Totally lost with c# web service execution as remote identity

Alright, I've been searching around for some time and have not been
able to find anything concrete on fixing an issue I am having. Here's
the situation:

1) I have a non-anonymous webservice running on a w2k3ee sp1 server
2) I am behind a corporate firewall, but was able to get our network
services group to punch a hole at port 80 through.
3) I'm running the webservice using an impersonation to the service
account and have the pool configured to run under this account, as
well.
4) My webservice needs to go out and time stamp files, using an
external TSA, sorta like Verisign's or Comodo's Time Stamp Authority
URL.
5) The webservice executes perfectly, when a service account is logged
in on the console, however, it ceases to function when logged off.
6) (I think this is the crux of my issue...) Once the svc account has
logged in, the service runs fine without that user logged in, until the
Kerberos ticket expires and it tries to renew itself and can't grab the
user, b/c it's not logged in.

I've tried several different scenarios of having the service and/or web
site run as alternate values. (localsystem, local service, network
service, Domain service account and local service account) I've made
the accounts local admins on the box and have run ProxyCFG in both
direct mode and with current user configurations. I've also run
through different levels of impersonation (machine.config &
web.config).

Has anyone out there run into this type of issue, where the service
needs to make an external web call? I'm quite perplexed and pulling
out what's left of my hair. :)

Thanks,

-TGroten

Nov 17 '05 #1

I had a similar issue with a website that needed to log requests to files -
but the ASP account did not have rights to create files on the {possibly
remote network} disk drive. I worked around this issue by moving the "log
request" functionality into an Enterprise Services component and then
configuring the component to run "out of proc" under a more privileged
identity...

Nov 17 '05 #2
Hi
1. I really go with Todd on it, but just thinking of another workaround: how about
creating a separate web service to access external sites or services and
calling this service from your service, but don't use impersonation?

2. Why does the service fail to grab a k ticket? It shouldn't if it is a machine
account or the accounts you mentioned.

Check the following attribute values in the config file:
processModel
comAuthenticationLevel
comImpersonationLevel
userName and password
and check this article:
http://support.microsoft.com/default...;EN-US;Q326089
If this helps, let me know. I guess delegation is not enabled in your case.

VMDev

Nov 17 '05 #3
Even this may be of little help

https://blogs.msdn.com/dansellers/archive/2004/03.aspx

especially this part
Generally, it's not a good idea to run all code while impersonating. This
can lead to some weird problems with permissions on kernel objects (threads,
processes, named synchronization objects) that get created while
impersonating. It also prevents efficient database connection pooling.

If you really need to impersonate the authenticated user, a better approach
might be to do it manually as described here:

http://support.microsoft.com/?id=306158

System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext =
((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

//Insert your code that runs under the security context of the authenticating user here.

//Revert to the identity the thread had before Impersonate() was called.
impersonationContext.Undo();

good luck

Nov 17 '05 #4
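
The advice in the replies above (impersonate only around the code that needs the caller's identity, and make the external call without impersonation), as an added example that is not code from the thread or the linked articles. It targets .NET Framework; the class, method and parameter names are hypothetical, `buildQuery` stands for whatever produces the time-stamp request body, and the TSA is assumed to accept RFC 3161 requests over HTTP POST. In an ASMX method the `caller` argument would be `(WindowsIdentity)User.Identity`.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Security.Principal;

// Hypothetical helper: class, method and parameter names are assumptions.
public static class ScopedImpersonation
{
    public static byte[] ReadAsCallerThenStamp(
        WindowsIdentity caller, string path, string tsaUrl,
        Func<byte[], byte[]> buildQuery)   // builds the request body (not shown)
    {
        byte[] fileBytes;

        // Impersonate the authenticated caller only for the file read.
        WindowsImpersonationContext ctx = caller.Impersonate();
        try
        {
            Trace.WriteLine("file read as: " + WindowsIdentity.GetCurrent().Name);
            fileBytes = File.ReadAllBytes(path);
        }
        finally
        {
            // Always revert, even on an exception, so the pooled worker
            // thread does not keep the caller's token for later requests.
            ctx.Undo();
        }

        // From here on the thread runs as the process (app pool) identity.
        Trace.WriteLine("outbound call as: " + WindowsIdentity.GetCurrent().Name);

        byte[] query = buildQuery(fileBytes);
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(tsaUrl);
        req.Method = "POST";
        req.ContentType = "application/timestamp-query"; // RFC 3161 over HTTP (assumed)
        req.ContentLength = query.Length;
        using (Stream body = req.GetRequestStream())
            body.Write(query, 0, query.Length);

        using (WebResponse resp = req.GetResponse())
        using (Stream rs = resp.GetResponseStream())
        using (MemoryStream ms = new MemoryStream())
        {
            rs.CopyTo(ms);
            return ms.ToArray();
        }
    }
}
```

The two trace lines record which account each step actually runs as, which is the first thing to confirm when a call works only while a particular user is logged on.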