WSE 3.0 Kerberos Auth and issue with Windows XP ASPNET Account

I am using WSE 3.0 with Visual Studio 2005, specifically I'm using Kerberos
authentication and passing Kerberos ticket from Presentation Tier (VSTO.2005
client) to Server Tier through our Web Services (based on WSE 3.0).

Having our WSE 3.0-WebService over Windows Server 2003, everything works
great, but, over Windows XP, I have a problem (which is documented in WSE
3.0 help) but its workaround does not work properly (at least with my
current testing).

The problem is that the ASP.NET default user in Windows XP (ASPNET user account)
does not have enough privileges for running Kerberos authentication over WSE
3.0 Web Services, so, by default, using the ASPNET account, it does not work (we
get a WSE910 exception).

There is a MSFT sample where you can test it (WSSecurityKerberos) provided
with WSE 3.0 Setup.

Also, WSE samples Help documentation says the same, and gives a workaround:
==================================================
Running the Kerberos Sample - WSSecurityKerberos
On Microsoft® Windows® XP and Microsoft® Windows® 2000 Server, the Kerberos
Security sample (WSSecurityKerberos) requires additional higher privilege
settings for the ASPNET account. There are several ways to enable this. One
is to give ASPNET account "Act as part of Operating System" privilege using
Local Security Setting, and then reboot the system. Another alternative is
to modify machine.config by setting the username attribute equal to "system"
in the ProcessModel element, and then reset IIS.

NOTE: By default the policy version of the WSSecurityKerberos does not work
and throws an exception. This is because the machine name where the service
is running needs to be updated in the wse3policyCache.config in the
WSSecurityKerberosPolicyClient project to the machine where the service is
installed.
==================================================

Using SYSTEM account as aspnet_wp.exe WinXP-IIS pool process identity
(changing machine.config) with WSE 3.0-Kerberos over Windows XP, does work
properly, BUT, the problem we have is that we DO NEED to run our XML Web
Service with any account (like ASPNET) except SYSTEM account (because we'll
need to use also AzMan / Authentication Manager and it does not work with
SYSTEM account over Windows XP, but this shouldn't be part of this
question). You can reproduce the behaviour I am describing with just the
WSSecurityKerberos sample, without using AzMan within the same project.

So, taking a simple look, our solution would be changing ASPNET privileges,
enabling it to "Act as part of Operating System", using its Local Policy
"Act as part of Operating System".

BUT, we have done that and rebooted the machine, and it does not work at all (we
get the same exception). I have tested it on several Windows XP-SP2 machines
with no luck. So, do we need to do anything else to make it work with the ASPNET
account? (We already gave the ASPNET account the "Act as part of Operating System"
privilege using Local Security Setting).

Down below you can read my different environments:

Development Environment:
- Windows XP - SP2 (English US)
- Visual Studio 2005 Team Developer Edition (English US)
- WSE 3.0 (English US)
- IIS as Web server (it seems WSE does not work with Cassini
(VS.2005 Web Server).)

Future Production Environment
On the other hand, as I said, WSE 3.0-Kerberos works properly with Windows
Server 2003-SP1 and IIS 6.0 Pool process (w3wp.exe) default identity
(NETWORK SERVICE).

So, to sum up:
Do I need to do anything else to make WSE 3.0 work with ASPNET account over
Windows XP - SP2? (I already gave ASPNET account "Act as part of Operating
System" privilege using Local Security Setting and re-booted my machines).

Thanks in advance,

César de la Torre
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]
Software Architect

Renacimiento
Microsoft GOLD Certified Partner
Dec 21 '05 #1
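
Added example, not part of the original post: a way to check that the "Act as part of Operating System" right (internal name SeTcbPrivilege) is actually recorded for ASPNET, and to see every other account that holds it, by parsing the [Privilege Rights] section of a template exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`. The sample template, the machine name XPDEV01 and the function names are constructed for illustration.

```python
import configparser

# Constructed sample of an exported USER_RIGHTS template. A real export is
# normally UTF-16, so read it with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = XPDEV01\\ASPNET
SeImpersonatePrivilege = *S-1-5-32-544,XPDEV01\\ASPNET,*S-1-5-6
SeServiceLogonRight = *S-1-5-20,XPDEV01\\ASPNET
[Version]
signature="$CHICAGO$"
Revision=1
"""


def privilege_holders(inf_text):
    """Map each right in [Privilege Rights] to its list of holders."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the SeXxx names case-sensitive
    parser.read_string(inf_text)
    rights = {}
    if parser.has_section("Privilege Rights"):
        for name, value in parser.items("Privilege Rights"):
            rights[name] = [v.strip() for v in value.split(",") if v.strip()]
    return rights


def holds(rights, privilege, account):
    """True if `account` is listed by name for `privilege`."""
    wanted = account.lower()
    for entry in rights.get(privilege, []):
        if entry.startswith("*"):  # "*S-1-..." is a SID, not a name
            continue
        if entry.split("\\")[-1].lower() == wanted:  # drop MACHINE\ prefix
            return True
    return False


def tcb_review(inf_text, account="ASPNET"):
    """Report whether `account` holds SeTcbPrivilege and who else does."""
    rights = privilege_holders(inf_text)
    return {
        "account_has_tcb": holds(rights, "SeTcbPrivilege", account),
        "all_tcb_holders": rights.get("SeTcbPrivilege", []),
    }
```

Entries exported as SIDs are skipped by the name match, so an account listed only by SID has to be resolved separately before concluding it lacks the right.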