473,224 Members | 1,292 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,224 software developers and data experts.

WSE 3.0 Kerberos Auth and issue with Windows XP ASPNET Account

I am using WSE 3.0 with Visual Studio 2005, specifically I'm using Kerberos
authentication and passing Kerberos ticket from Presentation Tier (VSTO.2005
client) to Server Tier through our Web Services (based on WSE 3.0).

Having our WSE 3.0-WebService over Windows Server 2003, everything works
great, but, over Windows XP, I have a problem (which is documented in WSE
3.0 help) but its workaround does not work properly (at least with my
current testing).

The problem is that ASP.NET default user in Windows XP (ASPNET user account)
does not have privileges enough for running Kerberos authentication over WSE
3.0 Web Services, so, by default, using ASPNET account, it does not work (we
get WSE910 exception).

There is a MSFT sample where you can test it (WSSecurityKerberos) provided
with WSE 3.0 Setup.

Also, WSE samples Help documentation says the same, and gives a workaround:
================================================== ================================================== ================================================== ===============
Running the Kerberos Sample - WSSecurityKerberos
On Microsoft® Windows® XP and Microsoft® Windows® 2000 Server, the Kerberos
Security sample (WSSecurityKerberos) requires additional higher privilege
settings for the ASPNET account. There are several ways to enable this. One
is to give ASPNET account "Act as part of Operating System" privilege using
Local Security Setting, and then reboot the system. Another alternative is
to modify machine.config by setting the username attribute equal to "system"
in the ProcessModel element, and then reset IIS.

NOTE: By default the policy version of the WSSecurityKerberos does not work
and throws an exception. This is because the machine name where the service
is running needs to be updated in the wse3policyCache.config in the
WSSecurityKerberosPolicyClient project to the machine where the service is
installed.
================================================== ================================================== ================================================== ===============

Using SYSTEM account as aspnet_wp.exe WinXP-IIS pool process identity
(changing machine.config) with WSE 3.0-Kerberos over Windows XP, does work
properly, BUT, the problem we have is that we DO NEED to run our XML Web
Service with any account (like ASPNET) except SYSTEM account (because we'll
need to use also AzMan / Authentication Manager and it does not work with
SYSTEM account over Windows XP, but this shouldn't be part of this
question.). The behaviour I am describing you can reproduce it just with
WSSecurityKerberos sample, without using AzMan within the same project.

So, taking a simple look, our solution would be changing ASPNET privileges,
enabling it to "Act as part of Operating System", using its Local Policy
"Act as part of Operating System".

BUT, we have made it, rebooted the machine, but it does not work at all (we
get same exception). I have tested it in several Windows XP-SP2 machines
with no luck. So, do we need to do anything else to make it work with ASPNET
account?. (We already gave ASPNET account "Act as part of Operating System"
privilege using Local Security Setting).

Down below you can read my different environments:

Development Environment:
- Windows XP - SP2 (English US)
- Visual Studio 2005 Team Developer Edition (English US)
- WSE 3.0 (English US)
- IIS as Web server (it seems WSE does not work with cassini
(VS.2005 Web Server).)

Future Production Environment
On the other hand, as I said, WSE 3.0-Kerberos works properly with Windows
Server 2003-SP1 and IIS 6.0 Pool process (w3wp.exe) default identity
(NETWORK SERVICE).

So, to sum up:
Do I need to do anything else to make WSE 3.0 work with ASPNET account over
Windows XP - SP2? (I already gave ASPNET account "Act as part of Operating
System" privilege using Local Security Setting and re-booted my machines).

Thanks in advanced,

César de la Torre
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]
Software Architect

Renacimiento
Microsoft GOLD Certifed Partner
Dec 21 '05 #1
0 2259

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

3
by: Paul D. Fox | last post by:
Hi I'm running Windows Server 2003 as a Domain Controller (with Active Directory) as a development server. I created an app that uploads graphics but it doesn't have permission. ASPNET machine...
1
by: Michael Maes | last post by:
Hello, I can't get the ASPNET-Account installed on a Windows 2000 (5.00.2195) Server SP4 Domain Controller. I always receive "Web Server not running ASP.NET version 1.1" when I try to start a...
3
by: Nikhil Patel | last post by:
Hi all, I have written a web application that connects to Sql Server. I am using Windows Authentication with ASPNET local account. Do you think I should explicitly set the password for ASPNET or...
3
by: Doctor Who | last post by:
I am running a Windows 2003 Server w/Framework 1.1 loaded. We have built a ..NET 2003 app and it requires that ASPNET be assigned permissions to several folders and servcies. The ASPNET account...
7
by: M. Simioni | last post by:
Hi, i'm always auditing ASPNET's account accesses on my webserver, a WIN2K_SP4 + IIS5 + SQLServer2K_SP3a machine. Nearly all the applications work correctly, but i constantly find a message in...
4
by: palakwai_919 | last post by:
We have a Windows 2000 server with Beta 2 of the 2.0 Framework installed and the 1.1 Framework. For some odd reason when we hit our 2.0 Framework application we get the following error: Server...
3
by: musosdev | last post by:
Hi guys I've just noticed I don't have an ASPNET user account running on either my Workstation or Server (both running .net2.0, workstation has vs2005 pro). Simple question... should it be...
5
by: Paul Aspinall | last post by:
Hi I am trying to print, server side, from my web application. I'm getting problems, as my ASPNET account is a local account, and is not trusted on the domain to print to printers (ie. does not...
7
by: torus | last post by:
Is the aspnet account called "aspnet" for all non-English versions of Windows and IIS?
0
by: veera ravala | last post by:
ServiceNow is a powerful cloud-based platform that offers a wide range of services to help organizations manage their workflows, operations, and IT services more efficiently. At its core, ServiceNow...
0
by: VivesProcSPL | last post by:
Obviously, one of the original purposes of SQL is to make data query processing easy. The language uses many English-like terms and syntax in an effort to make it easy to learn, particularly for...
0
by: jianzs | last post by:
Introduction Cloud-native applications are conventionally identified as those designed and nurtured on cloud infrastructure. Such applications, rooted in cloud technologies, skillfully benefit from...
0
by: mar23 | last post by:
Here's the situation. I have a form called frmDiceInventory with subform called subfrmDice. The subform's control source is linked to a query called qryDiceInventory. I've been trying to pick up the...
2
by: jimatqsi | last post by:
The boss wants the word "CONFIDENTIAL" overlaying certain reports. He wants it large, slanted across the page, on every page, very light gray, outlined letters, not block letters. I thought Word Art...
2
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 7 Feb 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:30 (7.30PM). In this month's session, the creator of the excellent VBE...
0
by: stefan129 | last post by:
Hey forum members, I'm exploring options for SSL certificates for multiple domains. Has anyone had experience with multi-domain SSL certificates? Any recommendations on reliable providers or specific...
1
by: davi5007 | last post by:
Hi, Basically, I am trying to automate a field named TraceabilityNo into a web page from an access form. I've got the serial held in the variable strSearchString. How can I get this into the...
0
by: MeoLessi9 | last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.