accessing WebService from asp.net App on load balanced Servers

Discussion in 'ASP .Net Security' started by Jason, Nov 27, 2005.

  1. Jason

    Jason Guest

    Hi,

    I have an ASP.Net application that retrieves data from a Web Service. When
    the Web service resides on the same server I have no problem and the ASP.NET
    page functions as expected. I am using impersonation and the credentials are
    being passed to the web service as expected.

    Now, when the web service resides on a different server the credentials are
    not passed to the web service and the ASP application receives a 401 error. I
    have seen emails about using Kerberos but have not been successful in getting
    it to work. Could this be because I am using load balanced servers? (Using
    Application Server) I thought this worked when using Windows 2000 Server but
    I am now using Windows 2003 Server. Can you tell me what specific steps I
    need to take for my ASP.NET application to function and retrieve content from
    a web service, passing the credentials of the original user using the ASP.NET
    application?
    Thanks
    Jason
    Jason, Nov 27, 2005
    #1

  2. Hi Jason,

    Welcome to the asp.net newsgroup.
    From your description, you're accessing an ASP.NET web service from an
    ASP.NET web application, and the web application turns on impersonation
    so as to use the client user's credentials to access the web service
    (authenticated/protected...). However, you found that this works only when
    the web service is on the same machine as the web application...
    Otherwise, you'll get a 401 error, yes?

    Based on my experience, this problem is caused by a limitation of the logon
    session generated by normal Windows NTLM authentication. By default the
    ASP.NET implicitly impersonated client logon sessions are network logon
    sessions; they have no network credentials. So it is OK for accessing
    protected resources on the same box (as the ASP.NET web application...),
    however, when trying to access some remote protected resource... we'll get
    an access error since no security credential is sent (a network logon
    session cannot be forwarded to a remote machine...). This is the typical
    double hop limit...

    So as for your scenario, the most recommended and simplest means is to use
    a fixed privileged account to access the remote web service in your ASP.NET
    web application (avoid using the implicitly impersonated client user's
    credentials....). Or you can consider still maintaining the web service on
    the same server as the ASP.NET web app....
    And for the Kerberos you mentioned, yes, it is possible to configure
    Kerberos delegation between the client and our ASP.NET web application so as
    to establish a Kerberos ticket which can be forwarded to multiple remote
    machines (multiple hops...), but using Kerberos delegation may require
    complex configuration on both the client side (browser) and the server side
    (including the ASP.NET web app's server and the web service's server, also
    the Win2K or Win2003 domain.....), so we do not recommend using this
    approach......

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)

    --------------------
    | Thread-Topic: accessing WebService from asp.net App on load balanced
    Servers
    | thread-index: AcXzLeCUpK/csZhpRky0PT9rpnnVbw==
    | X-WBNR-Posting-Host: 134.134.136.1
    | From: "=?Utf-8?B?SmFzb24=?=" <>
    | Subject: accessing WebService from asp.net App on load balanced Servers
    | Date: Sun, 27 Nov 2005 00:38:01 -0800
    | Lines: 19
    | Message-ID: <>
    | MIME-Version: 1.0
    | Content-Type: text/plain;
    | charset="Utf-8"
    | Content-Transfer-Encoding: 7bit
    | X-Newsreader: Microsoft CDO for Windows 2000
    | Content-Class: urn:content-classes:message
    | Importance: normal
    | Priority: normal
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
    | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
    | Xref: TK2MSFTNGXA02.phx.gbl
    microsoft.public.dotnet.framework.aspnet.security:16428
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    |
    Steven Cheng[MSFT], Nov 28, 2005
    #2
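    The fixed-account approach Steven recommends, extended so the remote web service still learns who the original user is (Jason's objection to a hardcoded ID), as an added C# example that is not code from the thread: the web app authenticates machine-to-machine as its own service account and asserts the browser user's name in a SOAP header, and the service trusts that header only from that account. The service name, namespace, header type and appSettings keys are assumptions, and the web service site is assumed to use Windows authentication with anonymous access disabled.

```csharp
// Added example: "trusted subsystem" pattern for the double-hop problem.
// All type names, namespaces and config keys are assumptions, not from the thread.
using System;
using System.Configuration;
using System.Net;
using System.Web.Services;
using System.Web.Services.Protocols;

// SOAP header carrying the original user's account name (hypothetical type).
public class OriginalUserHeader : SoapHeader
{
    public string UserName;
}

// ---------- Web application side: hand-written ASMX proxy ----------
[WebServiceBinding(Name = "BackendServiceSoap", Namespace = "http://example.invalid/backend")]
public class BackendServiceProxy : SoapHttpClientProtocol
{
    public OriginalUserHeader OriginalUserHeaderValue;

    [SoapHeader("OriginalUserHeaderValue")]
    [SoapDocumentMethod("http://example.invalid/backend/GetData")]
    public string GetData()
    {
        object[] results = Invoke("GetData", new object[0]);
        return (string)results[0];
    }
}

public static class BackendCaller
{
    // originalUser is HttpContext.Current.User.Identity.Name in the page: the
    // identity IIS authenticated, which under impersonation is a network logon
    // token valid only on this box (the double hop Steven describes).
    public static string GetDataFor(string originalUser)
    {
        BackendServiceProxy proxy = new BackendServiceProxy();
        proxy.Url = ConfigurationManager.AppSettings["BackendUrl"];

        // Authenticate to the remote service as a fixed, least-privilege
        // service account read from (encrypted) config, never the impersonated user.
        proxy.Credentials = new NetworkCredential(
            ConfigurationManager.AppSettings["BackendUser"],
            ConfigurationManager.AppSettings["BackendPassword"],
            ConfigurationManager.AppSettings["BackendDomain"]);
        proxy.PreAuthenticate = true;

        proxy.OriginalUserHeaderValue = new OriginalUserHeader();
        proxy.OriginalUserHeaderValue.UserName = originalUser;
        return proxy.GetData();
    }
}

// ---------- Web service side ----------
[WebService(Namespace = "http://example.invalid/backend")]
public class BackendService : WebService
{
    public OriginalUserHeader OriginalUser;

    // Account the web app makes its calls under, e.g. DOMAIN\svc-webapp.
    private static readonly string TrustedCaller =
        ConfigurationManager.AppSettings["TrustedCallerAccount"];

    [WebMethod]
    [SoapHeader("OriginalUser", Direction = SoapHeaderDirection.In)]
    public string GetData()
    {
        // Windows authentication on this site tells us who the caller really is.
        // Only the web app's service account may assert a user identity; otherwise
        // any client that can reach the service could claim to be anyone.
        if (!User.Identity.IsAuthenticated ||
            !string.Equals(User.Identity.Name, TrustedCaller, StringComparison.OrdinalIgnoreCase))
        {
            throw new SoapException("Caller is not allowed to assert a user identity",
                                    SoapException.ClientFaultCode);
        }
        if (OriginalUser == null || string.IsNullOrEmpty(OriginalUser.UserName))
        {
            throw new SoapException("OriginalUser header is required",
                                    SoapException.ClientFaultCode);
        }

        // Authorize and tailor the response for the original user from here on.
        return "data for " + OriginalUser.UserName;
    }
}
```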

  3. Jason

    Jason Guest

    Steven,

    Thanks for your response. Unfortunately landing the web service on the same
    server as the asp.net application is not an option. Neither is using a
    hardcoded ID, as the web service recognizes the user and sets the response
    appropriately. I am amazed that there is no other option. Does the 2.0
    framework change anything? I have tried to create an assembly using
    EnterpriseServices to handle the impersonation also, but it still will not
    send the user's credentials. Can you confirm with your colleagues whether this is
    possible with the current framework or not? This problem seems to remove the
    benefit of using a Web Service for the back end data provider...

    Thanks
    Jason

    Jason, Nov 28, 2005
    #3
  4. Thanks for your response Jason,

    Actually, this limit is due to Windows NTLM authentication, which doesn't
    allow an authenticated logon session to double hop across multiple machines.
    So the client's implicitly impersonated credential can only access the
    ASP.NET server's protected resources but not another remote machine... In
    addition to Kerberos delegation (which requires all the computers involved in
    the application's process stream to be configured correctly.....), another
    approach is to programmatically impersonate the client user; such a
    programmatically impersonated session will also be remotable to other
    machines. However, programmatic impersonation requires a clear text
    username/password....

    #How to configure an ASP.NET application for a delegation scenario
    http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

    Anyway, delegating authenticated credentials across multiple hops is not a
    good idea, since with every additional hop the possibility that the context
    is hacked increases. Also, performance overhead is involved.

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)



    Steven Cheng[MSFT], Nov 29, 2005
    #4
  5. Jason

    Jason Guest

    Would Constrained Delegation not give me a solution here? This is an Intranet
    application and my understanding of constrained delegation is that the
    original user impersonation will carry through to the back end server?
    Jason, Nov 29, 2005
    #5
  6. Thanks for your response Jason,

    Yes, if you're able to successfully implement the Kerberos authentication
    configuration from the client (browser side....) to your web server and
    the remote web service server (all in the same 2000 or 2003 domain or a
    trusted domain...), and all the user accounts meet the requirements, the
    Kerberos token can be forwarded from the web server to the remote web service server...

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    | > | > However, he found that this worked only when the webservice is on
    the
    | > same
    | > | > machine with the web applicaiton...
    | > | > Elsewise, you'll get 401 error, yes?
    | > | >
    | > | > Based on my experience, this problem is caused by the limitation of
    | > normal
    | > | > windows NTLM authentication's generated logon session. By default
    the
    | > | > asp.net implicit impersonated client logon session are network
    logon
    | > | > sessions, they have not network credentials. So it is ok for
    accessing
    | > | > protected resources on the same box (with the asp.net web
    | > application...),
    | > | > however, when try accessing some remote protected resources...
    we'll
    | > get
    | > | > access error since no security credential is sent (network logon on
    | > session
    | > | > can not be forwarded to remote machine...). This is a typical
    double
    | > hop
    | > | > limit...
    | > | >
    | > | > So as for your scenario, the most recommended and simplest means is
    to
    | > use
    | > | > a fixed privileged account to access the remote webservice in your
    | > asp.net
    | > | > web application (avoid using the implict impersonated client user's
    | > | > credential....). Or you can consider still maintain the webservice
    on
    | > the
    | > | > same server with the asp.net web app....
    | > | > And for the Kerberos you mentioned, yes, it is possible to
    configure
    | > | > kerberos delegation between client and our asp.net webapplication
    so as
    | > to
    | > | > establish kerberos ticket which can be forwarded to multiple remote
    | > | > machine(mulitple hops...), but using kerberos delegation may
    require
    | > | > complex configuration on both client side (browser ) and serverside

    | > | > (including asp.net web app's server and webservice's server , also
    the
    | > | > win2k or win2003 domain.....), so we do not recommend using this
    | > approach
    | > | > ......
    | > | >
    | > | > Thanks,
    | > | >
    | > | > Steven Cheng
    | > | > Microsoft Online Support
    | > | >
    | > | > Get Secure! www.microsoft.com/security
    | > | > (This posting is provided "AS IS", with no warranties, and confers
    no
    | > | > rights.)
    | > | >
    | > | > --------------------
    | > | > | Thread-Topic: accessing WebService from asp.net App on load
    balanced
    | > | > Servers
    | > | > | thread-index: AcXzLeCUpK/csZhpRky0PT9rpnnVbw==
    | > | > | X-WBNR-Posting-Host: 134.134.136.1
    | > | > | From: "=?Utf-8?B?SmFzb24=?=" <>
    | > | > | Subject: accessing WebService from asp.net App on load balanced
    | > Servers
    | > | > | Date: Sun, 27 Nov 2005 00:38:01 -0800
    | > | > | Lines: 19
    | > | > | Message-ID: <>
    | > | > | MIME-Version: 1.0
    | > | > | Content-Type: text/plain;
    | > | > | charset="Utf-8"
    | > | > | Content-Transfer-Encoding: 7bit
    | > | > | X-Newsreader: Microsoft CDO for Windows 2000
    | > | > | Content-Class: urn:content-classes:message
    | > | > | Importance: normal
    | > | > | Priority: normal
    | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    | > | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    | > | > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
    | > | > | Path:
    TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
    | > | > | Xref: TK2MSFTNGXA02.phx.gbl
    | > | > microsoft.public.dotnet.framework.aspnet.security:16428
    | > | > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    | > | > |
    | > | > | Hi,
    | > | > |
    | > | > | I have an ASP.Net application that retrieves Data from a Web
    Service.
    | > | > When
    | > | > | the Web service resides on the same server I have no problem and
    the
    | > | > asp.net
    | > | > | page functions as expected. I am using impersonation and the
    | > credentials
    | > | > are
    | > | > | being passed to the web service as expected.
    | > | > |
    | > | > | Now, when the web service resides on a different server the
    | > credentials
    | > | > are
    | > | > | not passed to the webservice and the asp application receives a
    401
    | > | > Error. I
    | > | > | have seen emails about using kerberos but have not been
    successful in
    | > | > getting
    | > | > | it to work. Could this be because I am using Load balanced
    servers?
    | > | > (Using
    | > | > | Application Server) I thought this worked when using Windows 2000
    | > Server
    | > | > but
    | > | > | I am now using Windows 2003 Server. Can you tell me What specific
    | > steps I
    | > | > | need to take for my asp.net application to function and retrieve
    | > content
    | > | > from
    | > | > | a web service passing the credentials of the original user using
    the
    | > | > asp.net
    | > | > | application??
    | > | > | Thanks
    | > | > | Jason
    | > | > |
    | > | > |
    | > | >
    | > | >
    | > |
    | >
    | >
    |
    Steven Cheng[MSFT], Nov 29, 2005
    #6
  7. Hello Steven Cheng[MSFT],

    and if you wonder how that works, have a look at:
    http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Thanks for your response Jason,
    >
    > Yes, if you're able to successfully implement the kerberos
    > authentication configuration from the client (browser side....) to
    > your web server and the remote webservice server (all in the same 2000
    > or 2003 domain or trusted domain...), and all the user accounts meet
    > the requirement, the kerberos token can be forwarded from webserver to
    > remote webservice server...
    >
    > Thanks,
    >
    > Steven Cheng
    > Microsoft Online Support
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    Dominick Baier [DevelopMentor], Nov 29, 2005
    #7
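    The forwarding Steven describes above only happens when the impersonated token is at delegation level; an NTLM network-logon token, or a Kerberos token issued without delegation allowed, stops at the web server. The following added example (not code from the thread or from Microsoft) inspects that token before the second hop, so the ASP.NET application fails with a diagnosis instead of an opaque 401. It assumes .NET Framework 2.0, `<identity impersonate="true"/>` in web.config, and a wsdl.exe-generated proxy (any SoapHttpClientProtocol subclass); the report strings are my own wording.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web.Services.Protocols;

// Added diagnostic for the double-hop problem discussed in the thread.
// Assumes ASP.NET 2.0 with <identity impersonate="true"/>, so that
// WindowsIdentity.GetCurrent() returns the browser user's token.
public static class SecondHopCheck
{
    // What was learned about the token the current request runs under.
    public sealed class TokenReport
    {
        public string User;                   // e.g. DOMAIN\user
        public string Package;                // "Kerberos", "NTLM" or "Negotiate"
        public TokenImpersonationLevel Level; // Impersonation vs. Delegation
        public bool CanReachRemoteHost;       // true only for a delegation-level token
        public string Reason;                 // human-readable diagnosis for the log
    }

    // Inspects the impersonated identity. An NTLM network logon, or a Kerberos
    // ticket obtained while delegation is not permitted, yields a token at
    // TokenImpersonationLevel.Impersonation: valid on this box, not remotely.
    public static TokenReport Inspect(WindowsIdentity id)
    {
        TokenReport r = new TokenReport();
        r.User = id.Name;
        r.Package = id.AuthenticationType;
        r.Level = id.ImpersonationLevel;
        r.CanReachRemoteHost = (r.Level == TokenImpersonationLevel.Delegation);

        if (r.CanReachRemoteHost)
        {
            r.Reason = "Delegation-level token; the second hop will carry " + r.User + ".";
        }
        else if (string.Equals(r.Package, "NTLM", StringComparison.OrdinalIgnoreCase))
        {
            // The classic double-hop limit: a network logon session holds no
            // credentials that could be presented to another machine.
            r.Reason = "NTLM network logon: nothing can be forwarded to a remote host.";
        }
        else
        {
            // Kerberos was used but the ticket is not forwardable: the web
            // server's account must be trusted for delegation (to the remote
            // service's SPN for constrained delegation) and the user account
            // must not be marked as sensitive / not delegable.
            r.Reason = "Kerberos ticket not forwardable: check delegation settings "
                     + "on the web server account and the user account.";
        }
        return r;
    }

    // Calls the remote service as the original caller only when that can work.
    // Failing here, with the reason, is far easier to troubleshoot than the
    // 401 the remote web service would otherwise return.
    public static void CallAsCaller(SoapHttpClientProtocol proxy,
                                    Action<SoapHttpClientProtocol> invoke)
    {
        TokenReport report = Inspect(WindowsIdentity.GetCurrent());
        if (!report.CanReachRemoteHost)
        {
            throw new InvalidOperationException(
                "Cannot call " + proxy.Url + " as " + report.User + ": " + report.Reason);
        }

        // Present the impersonated (delegation-level) token on the second hop.
        proxy.Credentials = CredentialCache.DefaultCredentials;
        invoke(proxy);
    }
}
```

    Logging the TokenReport fields on every request gives a quick way to tell an NTLM fallback (for example a browser that did not negotiate Kerberos, or a load-balanced host name with no matching SPN) from a genuine delegation misconfiguration.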
  8. Hi Jason,

    Have you got any further ideas on this issue? If there is anything else we
    can help with, please feel free to post here.

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Steven Cheng[MSFT], Dec 1, 2005
    #8
  9. Hey Jason,

    Thanks for your further feedback, and sorry for not having made things clear.
    Yes, for an intranet application within a Windows domain (2000 or 2003)
    environment, we can have the client-side Windows authentication security
    context forwarded to the server, and on to a more remote server (e.g. a backend
    database....) through Kerberos delegation.

    Actually, due to the complexity and environment-dependent requirements,
    there are few complete examples, unlike for some other technical tricks....
    However, we have many MSDN reference and technical articles introducing
    such features:

    For general info on ASP.NET delegation:

    #ASP.NET Delegation
    http://msdn.microsoft.com/library/en-us/vsent7/html/vxconaspnetdelegation.asp?frame=true

    #How to configure an ASP.NET application for a delegation scenario
    http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

    #How To: Use Impersonation and Delegation in ASP.NET 2.0
    http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000023.asp?frame=true

    When the web server is Win2K, more configuration is needed due to the
    Win2K server's particular OS security settings....

    #How To Implement Kerberos Delegation for Windows 2000
    http://msdn.microsoft.com/library/en-us/secmod/html/secmod19.asp?frame=true

    #Understanding Kerberos Credential Delegation in Windows 2000 Using the
    TktView Utility
    http://msdn.microsoft.com/msdnmag/issues/0500/security/default.aspx

    In addition, I remember that we can find some webcasts on the TechNet site
    about configuring IIS to suit the Kerberos delegation scenario....

    http://www.microsoft.com/windowsserver2003/iis/support/webcasts.mspx

    Hope this helps. Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Steven Cheng[MSFT], Dec 2, 2005
    #9
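    The double-hop symptom and the delegation fix discussed in this thread can be checked from inside the ASP.NET application itself. The C# below is an added example, not code from the thread or from Microsoft. It assumes an ASP.NET 2.0 application (WindowsIdentity.ImpersonationLevel is a 2.0 API) with Windows authentication and impersonation turned on in web.config, and a wsdl.exe-generated web service proxy; the DelegationCheck class, the ConfigureProxy parameters and the fixed serviceAccount are names introduced here for illustration. Describe() reports whether the impersonated token is at Delegation level (Kerberos delegation configured, forwarding will work) or only at Impersonation level (the network-logon token that cannot leave the web server and yields the 401 at the web service), and ConfigureProxy() shows the two credential choices the thread lays out: forwarding the caller's identity, or using a fixed account.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web.Services.Protocols;

// Added example, not code from the thread or from Microsoft.
// Assumes an ASP.NET 2.0 web application with
//   <authentication mode="Windows"/> and <identity impersonate="true"/>
// in web.config, so that WindowsIdentity.GetCurrent() on a request thread
// is the browser user's impersonated token.
public static class DelegationCheck
{
    // Describes whether the impersonated token can be forwarded to a remote
    // web service (Kerberos delegation) or is a plain network logon that will
    // hit the double-hop limit and produce a 401 at the second server.
    public static string Describe()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();

        // ImpersonationLevel is the decisive property: Delegation means the
        // KDC issued a forwardable ticket and the web server's account is
        // trusted for delegation; Impersonation means the token is only
        // valid on this machine. AuthenticationType ("NTLM", "Kerberos" or
        // "Negotiate") is reported for context only.
        bool delegable = id.ImpersonationLevel == TokenImpersonationLevel.Delegation;

        if (delegable)
        {
            return String.Format(
                "{0}: {1} token at Delegation level; the web service proxy may forward it.",
                id.Name, id.AuthenticationType);
        }
        return String.Format(
            "{0}: {1} token at {2} level; it cannot leave this server (double-hop limit), "
            + "so remote calls made with DefaultCredentials will get 401.",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);
    }

    // Gives a wsdl.exe-generated proxy (any SoapHttpClientProtocol subclass)
    // its credentials in one of the two ways the thread describes.
    // 'serviceAccount' is a hypothetical fixed account, used only when the
    // caller's identity is not forwarded.
    public static void ConfigureProxy(SoapHttpClientProtocol proxy,
                                      bool forwardCallerIdentity,
                                      NetworkCredential serviceAccount)
    {
        if (forwardCallerIdentity)
        {
            // Forward the impersonated caller's own token. This works across
            // machines only when Describe() reports Delegation level.
            proxy.Credentials = CredentialCache.DefaultCredentials;
        }
        else
        {
            // The fallback recommended earlier in the thread: a fixed account.
            // The remote service then authenticates that account, not the end
            // user, so any per-user behaviour has to come from message content.
            proxy.Credentials = serviceAccount;
        }
        // Send the Authorization header up front instead of waiting for the
        // 401 challenge on every call.
        proxy.PreAuthenticate = true;
    }
}
```

    Putting DelegationCheck.Describe() on a diagnostic page and requesting it through the load balancer shows per node which level the token actually reaches; seeing Impersonation rather than Delegation means the delegation configuration in the linked articles is not yet in effect on that node. On a load-balanced farm the additional Kerberos requirement is that every node runs the application under the same domain account and that the HTTP service principal name for the load-balanced host name is registered on that account (setspn.exe); a node that cannot decrypt the ticket for that name falls back to NTLM, which is exactly the non-forwardable case Describe() reports.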
