behind a corporate firewall, but was able to get our network
services group to punch a hole through at port 80.
3) I'm running the webservice using an impersonation to the service
account and have the pool configured to run under this account, as
well.
4) My webservice needs to go out and time stamp files, using an
external TSA, sorta like Verisign's or Comodo's Time Stamp Authority
URL.
5) The webservice executes perfectly, when a service account is logged
in on the console, however, it ceases to function when logged off.
6) (I think this is the crux of my issue...) Once the svc account has
logged in, the service runs fine without that user logged in, until the
Kerberos ticket expires and it tries to renew itself and can't grab the
user, b/c it's not logged in.

I've tried several different scenarios of having the service and/or web
site run as alternate values. (localsystem, local service, network
service, Domain service account and local service account) I've made
the accounts local admins on the box and have run ProxyCFG in both
direct mode and with current user configurations. I've also run
through different levels of impersonation (machine.config &
web.config).

Has anyone out there run into this type of issue, where the service
needs to make an external web call? I'm quite perplexed and pulling
out what's left of my hair. :)

Thanks,

-TGroten
 
V.Mahadev

Hi
1. I really go with Todd on it, but just thinking of another workaround: how
about creating a separate web service to access external sites or services
and calling this service from your service, but don't use impersonation?

2. Why does the service fail to grab a Kerberos ticket? It shouldn't if it is
a machine account or one of the accounts you mentioned.

Check the values of the following attributes in the config file:
processModel
comAuthenticationLevel
comImpersonationLevel
userName and password
and check this article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q326089


If this helps, let me know. I guess delegation is not enabled in your case.

VMDev
 
V.Mahadev

Even this may be of little help

https://blogs.msdn.com/dansellers/archive/2004/03.aspx

especially this part
Generally, it's not a good idea to run all code while impersonating. This
can lead to some weird problems with permissions on kernel objects (threads,
processes, named synchronization objects) that get created while
impersonating. It also prevents efficient database connection pooling.

If you really need to impersonate the authenticated user, a better approach
might be to do it manually as described here:

http://support.microsoft.com/?id=306158

System.Security.Principal.WindowsImpersonationContext impersonationContext =
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
try
{
    // Insert your code that runs under the security context of the
    // authenticating user here.
}
finally
{
    // Always revert, even if the impersonated code throws.
    impersonationContext.Undo();
}

good luck
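
An added example, not part of the thread or of the linked articles: one way to make only the outbound HTTP call under the worker-process (application pool) identity while the rest of the request keeps impersonating, in line with the replies' advice not to impersonate for the external call. It assumes .NET Framework 3.5 or later; `OutboundCall`, `AsProcessIdentity` and `Post` are hypothetical names, and the caller supplies the URL, content type and request body.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Security.Principal;

public static class OutboundCall
{
    // Runs 'work' under the worker-process (application pool) identity,
    // even if the current thread is impersonating the authenticated caller.
    public static T AsProcessIdentity<T>(Func<T> work)
    {
        // Impersonate(IntPtr.Zero) is equivalent to the Win32 RevertToSelf call.
        WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            return work();
        }
        finally
        {
            // Always restore the token the thread carried before the call.
            reverted.Undo();
        }
    }

    // Hypothetical helper: POSTs an already-built request body to an external URL.
    public static byte[] Post(Uri url, string contentType, byte[] body)
    {
        return AsProcessIdentity(() =>
        {
            // Record which account actually makes the outbound call.
            Trace.WriteLine("Outbound call as " + WindowsIdentity.GetCurrent().Name);

            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
            req.Method = "POST";
            req.ContentType = contentType;
            req.ContentLength = body.Length;
            using (Stream s = req.GetRequestStream())
                s.Write(body, 0, body.Length);

            using (WebResponse resp = req.GetResponse())
            using (Stream rs = resp.GetResponseStream())
            using (MemoryStream ms = new MemoryStream())
            {
                byte[] buf = new byte[8192];
                int n;
                while ((n = rs.Read(buf, 0, buf.Length)) > 0) ms.Write(buf, 0, n);
                return ms.ToArray();
            }
        });
    }
}
```

The traced account name shows whether the call left the box as the pool identity or as the impersonated caller, which is the first thing to confirm when an outbound request only works while someone is logged on.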
 
