Hi all,
Shame on me, but I found the problem:
a typo in the configuration file which I did not recognize and which .NET
Remoting did not worry about:
I wrote
impersonationLevel="Impersonation"
instead of
tokenImpersonationLevel="Impersonation".
So the exception told me exactly the right thing, because I used the default
impersonation level.
But why did the RemotingConfiguration.Configure method not notify me?
Regards,
Frank
"FrankSt" wrote:
> Hi all,
>
> I have a problem with the following scenario:
>
> (Using VS2005 and .NET 2.0)
> I have two services (name them service1 and service2) running on the same
> machine with different tasks to do for the client.
> Access to the services should be local only, so I selected the IPC channel.
>
> The client will access service1 and sometimes service1 needs to access service2.
> I need to access both services impersonated due to ACL restrictions.
> (Later in development the access to service1 is done via IIS, but for
> now the client directly calls service1).
>
> What does not work:
> Impersonated access to service1 works fine via IPC. But further impersonated
> access from service1 to service2 fails with remotingException:
> "A remote side security requirement was not fulfilled during authentication.
> Try increasing client ImpersonationLevel".
>
> I increased the impersonation level to "Delegation" but this does not solve
> the problem.
> Non-impersonated (and non secure) access to service2 works fine.
>
> What does work:
> If the client connects to service1 via IPC and service1 connects to service2
> via TCP, impersonation works fine; I do not even need to set
> impersonationLevel to "Delegation", "Impersonation" is enough.
>
> Problem: Why does the second IPC connection make these problems?
>
> Some background:
> If I check the identity, I correctly get the impersonated user and also the
> correct impersonation level; authentication is "NTLM". Access to ACL
> protected resources works fine.
> The services are hosted on a W2k3R2 server which is not the domain
> controller; the W2k2 server is part of a W2k3 domain running in W2k native
> mode.
> The IPC channel's authorizedGroup member is set correctly; I also checked the
> ACLs of the created NamedPipes, they were correct.
> I assumed at the beginning that I might need Kerberos authentication for
> delegation purposes, but I was not able to get it running. And now with using
> the second channel via TCP I do not even need to have Delegation level
> impersonation.
>
> So if anyone has a clue what might happen, please help me.
>
> Regards,
>
> Frank
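
A pre-deployment check for the failure described in this thread, where a misspelled security attribute on a remoting `<channel>` element is accepted without any error and the default impersonation level stays in effect. This is an added example, not part of the original posts: `lint_channels`, the sample configuration and the attribute allowlist are constructed for illustration, and the allowlist is an assumed, partial set that should be extended to cover the channel properties actually in use.

```python
import difflib
import xml.etree.ElementTree as ET

# Assumed, partial allowlist of <channel> attribute names (extend as needed).
KNOWN_CHANNEL_ATTRS = {
    "ref", "name", "priority", "portName", "secure",
    "tokenImpersonationLevel", "authorizedGroup", "impersonate",
}

# Constructed sample: the client channel with the typo from the thread.
SAMPLE_CONFIG = """
<configuration>
  <system.runtime.remoting>
    <application>
      <channels>
        <channel ref="ipc" secure="true" impersonationLevel="Impersonation" />
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>
"""


def lint_channels(config_xml, known=KNOWN_CHANNEL_ATTRS):
    """Return (attribute, suggestion) pairs for unrecognized <channel> attributes.

    suggestion is the closest known attribute name, or None if nothing is close.
    """
    findings = []
    root = ET.fromstring(config_xml)
    for channel in root.iter("channel"):
        for attr in channel.attrib:
            if attr in known:
                continue
            # sorted() keeps the suggestion deterministic if scores tie.
            close = difflib.get_close_matches(attr, sorted(known), n=1, cutoff=0.6)
            findings.append((attr, close[0] if close else None))
    return findings


if __name__ == "__main__":
    for attr, hint in lint_channels(SAMPLE_CONFIG):
        note = f" (did you mean '{hint}'?)" if hint else ""
        print(f"unrecognized channel attribute '{attr}'{note}")
```

Running such a check in the build or deployment pipeline makes the typo fail loudly instead of surfacing later as an authentication error at runtime.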