|
|
You're in the
dotnet web services enhancements
group:WSE 3.0 Kerberos Auth and issue with Windows XP ASPNET Account
dotnet web services enhancements:
I am using WSE 3.0 with Visual Studio 2005, specifically I'm using Kerberos
authentication and passing Kerberos ticket from Presentation Tier (VSTO.2005 client) to Server Tier through our Web Services (based on WSE 3.0). Having our WSE 3.0-WebService over Windows Server 2003, everything works great, but, over Windows XP, I have a problem (which is documented in WSE 3.0 help) but its workaround does not work properly (at least with my current testing). The problem is that ASP.NET default user in Windows XP (ASPNET user account) does not have privileges enough for running Kerberos authentication over WSE 3.0 Web Services, so, by default, using ASPNET account, it does not work (we get WSE910 exception). There is a MSFT sample where you can test it (WSSecurityKerberos) provided with WSE 3.0 Setup. Also, WSE samples Help documentation says the same, and gives a workaround: ===================================================================================================================================================================== Running the Kerberos Sample - WSSecurityKerberos On Microsoft® Windows® XP and Microsoft® Windows® 2000 Server, the Kerberos Security sample (WSSecurityKerberos) requires additional higher privilege settings for the ASPNET account. There are several ways to enable this. One is to give ASPNET account "Act as part of Operating System" privilege using Local Security Setting, and then reboot the system. Another alternative is to modify machine.config by setting the username attribute equal to "system" in the ProcessModel element, and then reset IIS. NOTE: By default the policy version of the WSSecurityKerberos does not work and throws an exception. This is because the machine name where the service is running needs to be updated in the wse3policyCache.config in the WSSecurityKerberosPolicyClient project to the machine where the service is installed. ===================================================================================================================================================================== Using SYSTEM account as aspnet_wp.exe WinXP-IIS pool process identity (changing machine.config) with WSE 3.0-Kerberos over Windows XP, does work properly, BUT, the problem we have is that we DO NEED to run our XML Web Service with any account (like ASPNET) except SYSTEM account (because we'll need to use also AzMan / Authentication Manager and it does not work with SYSTEM account over Windows XP, but this shouldn't be part of this question.). The behaviour I am describing you can reproduce it just with WSSecurityKerberos sample, without using AzMan within the same project. So, taking a simple look, our solution would be changing ASPNET privileges, enabling it to "Act as part of Operating System", using its Local Policy "Act as part of Operating System". BUT, we have made it, rebooted the machine, but it does not work at all (we get same exception). I have tested it in several Windows XP-SP2 machines with no luck. So, do we need to do anything else to make it work with ASPNET account?. (We already gave ASPNET account "Act as part of Operating System" privilege using Local Security Setting). Down below you can read my different environments: Development Environment: - Windows XP - SP2 (English US) - Visual Studio 2005 Team Developer Edition (English US) - WSE 3.0 (English US) - IIS as Web server (it seems WSE does not work with cassini (VS.2005 Web Server).) Future Production Environment On the other hand, as I said, WSE 3.0-Kerberos works properly with Windows Server 2003-SP1 and IIS 6.0 Pool process (w3wp.exe) default identity (NETWORK SERVICE). So, to sum up: Do I need to do anything else to make WSE 3.0 work with ASPNET account over Windows XP - SP2? (I already gave ASPNET account "Act as part of Operating System" privilege using Local Security Setting and re-booted my machines). Thanks in advanced, César de la Torre [Microsoft MVP - XML Web Services] [MCSE] [MCT] Software Architect Renacimiento
I've tried the steps that article says, and it does not work neither...
1.- Using a Domain Account 2.- Grant "Log on as a service" and "Impersonate a client after authentication" to that domain account 3.- Full Control to "C:\%WINDOWS%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files" 4.- Create an arbitrary SPN for the domain account, with setspn.exe, at my DC. 5.- Re-boot of my WebService machine BTW, it does not say anything about how can we use ASPNET account, like WSE 3.0 readme file says (Granting just "Act as part of Operating System" to ASPNET account). Except using SYSTEM account, all the other possibilities seem very obscure and contradictory all around MSFT documentation even in News Groups, etc... But my problem is, in my case, I cannot use SYSTEM account... Down below you can read those steps taken from the article you said: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch7_KerbTechSupp.asp Using a Domain Account with IIS 5.x (Windows 2000 and Windows XP) Instead of using the default account that is defined in the <ProcessModel/> element of the Machine.config file, a service can use a domain user account as the process identity. The domain account needs additional privileges and if it is used for message layer security, an arbitrary SPN should be created. To configure a domain account for the Kerberos protocol on a computer running IIS 5.x: Create a new user account in the domain (KDC realm) and add that account to the user group. This account does not need additional privileges on the domain computer. This means that you are using an account with the fewest privileges. On the computer running IIS 5.x, the new domain account requires the following rights, which can be assigned with the Local Security Settings configuration tool: Log on as a service Impersonate a client after authentication Assign Full Control permissions to the new domain account for the following folder on the IIS 5.x host: C:\%WINDOWS%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files Update the <ProcessModel/> element in the Machine.config file on the computer that is running IIS 5.x. Both the user name and password need to be updated to values associated with the new domain account. Restart IIS. Note The following step is required when you are using message layer security with the Kerberos protocol. When you use standard Windows authentication, it is not necessary to create an SPN for the account unless the account will be used for Delegation. Use the setspn.exe tool to create an arbitrary SPN for the domain account. This action is performed on the Active Directory domain controller, not on the computer that is running IIS 5.x. To perform this action, you must be an administrator or have SetPrincipalName permissions on the domain controller. The following example creates an arbitrary SPN named AcmeService/GlobalBank that maps to a Windows account named WS_Account: setspn –a AcmeService/GlobalBank WS_Account When you create a domain account that will be used for delegation with Windows Integrated Security, it should map to the HTTP host-based SPN. If you use message layer security with WSE 3.0, use an arbitrary SPN as previously described. Finally, the process model used by IIS 6.0 in Windows Server 2003 is very different from IIS 5.x. As a result, the steps previously described will not work in Windows Server 2003. Any other idea would be greatly apreciated. Thanks in advanced. -- CESAR DE LA TORRE Software Architect [Microsoft MVP - XML Web Services] [MCSE] [MCT] Renacimiento [Microsoft GOLD Certified Partner] [quoted text, click to view] "Pablo Cibraro" wrote: WSE910 exception).>> There is a MSFT sample where you can test it (WSSecurityKerberos) provided> with WSE 3.0 Setup.>> Also, WSE samples Help documentation says the same, and gives aworkaround:>=====================================================================================================================================================================> Running the Kerberos Sample - WSSecurityKerberos> On Microsoft® Windows® XP and Microsoft® Windows® 2000 Server, theKerberos> Security sample (WSSecurityKerberos) requires additional higher privilege> settings for the ASPNET account. There are several ways to enable this.One> is to give ASPNET account "Act as part of Operating System" privilegeusing> Local Security Setting, and then reboot the system. Another alternative is> to modify machine.config by setting the username attribute equal to"system"> in the ProcessModel element, and then reset IIS.>> NOTE: By default the policy version of the WSSecurityKerberos does notwork> and > Hi Cesar, > You can find good documentation regarding this topic in the following link > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch7_KerbTechSupp.aspRegards,Pablo Cibrarohttp://weblogs.asp.net/cibraxhttp://www.lagash.com"CESAR DE LA TORRE [MVP]" <cdltll@hotmail.com> wrote in messagenews:55BFA492-4DEA-4015-B2FA-32899068B02B@microsoft.com...>I am using WSE 3.0 with Visual Studio 2005, specifically I'm using Kerberos> authentication and passing Kerberos ticket from Presentation Tier(VSTO.2005> client) to Server Tier through our Web Services (based on WSE 3.0).>> Having our WSE 3.0-WebService over Windows Server 2003, everything works> great, but, over Windows XP, I have a problem (which is documented in WSE> 3.0 help) but its workaround does not work properly (at least with my> current testing).>> The problem is that ASP.NET default user in Windows XP (ASPNET useraccount)> does not have privileges enough for running Kerberos authentication overWSE> 3.0 Web Services, so, by default, using ASPNET account, it does not work(we> get throws an exception. This is because the machine name where theservice> is running needs to be updated in the wse3policyCache.config in the> WSSecurityKerberosPolicyClient project to the machine where the service is> installed.>=====================================================================================================================================================================>> Using SYSTEM account as aspnet_wp.exe WinXP-IIS pool process identity> (changing machine.config) with WSE 3.0-Kerberos over Windows XP, does work> properly, BUT, the problem we have is that we DO NEED to run our XML Web> Service with any account (like ASPNET) except SYSTEM account (becausewe'll> need to use also AzMan / Authentication Manager and it does not work with> SYSTEM account over Windows XP, but this shouldn't be part of this> question.). The behaviour I am describing you can reproduce it just with> WSSecurityKerberos sample, without using AzMan within the same project.>> So, taking a
Hi Cesar,
You can find good documentation regarding this topic in the following link [quoted text, click to view] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch7_KerbTechSupp.aspRegards,Pablo Cibrarohttp://weblogs.asp.net/cibraxhttp://www.lagash.com"CESAR DE LA TORRE [MVP]" <cdltll@hotmail.com> wrote in messagenews:55BFA492-4DEA-4015-B2FA-32899068B02B@microsoft.com...>I am using WSE 3.0 with Visual Studio 2005, specifically I'm using Kerberos> authentication and passing Kerberos ticket from Presentation Tier(VSTO.2005> client) to Server Tier through our Web Services (based on WSE 3.0).>> Having our WSE 3.0-WebService over Windows Server 2003, everything works> great, but, over Windows XP, I have a problem (which is documented in WSE> 3.0 help) but its workaround does not work properly (at least with my> current testing).>> The problem is that ASP.NET default user in Windows XP (ASPNET useraccount)> does not have privileges enough for running Kerberos authentication overWSE> 3.0 Web Services, so, by default, using ASPNET account, it does not work(we> get WSE910 exception).>> There is a MSFT sample where you can test it (WSSecurityKerberos) provided> with WSE 3.0 Setup.>> Also, WSE samples Help documentation says the same, and gives aworkaround:>=====================================================================================================================================================================> Running the Kerberos Sample - WSSecurityKerberos> On Microsoft® Windows® XP and Microsoft® Windows® 2000 Server, theKerberos> Security sample (WSSecurityKerberos) requires additional higher privilege> settings for the ASPNET account. There are several ways to enable this.One> is to give ASPNET account "Act as part of Operating System" privilegeusing> Local Security Setting, and then reboot the system. Another alternative is> to modify machine.config by setting the username attribute equal to"system"> in the ProcessModel element, and then reset IIS.>> NOTE: By default the policy version of the WSSecurityKerberos does notwork> and throws an exception. This is because the machine name where theservice> is running needs to be updated in the wse3policyCache.config in the> WSSecurityKerberosPolicyClient project to the machine where the service is> installed.>=====================================================================================================================================================================>> Using SYSTEM account as aspnet_wp.exe WinXP-IIS pool process identity> (changing machine.config) with WSE 3.0-Kerberos over Windows XP, does work> properly, BUT, the problem we have is that we DO NEED to run our XML Web> Service with any account (like ASPNET) except SYSTEM account (becausewe'll> need to use also AzMan / Authentication Manager and it does not work with> SYSTEM account over Windows XP, but this shouldn't be part of this> question.). The behaviour I am describing you can reproduce it just with> WSSecurityKerberos sample, without using AzMan within the same project.>> So, taking a simple look, our solution would be changing ASPNETprivileges,> enabling it to "Act as part of Operating System", using its Local Policy> "Act as part of Operating System".>> BUT, we have made it, rebooted the machine, but it does not work at all(we> get same exception). I have tested it in several Windows XP-SP2 machines> with no luck. So, do we need to do anything else to make it work withASPNET> account?. (We already gave ASPNET account "Act as part of OperatingSystem"> privilege using Local Security Setting).>> Down below you can read my different environments:>> Development Environment:> - Windows XP - SP2 (English US)> - Visual Studio 2005 Team Developer Edition (English US)> - WSE 3.0 (English US)> - IIS as Web server (it seems WSE does not work with cassini> (VS.2005 Web Server).)>> Future Production Environment> On the other hand, as I said, WSE 3.0-Kerberos works properly with Windows> Server 2003-SP1 and IIS 6.0 Pool process (w3wp.exe) default identity> (NETWORK SERVICE).>> So, to sum up:> Do I need to do anything else to make WSE 3.0 work with ASPNET accountover> Windows XP - SP2? (I already gave ASPNET account "Act as part of Operating> System" privilege using Local Security Setting and re-booted my machines).>> Thanks in advanced,>> César de la Torre> [Microsoft MVP - XML Web Services]> [MCSE] [MCT]> Software Architect>> Renacimiento> Microsoft GOLD Certifed Partner
Finally (before xmas holidays) I made it work with a Domain Account with a
Custom Principal Name using SetSPN.exe utility. I reported this issue (does not work WSE 3.0 + XP-SP2 with ASPNET account) to Microsoft-PSS in December 2005 and currently they have no reached any solution about it (how to make it work with ASPNET account). May be WSE 3.0 documentation is wrong. Currently, they passed this issue to WSE 3.0 product group. BTW, with Windows Server 2003 everything works great by default (using Network Services account for IIS process pool). So, to sum up, yes, currently, over Windows XP-SP2, WSE 3.0-Kerberos does not work with ASPNET account. The only way is using a Domain account with a custom pricipal name (using Setspn.exe utility in a DC). -- CESAR DE LA TORRE Software Architect [Microsoft MVP - XML Web Services] [MCSE] [MCT] Renacimiento [Microsoft GOLD Certified Partner] [quoted text, click to view] "CESAR DE LA TORRE [MVP]" wrote: and > I've tried the steps that article says, and it does not work neither... > 1.- Using a Domain Account > 2.- Grant "Log on as a service" and "Impersonate a client after > authentication" to that domain account > 3.- Full Control to > "C:\%WINDOWS%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files" > 4.- Create an arbitrary SPN for the domain account, with setspn.exe, at my DC. > 5.- Re-boot of my WebService machine > > BTW, it does not say anything about how can we use ASPNET account, like WSE > 3.0 readme file says (Granting just "Act as part of Operating System" to > ASPNET account). > Except using SYSTEM account, all the other possibilities seem very obscure > and contradictory all around MSFT documentation even in News Groups, etc... > But my problem is, in my case, I cannot use SYSTEM account... > Down below you can read those steps taken from the article you said: > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch7_KerbTechSupp.asp > Using a Domain Account with IIS 5.x (Windows 2000 and Windows XP) > Instead of using the default account that is defined in the <ProcessModel/> > element of the Machine.config file, a service can use a domain user account > as the process identity. The domain account needs additional privileges and > if it is used for message layer security, an arbitrary SPN should be created. > > To configure a domain account for the Kerberos protocol on a computer > running IIS 5.x: > > Create a new user account in the domain (KDC realm) and add that account to > the user group. This account does not need additional privileges on the > domain computer. This means that you are using an account with the fewest > privileges. > On the computer running IIS 5.x, the new domain account requires the > following rights, which can be assigned with the Local Security Settings > configuration tool: > Log on as a service > Impersonate a client after authentication > Assign Full Control permissions to the new domain account for the following > folder on the IIS 5.x host: > C:\%WINDOWS%\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files > Update the <ProcessModel/> element in the Machine.config file on the > computer that is running IIS 5.x. Both the user name and password need to be > updated to values associated with the new domain account. Restart IIS. > Note The following step is required when you are using message layer > security with the Kerberos protocol. When you use standard Windows > authentication, it is not necessary to create an SPN for the account unless > the account will be used for Delegation. > Use the setspn.exe tool to create an arbitrary SPN for the domain account. > This action is performed on the Active Directory domain controller, not on > the computer that is running IIS 5.x. To perform this action, you must be an > administrator or have SetPrincipalName permissions on the domain controller. > The following example creates an arbitrary SPN named AcmeService/GlobalBank > that maps to a Windows account named WS_Account: > setspn –a AcmeService/GlobalBank WS_Account > When you create a domain account that will be used for delegation with > Windows Integrated Security, it should map to the HTTP host-based SPN. If you > use message layer security with WSE 3.0, use an arbitrary SPN as previously > described. Finally, the process model used by IIS 6.0 in Windows Server 2003 > is very different from IIS 5.x. As a result, the steps previously described > will not work in Windows Server 2003. > > Any other idea would be greatly apreciated. Thanks in advanced. > -- > CESAR DE LA TORRE > Software Architect > [Microsoft MVP - XML Web Services] > [MCSE] [MCT] > > Renacimiento > [Microsoft GOLD Certified Partner] > > > "Pablo Cibraro" wrote: > > > Hi Cesar, > > You can find good documentation regarding this topic in the following link > > > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch7_KerbTechSupp.aspRegards,Pablo Cibrarohttp://weblogs.asp.net/cibraxhttp://www.lagash.com"CESAR DE LA TORRE [MVP]" <cdltll@hotmail.com> wrote in messagenews:55BFA492-4DEA-4015-B2FA-32899068B02B@microsoft.com...>I am using WSE 3.0 with Visual Studio 2005, specifically I'm using Kerberos> authentication and passing Kerberos ticket from Presentation Tier(VSTO.2005> client) to Server Tier through our Web Services (based on WSE 3.0).>> Having our WSE 3.0-WebService over Windows Server 2003, everything works> great, but, over Windows XP, I have a problem (which is documented in WSE> 3.0 help) but its workaround does not work properly (at least with my> current testing).>> The problem is that ASP.NET default user in Windows XP (ASPNET useraccount)> does not have privileges enough for running Kerberos authentication overWSE> 3.0 Web Services, so, by default, using ASPNET account, it does not work(we> get > WSE910 exception).>> There is a MSFT sample where you can test it (WSSecurityKerberos) provided> with WSE 3.0 Setup.>> Also, WSE samples Help documentation says the same, and gives aworkaround:>=====================================================================================================================================================================> Running the Kerberos Sample - WSSecurityKerberos> On Microsoft® Windows® XP and Microsoft® Windows® 2000 Server, theKerberos> Security sample (WSSecurityKerberos) requires additional higher privilege> settings for the ASPNET account. There are several ways to enable this.One> is to give ASPNET account "Act as part of Operating System" privilegeusing> Local Security Setting, and then reboot the system. Another alternative is> to modify machine.config by setting the username attribute equal to"system"> in the ProcessModel element, and then reset IIS.>> NOTE: By default the policy version of the WSSecurityKerberos does notwork>
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |