Alright, I've been searching around for some time and have not been
able to find anything concrete on fixing an issue I am having. Here's
the situation:
1) I have a non-anonymous webservice running on a w2k3ee sp1 server
2) I am behind a corporate firewall, but was able to get our network
services group to punch a hole at port 80 through.
3) I'm running the webservice using an impersonation to the service
account and have the pool configured to run under this account, as
well.
4) My webservice needs to go out and time stamp files, using an
external TSA, sorta like Verisign's or Comodo's Time Stamp Authority
URL.
5) The webservice executes perfectly, when a service account is logged
in on the console, however, it ceases to function when logged off.
6) (I think this is the crux of my issue...) Once the svc account has
logged in, the service runs fine without that user logged in, until the
Kerberos ticket expires and it tries to renew itself and can't grab the
user, b/c it's not logged in.
I've tried several different scenarios of having the service and/or web
site run as alternate values. (localsystem, local service, network
service, Domain service account and local service account) I've made
the accounts local admins on the box and have run ProxyCFG in both
direct mode and with current user configurations. I've also run
through different levels of impersonation (machine.config &
web.config).
Has anyone out there run into this type of issue, where the service
needs to make an external web call? I'm quite perplexed and pulling
out what's left of my hair. :)
Thanks,
-TGroten
I had a similar issue with a website that needed to log requests to files -
but the ASP account did not have rights to create files on the {possibly
remote network} disk drive. I worked around this issue by moving the "log
request" functionality into an Enterprise Services component and then
configuring the component to run "out of proc" under a more privileged
identity...
Hi
1. I really go with Todd on it, but just thinking of another workaround: how about
creating a separate web service to access external sites or services and
calling this service from your service, but don't use impersonation.
2. Why does the service fail to grab a k ticket? It shouldn't if it is a machine
account or one of the accounts you mentioned.
Check the following attribute values in the config file:
processModel
comAuthenticationLevel
comImpersonationLevel
userName and password
and check this article http://support.microsoft.com/default...;EN-US;Q326089
If this helps let me know. I guess delegation is not enabled in your case.
VMDev
Even this may be of little help https://blogs.msdn.com/dansellers/archive/2004/03.aspx
especially this part
Generally, it's not a good idea to run all code while impersonating. This
can lead to some weird problems with permissions on kernel objects (threads,
processes, named synchronization objects) that get created while
impersonating. It also prevents efficient database connection pooling.
If you really need to impersonate the authenticated user, a better approach
might be to do it manually as described here: http://support.microsoft.com/?id=306158
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext =
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
try
{
    // Insert your code that runs under the security context of the
    // authenticating user here.
}
finally
{
    // Revert to the process identity even if the code above throws.
    impersonationContext.Undo();
}
good luck
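The scoped impersonation pattern from the reply above, with the outbound HTTP call made after Undo() so that it runs as the application pool identity. This is an added example, not code from the thread or the linked articles. It assumes Windows authentication with impersonation turned off in web.config; StampService, TsaUrl and queryPath (a file that already holds an encoded timestamp query) are hypothetical names.

```csharp
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web.Services;

public class StampService : WebService
{
    // Hypothetical endpoint; substitute the TSA URL you actually use.
    private const string TsaUrl = "http://tsa.example.invalid/stamp";

    [WebMethod]
    public byte[] Stamp(string queryPath)
    {
        byte[] query;
        // Impersonate the caller only for the step that needs the caller's rights.
        WindowsImpersonationContext ctx = ((WindowsIdentity)User.Identity).Impersonate();
        try
        {
            query = File.ReadAllBytes(queryPath);
        }
        finally
        {
            ctx.Undo(); // always revert, even if the read throws
        }
        // From here on the thread runs as the application pool identity again.
        Trace.WriteLine("Outbound call as " + WindowsIdentity.GetCurrent().Name);
        return Post(query);
    }

    private static byte[] Post(byte[] body)
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(TsaUrl);
        req.Method = "POST";
        req.ContentType = "application/timestamp-query"; // RFC 3161 over HTTP
        req.ContentLength = body.Length;
        using (Stream s = req.GetRequestStream())
            s.Write(body, 0, body.Length);
        using (WebResponse resp = req.GetResponse())
        using (Stream rs = resp.GetResponseStream())
        using (MemoryStream ms = new MemoryStream())
        {
            byte[] buf = new byte[4096];
            int n;
            while ((n = rs.Read(buf, 0, buf.Length)) > 0)
                ms.Write(buf, 0, n);
            return ms.ToArray();
        }
    }
}
```

The trace line records which account makes the outbound request, which is the identity the proxy and firewall rules have to allow.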