| Groups | Blog | Home |
dotnet web services enhancements : Using kerberosSecurity Throws Security Exception
I'm getting the following exception when I try to set the policy. Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file. Exception Details: System.Security.SecurityException: InitializeSecurityContext call failed with the following error message: A specified logon session does not exist. It may already have been terminated. This is running on XP SP2, and I have granted ASPNET the right to Act as part of the OS (and subsequently rebooted). I have integrated authentication turned on for the web app (the client of my web service). What I am trying to achieve is flowing the integrated auth security token to my web service. My client policy (on my web app) is below. <policies> <extensions> <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> </extensions> <policy name="KerberosClientPolicy"> <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" signatureConfirmation="false" protectionOrder="SignBeforeEncrypting" deriveKeys="false" actor=""> <token> <kerberos targetPrincipal="host/DGP1FR51" impersonationLevel="Identification" /> </token> <protection> <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" /> </protection> </kerberosSecurity> </policy> </policies> The target machine is local and is hosting a simple web service (this is just a proof of concept app). What else am I missing, or will the kerberos turnkey assertion not work with a web app client? -- J. Ambrose Little ASP.NET MVP/ASPInsider -----
On a hunch, I tried turning on identity impersonation for my web app. This
seems to have gotten me past this hurdle. To sum up: Turn off anonymous access in IIS Directory Security and ensure Integrated authentication is on for the web app. Set these settings in the web.config: <authentication mode="Windows" /> <identity impersonate="true" /> Then do the standard WSE 3 setup. No on to setting up the web service correctly... :) -- J. Ambrose Little ASP.NET MVP/ASPInsider ----- Non nobis Domine non nobis sed nomini Tuo da gloriam. [quoted text, click to view] "J. Ambrose Little" wrote:
> I've tried to implement the kerberosSecurity turnkey scenario on my apps, and > I'm getting the following exception when I try to set the policy. > > Description: The application attempted to perform an operation not allowed > by the security policy. To grant this application the required permission > please contact your system administrator or change the application's trust > level in the configuration file. > > Exception Details: System.Security.SecurityException: > InitializeSecurityContext call failed with the following error message: A > specified logon session does not exist. It may already have been terminated. > > This is running on XP SP2, and I have granted ASPNET the right to Act as > part of the OS (and subsequently rebooted). I have integrated authentication > turned on for the web app (the client of my web service). > > What I am trying to achieve is flowing the integrated auth security token to > my web service. My client policy (on my web app) is below. > > <policies> > <extensions> > <extension name="kerberosSecurity" > type="Microsoft.Web.Services3.Design.KerberosAssertion, > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, > PublicKeyToken=31bf3856ad364e35" /> > </extensions> > <policy name="KerberosClientPolicy"> > <kerberosSecurity establishSecurityContext="false" > renewExpiredSecurityContext="true" signatureConfirmation="false" > protectionOrder="SignBeforeEncrypting" deriveKeys="false" actor=""> > <token> > <kerberos targetPrincipal="host/DGP1FR51" > impersonationLevel="Identification" /> > </token> > <protection> > <request signatureOptions="IncludeAddressing, IncludeTimestamp, > IncludeSoapBody" encryptBody="true" /> > <response signatureOptions="IncludeAddressing, IncludeTimestamp, > IncludeSoapBody" encryptBody="true" /> > <fault signatureOptions="IncludeAddressing, IncludeTimestamp, > IncludeSoapBody" encryptBody="false" /> > </protection> > </kerberosSecurity> > </policy> > </policies> > > The target machine is local and is hosting a simple web service (this is > just a proof of concept app). > > What else am I missing, or will the kerberos turnkey assertion not work with > a web app client? > > -- > J. Ambrose Little > ASP.NET MVP/ASPInsider > -----
I had the same problem and the only way I made it work is with a Domain
Account with a Custom Principal Name using SetSPN.exe utility. I reported this issue (does not work WSE 3.0 + XP-SP2 with ASPNET account) to Microsoft-PSS in December 2005 and currently they have no reached any solution about it (how to make it work with ASPNET account). May be WSE 3.0 documentation is wrong. Currently, they passed this issue to WSE 3.0 product group. BTW, with Windows Server 2003 everything works great by default (using Network Services account for IIS process pool). So, to sum up, yes, currently, over Windows XP-SP2, WSE 3.0-Kerberos does not work with ASPNET account. The only way is using a Domain account with a custom pricipal name (using Setspn.exe utility in a DC). This way you do not need to turn off anonymous access in IIS. -- CESAR DE LA TORRE Software Architect [Microsoft MVP - XML Web Services] [MCSE] [MCT] Renacimiento [Microsoft GOLD Certified Partner] [quoted text, click to view] "J. Ambrose Little" wrote:
> On a hunch, I tried turning on identity impersonation for my web app. This > seems to have gotten me past this hurdle. > > To sum up: > Turn off anonymous access in IIS Directory Security and ensure Integrated > authentication is on for the web app. > Set these settings in the web.config: > <authentication mode="Windows" /> > <identity impersonate="true" /> > > Then do the standard WSE 3 setup. > > No on to setting up the web service correctly... :) > > -- > J. Ambrose Little > ASP.NET MVP/ASPInsider > ----- > Non nobis Domine non nobis sed nomini Tuo da gloriam. > > > "J. Ambrose Little" wrote: > > > I've tried to implement the kerberosSecurity turnkey scenario on my apps, and > > I'm getting the following exception when I try to set the policy. > > > > Description: The application attempted to perform an operation not allowed > > by the security policy. To grant this application the required permission > > please contact your system administrator or change the application's trust > > level in the configuration file. > > > > Exception Details: System.Security.SecurityException: > > InitializeSecurityContext call failed with the following error message: A > > specified logon session does not exist. It may already have been terminated. > > > > This is running on XP SP2, and I have granted ASPNET the right to Act as > > part of the OS (and subsequently rebooted). I have integrated authentication > > turned on for the web app (the client of my web service). > > > > What I am trying to achieve is flowing the integrated auth security token to > > my web service. My client policy (on my web app) is below. > > > > <policies> > > <extensions> > > <extension name="kerberosSecurity" > > type="Microsoft.Web.Services3.Design.KerberosAssertion, > > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, > > PublicKeyToken=31bf3856ad364e35" /> > > </extensions> > > <policy name="KerberosClientPolicy"> > > <kerberosSecurity establishSecurityContext="false" > > renewExpiredSecurityContext="true" signatureConfirmation="false" > > protectionOrder="SignBeforeEncrypting" deriveKeys="false" actor=""> > > <token> > > <kerberos targetPrincipal="host/DGP1FR51" > > impersonationLevel="Identification" /> > > </token> > > <protection> > > <request signatureOptions="IncludeAddressing, IncludeTimestamp, > > IncludeSoapBody" encryptBody="true" /> > > <response signatureOptions="IncludeAddressing, IncludeTimestamp, > > IncludeSoapBody" encryptBody="true" /> > > <fault signatureOptions="IncludeAddressing, IncludeTimestamp, > > IncludeSoapBody" encryptBody="false" /> > > </protection> > > </kerberosSecurity> > > </policy> > > </policies> > > > > The target machine is local and is hosting a simple web service (this is > > just a proof of concept app). > > > > What else am I missing, or will the kerberos turnkey assertion not work with > > a web app client? > > > > -- > > J. Ambrose Little > > ASP.NET MVP/ASPInsider > > -----
I am experiencing this error while trying to use a Windows XP client
application to access a web service located on a W2k3 server. if i run the client app on the server, it works fine. i thought since the service was running on the server it should work even with an XP client app, but I can't get it working. The documentation says to "Configure constrained delegation", but I don't think I want that. I'm just trying to use the Kerberos turnkey assertion in its simplest form. thanks! josh [quoted text, click to view] "CESAR DE LA TORRE [MVP]" wrote:
> I had the same problem and the only way I made it work is with a Domain > Account with a Custom Principal Name using SetSPN.exe utility. I reported > this issue (does not work WSE 3.0 + XP-SP2 with ASPNET account) to > Microsoft-PSS in December 2005 and currently they have no reached any > solution about it (how to make it work with ASPNET account). May be WSE 3.0 > documentation is wrong. Currently, they passed this issue to WSE 3.0 product > group. > > BTW, with Windows Server 2003 everything works great by default (using > Network Services account for IIS process pool). > > So, to sum up, yes, currently, over Windows XP-SP2, WSE 3.0-Kerberos does > not work with ASPNET account. The only way is using a Domain account with a > custom pricipal name (using Setspn.exe utility in a DC). > This way you do not need to turn off anonymous access in IIS. > > -- > CESAR DE LA TORRE > Software Architect > [Microsoft MVP - XML Web Services] > [MCSE] [MCT] > > Renacimiento > [Microsoft GOLD Certified Partner] > > > "J. Ambrose Little" wrote: > > > On a hunch, I tried turning on identity impersonation for my web app. This > > seems to have gotten me past this hurdle. > > > > To sum up: > > Turn off anonymous access in IIS Directory Security and ensure Integrated > > authentication is on for the web app. > > Set these settings in the web.config: > > <authentication mode="Windows" /> > > <identity impersonate="true" /> > > > > Then do the standard WSE 3 setup. > > > > No on to setting up the web service correctly... :) > > > > -- > > J. Ambrose Little > > ASP.NET MVP/ASPInsider > > ----- > > Non nobis Domine non nobis sed nomini Tuo da gloriam. > > > > > > "J. Ambrose Little" wrote: > > > > > I've tried to implement the kerberosSecurity turnkey scenario on my apps, and > > > I'm getting the following exception when I try to set the policy. > > > > > > Description: The application attempted to perform an operation not allowed > > > by the security policy. To grant this application the required permission > > > please contact your system administrator or change the application's trust > > > level in the configuration file. > > > > > > Exception Details: System.Security.SecurityException: > > > InitializeSecurityContext call failed with the following error message: A > > > specified logon session does not exist. It may already have been terminated. > > > > > > This is running on XP SP2, and I have granted ASPNET the right to Act as > > > part of the OS (and subsequently rebooted). I have integrated authentication > > > turned on for the web app (the client of my web service). > > > > > > What I am trying to achieve is flowing the integrated auth security token to > > > my web service. My client policy (on my web app) is below. > > > > > > <policies> > > > <extensions> > > > <extension name="kerberosSecurity" > > > type="Microsoft.Web.Services3.Design.KerberosAssertion, > > > Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, > > > PublicKeyToken=31bf3856ad364e35" /> > > > </extensions> > > > <policy name="KerberosClientPolicy"> > > > <kerberosSecurity establishSecurityContext="false" > > > renewExpiredSecurityContext="true" signatureConfirmation="false" > > > protectionOrder="SignBeforeEncrypting" deriveKeys="false" actor=""> > > > <token> > > > <kerberos targetPrincipal="host/DGP1FR51" > > > impersonationLevel="Identification" /> > > > </token> > > > <protection> > > > <request signatureOptions="IncludeAddressing, IncludeTimestamp, > > > IncludeSoapBody" encryptBody="true" /> > > > <response signatureOptions="IncludeAddressing, IncludeTimestamp, > > > IncludeSoapBody" encryptBody="true" /> > > > <fault signatureOptions="IncludeAddressing, IncludeTimestamp, > > > IncludeSoapBody" encryptBody="false" /> > > > </protection> > > > </kerberosSecurity> > > > </policy> > > > </policies> > > > > > > The target machine is local and is hosting a simple web service (this is > > > just a proof of concept app). > > > > > > What else am I missing, or will the kerberos turnkey assertion not work with > > > a web app client? > > > > > > -- > > > J. Ambrose Little > > > ASP.NET MVP/ASPInsider > > > -----
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |