RE: accessing WebService from asp.net App on load balanced Servers

From: Jason (JRawlins_at_noemail.nospam)
Date: 11/28/05


Date: Sun, 27 Nov 2005 20:30:02 -0800

Steven,

Thanks for your response. Unfortunately landing the web service on the same
server as the asp.net application is not an option. Neither is using a
hardcoded ID as the web service recognizes the user and sets the response
appropriately. I am amazed that there is no other option. Does the 2.0
framework change anything? I have tried to create an assembly using
EnterpriseServices to handle the impersonation also but it still will not
send the user's credentials. Can you confirm with your colleagues if this is
possible with the current framework? or not? This problem seems to remove the
benefit of using a Web Service for the back end data provider...

Thanks
Jason

"Steven Cheng[MSFT]" wrote:

> Hi Jason,
>
> Welcome to asp.net newsgroup.
> From your description, you're accessing an ASP.NET webservice from an
> asp.net webapplication, the web application
> turns on impersonate so as to use the client user's credential to access the
> webservice(authenticated protected...)
> However, he found that this worked only when the webservice is on the same
> machine with the web application...
> Elsewise, you'll get 401 error, yes?
>
> Based on my experience, this problem is caused by the limitation of normal
> windows NTLM authentication's generated logon session. By default the
> asp.net implicit impersonated client logon session are network logon
> sessions, they have no network credentials. So it is ok for accessing
> protected resources on the same box (with the asp.net web application...),
> however, when trying to access some remote protected resources... we'll get
> access error since no security credential is sent (network logon session
> can not be forwarded to remote machine...). This is a typical double hop
> limit...
>
> So as for your scenario, the most recommended and simplest means is to use
> a fixed privileged account to access the remote webservice in your asp.net
> web application (avoid using the implicit impersonated client user's
> credential....). Or you can consider still maintain the webservice on the
> same server with the asp.net web app....
> And for the Kerberos you mentioned, yes, it is possible to configure
> kerberos delegation between client and our asp.net webapplication so as to
> establish kerberos ticket which can be forwarded to multiple remote
> machine(multiple hops...), but using kerberos delegation may require
> complex configuration on both client side (browser ) and serverside
> (including asp.net web app's server and webservice's server , also the
> win2k or win2003 domain.....), so we do not recommend using this approach
> ......
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
> --------------------
> | From: "Jason" <JRawlins@noemail.nospam>
> | Subject: accessing WebService from asp.net App on load balanced Servers
> | Date: Sun, 27 Nov 2005 00:38:01 -0800
> | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> |
> | Hi,
> |
> | I have an ASP.Net application that retrieves Data from a Web Service. When
> | the Web service resides on the same server I have no problem and the asp.net
> | page functions as expected. I am using impersonation and the credentials are
> | being passed to the web service as expected.
> |
> | Now, when the web service resides on a different server the credentials are
> | not passed to the webservice and the asp application receives a 401 Error. I
> | have seen emails about using kerberos but have not been successful in getting
> | it to work. Could this be because I am using Load balanced servers? (Using
> | Application Server) I thought this worked when using Windows 2000 Server but
> | I am now using Windows 2003 Server. Can you tell me What specific steps I
> | need to take for my asp.net application to function and retrieve content from
> | a web service passing the credentials of the original user using the asp.net
> | application??
> | Thanks
> | Jason
> |
>
>
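An added diagnostic, not part of the original thread: since the reply above attributes the 401 to NTLM logon sessions that cannot be forwarded, a first check is which mechanism the browser actually used at the first hop. The sketch classifies an HTTP `Authorization` header value captured at the ASP.NET server; the function names are hypothetical and both sample tokens are constructed prefixes, not real captures.

```python
import base64

# Signature that opens every NTLM message, raw or wrapped in SPNEGO.
NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded OID 1.2.840.113554.1.2.2 (Kerberos V5 GSS-API mechanism).
KRB5_OID = bytes.fromhex("06092a864886f712010202")


def classify_authorization(header_value):
    """Return 'ntlm', 'kerberos', 'none' or 'unknown' for an
    Authorization header value seen by the front-end web application."""
    if not header_value:
        return "none"
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    # Check NTLM first: a Negotiate token may list the Kerberos OID as an
    # offered mechanism while the token actually carried is NTLM.
    if NTLMSSP_SIG in token:
        return "ntlm"
    # GSS-API initial tokens start with ASN.1 tag 0x60.
    if token[:1] == b"\x60" and KRB5_OID in token:
        return "kerberos"
    return "unknown"


def can_delegate(header_value):
    """True only when the first hop used Kerberos, the one case in which
    delegation to the remote web service could be configured."""
    return classify_authorization(header_value) == "kerberos"


# Constructed samples: NTLM type 1 message prefix, and a GSS-API header
# followed by the Kerberos mechanism OID (not a complete ticket).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIG + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2").decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x82\x01\x00" + KRB5_OID + b"\x01\x00" + b"\x00" * 16).decode()

if __name__ == "__main__":
    for name, hdr in (("ntlm sample", SAMPLE_NTLM), ("krb sample", SAMPLE_KRB)):
        print(name, classify_authorization(hdr), can_delegate(hdr))
```

A `kerberos` result is necessary but not sufficient: delegation still has to be configured for the account the web application runs under, as the reply notes.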


