Followup Question. Does the domain account that the SPN was created for and
the App Pool was configured with need to be configured for Delegation?
The scenario that fails is:
Mach A (ASP.NET Web App 2003) --> Mach B (ASP.NET Web Service 2003) --> Mach C (SQL Server - Integrated Security)
The scenario that works is:
My Machine (ASP.NET Web App XP SP2) --> Mach B (ASP.NET Web Service 2003) --> Mach C (SQL Server - Integrated Security)
--
Anthony Yott
"Anthony Yott" wrote:
> Folks,
>
> I'm having an issue calling a .NET 2.0 Web Service using WSE 3.0 with
> Kerberos Policy from an ASP.NET 2.0 Web client on a remote machine (I've
> tried XP and Win 2003). I can call the web service from my local XP SP 2
> machine using an ASP.NET 2.0 client but it does not work if the client ASP.NET
> web site is on another machine. The Web Service is located on a 2003 remote
> machine in the domain as well so it is not located on the same machine as the
> client.
>
> - I've set up an arbitrary SPN with a domain account for the web service and
> then created an app pool to run under this identity.
>
> - On the Client web app I set the targetPrincipal accordingly in the policy
> file
> <kerberos targetPrincipal="SomeWebService/machine.domain.com"
> impersonationLevel="Impersonation" />
>
> - On the 2003 and XP clients web sites Integrated Windows Authentication is
> ON and Anonymous is off
>
> - On the 2003 and XP clients we ARE impersonating <identity
> impersonate="true"/>
>
> Can anyone help with this? I would appreciate any responses.
>
> I've included the error messages for both the XP and Win 2003 clients.
> Again, it works if the client is local but not if the client is on another
> machine.
>
> Thanks,
> Anthony Yott
>
>
> Remote XP Machine in same domain
> ======================================================================
> System.Security.SecurityException: The Kerberos credential handle could not
> be acquired. The AcquireCredentialsHandle call returned the following error
> code: The parameter is incorrect. . at
> Microsoft.Web.Services3.Security.Tokens.Kerberos.KerberosCredential..ctor(CredentialUse
> usage) at
> Microsoft.Web.Services3.Security.Tokens.Kerberos.KerberosClientContext..ctor(String
> targetPrincipalName, Boolean requireMutualAuthentication, ImpersonationLevel
> level) at Microsoft.Web.Services3.Security.Tokens.KerberosToken..ctor(String
> targetPrincipal, ImpersonationLevel level) at
> Microsoft.Web.Services3.Design.KerberosTokenProvider.GetToken() at
> Microsoft.Web.Services3.Design.KerberosAssertion.ClientOutputFilter.SecureMessage(SoapEnvelope
> envelope, Security security, MessageProtectionRequirements request) at
> Microsoft.Web.Services3.Security.SecureConversationClientSendSecurityFilter.SecureMessage(SoapEnvelope
> envelope, Security security) at
> Microsoft.Web.Services3.Security.SendSecurityFilter.ProcessMessage(SoapEnvelope
> envelope) at
> Microsoft.Web.Services3.Pipeline.ProcessOutputMessage(SoapEnvelope envelope)
> at Microsoft.Web.Services3.Xml.SoapEnvelopeWriter.Finish() at
> Microsoft.Web.Services3.Xml.XmlWrappingWriter.Flush() at
> System.Web.Services.Protocols.SoapHttpClientProtocol.Serialize(SoapClientMessage
> message) at
> System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String
> methodName, Object[] parameters) at
> Cox.Web.CryptographyManager.CryptoMgmtService.CryptoManagementServiceWse.GetIngrianAccountInformation(String&
> IngrianPassword) in
> C:\Dev\Webservices\zVersions\Cryptography\1.0.0.0\Applications\Web\CryptographyManager\Web
> References\CryptoMgmtService\Reference.cs:line 170 at
> Cox.Web.CryptographyManager.MainForm.loadIngrianSetup() in
> C:\Dev\Webservices\zVersions\Cryptography\1.0.0.0\Applications\Web\CryptographyManager\MainForm.aspx.cs:line
> 397 The Zone of the assembly that failed was: MyComputer
>
> Remote 2003 Machine in same domain
> ========================================================================
> System.Security.SecurityException: The Kerberos credential handle could not
> be acquired. The AcquireCredentialsHandle call returned the following error
> code: A specified logon session does not exist. It may already have been
> terminated. . at
> Microsoft.Web.Services3.Security.Tokens.Kerberos.KerberosCredential..ctor(CredentialUse
> usage) at
> Microsoft.Web.Services3.Security.Tokens.Kerberos.KerberosClientContext..ctor(String
> targetPrincipalName, Boolean requireMutualAuthentication, ImpersonationLevel
> level) at Microsoft.Web.Services3.Security.Tokens.KerberosToken..ctor(String
> targetPrincipal, ImpersonationLevel level) at
> Microsoft.Web.Services3.Design.KerberosTokenProvider.GetToken() at
> Microsoft.Web.Services3.Design.KerberosAssertion.ClientOutputFilter.SecureMessage(SoapEnvelope
> envelope, Security security, MessageProtectionRequirements request) at
> Microsoft.Web.Services3.Security.SecureConversationClientSendSecurityFilter.SecureMessage(SoapEnvelope
> envelope, Security security) at
> Microsoft.Web.Services3.Security.SendSecurityFilter.ProcessMessage(SoapEnvelope
> envelope) at
> Microsoft.Web.Services3.Pipeline.ProcessOutputMessage(SoapEnvelope envelope)
> at Microsoft.Web.Services3.Xml.SoapEnvelopeWriter.Finish() at
> Microsoft.Web.Services3.Xml.XmlWrappingWriter.Flush() at
> System.Web.Services.Protocols.SoapHttpClientProtocol.Serialize(SoapClientMessage
> message) at
> System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String
> methodName, Object[] parameters) at
> Cox.Web.CryptographyManager.CryptoMgmtService.CryptoManagementServiceWse.GetIngrianAccountInformation(String&
> IngrianPassword) at Cox.Web.CryptographyManager.MainForm.loadIngrianSetup()
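For the double-hop case in this thread (Mach A --> Mach B --> Mach C), the second hop only carries the caller's identity if the middle-tier account is trusted for delegation and the SPN the client targets is registered once, on that account. The following PowerShell check is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module, and the account name and SQL Server SPN are placeholders to replace.

```powershell
# Added example (not from the original post): verify SPN registration and delegation
# state of the App Pool account on Mach B for the Mach A -> Mach B -> Mach C scenario.
# Assumes the RSAT ActiveDirectory module; names marked placeholder are constructed.
Import-Module ActiveDirectory

$ServiceAccount = 'svc_webservice'                       # placeholder: App Pool identity on Mach B
$ServiceSpn     = 'SomeWebService/machine.domain.com'    # targetPrincipal from the WSE policy
$BackendSpn     = 'MSSQLSvc/machc.domain.com:1433'       # placeholder: SQL Server SPN on Mach C

$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName,
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# 1. The SPN the client targets must be registered on this account and nowhere else.
#    A missing or duplicate SPN breaks the first hop before any delegation question arises.
if ($acct.servicePrincipalName -notcontains $ServiceSpn) {
    Write-Warning "SPN $ServiceSpn is not registered on $ServiceAccount"
}
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$ServiceSpn)")
if ($holders.Count -gt 1) {
    Write-Warning "SPN $ServiceSpn is registered on $($holders.Count) objects (duplicate SPN)"
}

# 2. For the second hop (Mach B -> SQL Server on Mach C) the account must be trusted to
#    delegate. Constrained delegation scoped to the SQL SPN is the least-privilege choice;
#    unconstrained delegation lets the account impersonate callers to any service.
if ($acct.TrustedForDelegation) {
    Write-Warning "$ServiceAccount is trusted for UNCONSTRAINED delegation; scope it to $BackendSpn"
} elseif ($acct.'msDS-AllowedToDelegateTo' -contains $BackendSpn) {
    Write-Output "OK: constrained delegation from $ServiceAccount to $BackendSpn is configured"
} else {
    Write-Warning "$ServiceAccount is not allowed to delegate to $BackendSpn; the second hop will not carry the caller's identity"
}
```

Run it as a domain user with read access to the service account object; the working single-machine case in the post never exercises hop two, which is why the same configuration can pass locally and fail from a remote client.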