kerberos authentication

Hi,

I am trying to secure a WS using WSE 3.0 and Kerberos.
I used the "WSE 3.0 settings" from VS2005 with my own WS.
I have a console application which tries to access a WS.
With the following configuration it works:
- WS/IIS and AD on the Windows 2003 server
- console application on a Windows XP workstation
With the following configuration it fails:
- AD on a Windows 2003 server
- console application and WS/IIS on a Windows XP workstation
Here are the error messages:
"Server unavailable, please try later"
"An error occured processing an outgoing fault response. ---> System.Web.Services.Protocols.SoapHeaderException: Microsoft.Web.Services3.Security.SecurityFault: SecurityContextToken is expected but not present in the security header of the incoming message."
"An invalid security token was provided"
"AcceptSecurityContext call failed with the following error message: Logon failure: unknown user name or bad password."
I have done a lot of searching with Google, so here is what I did:
- I have set ASPNET to act as the operating system => problem not solved
- I have updated web.config to use another user (instead of ASPNET) from the domain (mydomain\myuser) => problem not solved
What could be the problem??
Do I need to set some specific configuration on AD??
Thanks for your help
Rod

Jan 11 '07 #1
"webrod" <ro**************@gmail.com> wrote in message
news:11**********************@o58g2000hsb.googlegroups.com...
> Hi,
>
> I am trying to secure a WS using WSE 3.0 and Kerberos.
> I used the "WSE 3.0 settings" from VS2005 with my own WS.
> I have a console application which tries to access a WS.
> With the following configuration it works:
> - WS/IIS and AD on the Windows 2003 server
> - console application on a Windows XP workstation
> With the following configuration it fails:
> - AD on a Windows 2003 server
> - console application and WS/IIS on a Windows XP workstation
> Here are the error messages:
> "Server unavailable, please try later"
> "An error occured processing an outgoing fault response. ---> System.Web.Services.Protocols.SoapHeaderException: Microsoft.Web.Services3.Security.SecurityFault: SecurityContextToken is expected but not present in the security header of the incoming message."
> "An invalid security token was provided"
> "AcceptSecurityContext call failed with the following error message: Logon failure: unknown user name or bad password."
> I have done a lot of searching with Google, so here is what I did:
> - I have set ASPNET to act as the operating system => problem not solved
> - I have updated web.config to use another user (instead of ASPNET) from the domain (mydomain\myuser) => problem not solved
> What could be the problem??
> Do I need to set some specific configuration on AD??
> Thanks for your help
> Rod

Kerberos is a NETWORK authentication protocol, that is, it only works across networks. Your
client and server (IIS) are running on the same server, which means Kerberos won't be used.
Moreover, there is probably no authentication handshake needed; the client may already be
authenticated and have his token (ticket) cached by the local LSA (provided he's Kerberos
authenticated and not NTLM).
For the same reason it's also discouraged to run IIS (or whatever other service) on the DC
(running AD); many have been bitten by the fact that authentication fails or doesn't work as
expected because both entities aren't connected over a network.

WSE is a web based services infrastructure; you should set up a test environment with
separate entities when performing security testing.

Willy.
PS. Before we start another endless thread, I would ask you to post WSE 3.0 questions/issues
to the forum at: <http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=46&SiteID=1>
AD related issues are better posted to one of the many directory related NG's like:
Microsoft.public.active.directory.interfaces

Jan 11 '07 #2
Thanks Willy,

actually, you said that IIS should not be on the AD server, and that
the client should not be on the same server as IIS.
So I ran the client from the AD server and used IIS on the XP
workstation.
I got the same error message.
For the time being, I can only use 2 PCs for my test; my IT team provided
me a separate network for my test with only 2 PCs (this is because the
main network is based on NT and IT policy disallows an AD directory within
this network!!)

I have posted the same message here
<http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=46&SiteID=1>
as you said.

Rod

Jan 12 '07 #3
"webrod" <ro**************@gmail.com> wrote in message
news:11*********************@q2g2000cwa.googlegroups.com...
> Thanks Willy,
>
> actually, you said that IIS should not be on the AD server, and that
> the client should not be on the same server as IIS.

The most important thing is that you separate the client from the service, that is, run the client
on XP and IIS on the server. The fact that IIS and AD are on the same server is something to
watch for when accessing resources (file servers etc.) from IIS or your web applications
hosted by IIS. In your case it's the best you can get, and it's a working configuration,
right?

> So I ran the client from the AD server and used IIS on the XP
> workstation.
> I got the same error message.
> For the time being, I can only use 2 PCs for my test; my IT team provided
> me a separate network for my test with only 2 PCs (this is because the
> main network is based on NT and IT policy disallows an AD directory within
> this network!!)
>
> I have posted the same message here
> <http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=46&SiteID=1>
> as you said.

Ok, I'll try to follow up.

Willy.

Jan 12 '07 #4
> The most important is that you separate the client from the service, that is run the client
> on XP and IIS on the server, [...] In your case it's the best you can get, and it's a working configuration,
> right?

yes, but I am wondering if it's not a "too easy" configuration (IIS and
AD on the same server).
So, OK it works, but in the "real life", AD will be on a separate
server.

That's why I wanted to test with IIS on a separate server (on my
workstation PC) and with this configuration I have the error message.

I'll try to get a third machine...

Thanks for your help

Rod

Jan 12 '07 #5