RE: accessing WebService from asp.net App on load balanced Servers

From: Steven Cheng[MSFT] (stcheng_at_online.microsoft.com)
Date: 11/29/05

  • Next message: Jason: "RE: accessing WebService from asp.net App on load balanced Servers"
    Date: Tue, 29 Nov 2005 01:29:12 GMT
    
    

    Thanks for your response Jason,

    Actually, this limit is due to Windows NTLM authentication, which doesn't
    allow an authenticated logon session to double-hop across multiple machines. So
    the client's implicitly impersonated credential can only access the ASP.NET
    server's protected resources, but not another remote machine... In
    addition to Kerberos delegation (which requires all the computers involved in
    the application's process stream to be configured correctly.....), another
    approach is to programmatically impersonate the client user; such a
    programmatically impersonated session will also be remotable to other machines.
    However, programmatic impersonation requires a clear text
    username/password....

    #How to configure an ASP.NET application for a delegation scenario
    http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

    Anyway, delegating an authenticated credential across multiple hops is not a good idea,
    since with every additional hop the possibility that the context is
    hacked increases. Also, performance overhead is involved.

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)

    --------------------
    | Thread-Topic: accessing WebService from asp.net App on load balanced Servers
    | thread-index: AcXz1GaMvzInGwjYToWaojb031lHHQ==
    | X-WBNR-Posting-Host: 134.134.136.1
    | From: "Jason" <JRawlins@noemail.nospam>
    | References: <9EC26BC7-5C41-413E-AE97-F6CED93549A9@microsoft.com> <KgY1YN88FHA.3764@TK2MSFTNGXA02.phx.gbl>
    | Subject: RE: accessing WebService from asp.net App on load balanced Servers
    | Date: Sun, 27 Nov 2005 20:30:02 -0800
    | Lines: 120
    | Message-ID: <17AB6F58-73DB-47FF-8131-73BE27A70750@microsoft.com>
    | MIME-Version: 1.0
    | Content-Type: text/plain;
    | charset="Utf-8"
    | Content-Transfer-Encoding: 7bit
    | X-Newsreader: Microsoft CDO for Windows 2000
    | Content-Class: urn:content-classes:message
    | Importance: normal
    | Priority: normal
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
    | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
    | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.dotnet.framework.aspnet.security:16434
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    |
    | Steven,
    |
    | Thanks for your response. Unfortunately landing the web service on the same
    | server as the asp.net application is not an option. Neither is using a
    | hardcoded ID as the web service recognizes the user and sets the response
    | appropriately. I am amazed that there is no other option. Does the 2.0
    | framework change anything? I have tried to create an assembly using
    | EnterpriseServices to handle the impersonation also but it still will not
    | send the user's credentials. Can you confirm with your colleagues if this is
    | possible with the current framework? or not? This problem seems to remove the
    | benefit of using a Web Service for the back end data provider...
    |
    | Thanks
    | Jason
    |
    |
    | "Steven Cheng[MSFT]" wrote:
    |
    | > Hi Jason,
    | >
    | > Welcome to the asp.net newsgroup.
    | > From your description, you're accessing an ASP.NET webservice from an
    | > asp.net web application; the web application
    | > turns on impersonation so as to use the client user's credential to access the
    | > webservice (authenticated protected...)
    | > However, you found that this worked only when the webservice is on the same
    | > machine as the web application...
    | > Otherwise, you'll get a 401 error, yes?
    | >
    | > Based on my experience, this problem is caused by the limitation of a normal
    | > windows NTLM authentication's generated logon session. By default the
    | > asp.net implicitly impersonated client logon sessions are network logon
    | > sessions; they have no network credentials. So it is ok for accessing
    | > protected resources on the same box (with the asp.net web application...),
    | > however, when trying to access some remote protected resources... we'll get an
    | > access error since no security credential is sent (a network logon
    | > session can not be forwarded to a remote machine...). This is a typical double
    | > hop limit...
    | >
    | > So as for your scenario, the most recommended and simplest means is to use
    | > a fixed privileged account to access the remote webservice in your asp.net
    | > web application (avoid using the implicitly impersonated client user's
    | > credential....). Or you can consider still maintaining the webservice on the
    | > same server with the asp.net web app....
    | > And for the Kerberos you mentioned, yes, it is possible to configure
    | > kerberos delegation between the client and our asp.net web application so as to
    | > establish a kerberos ticket which can be forwarded to multiple remote
    | > machines (multiple hops...), but using kerberos delegation may require
    | > complex configuration on both the client side (browser) and server side
    | > (including the asp.net web app's server and the webservice's server, also the
    | > win2k or win2003 domain.....), so we do not recommend using this approach
    | > ......
    | >
    | > Thanks,
    | >
    | > Steven Cheng
    | > Microsoft Online Support
    | >
    | > Get Secure! www.microsoft.com/security
    | > (This posting is provided "AS IS", with no warranties, and confers no
    | > rights.)
    | >
    | > --------------------
    | > | Thread-Topic: accessing WebService from asp.net App on load balanced Servers
    | > | thread-index: AcXzLeCUpK/csZhpRky0PT9rpnnVbw==
    | > | X-WBNR-Posting-Host: 134.134.136.1
    | > | From: "Jason" <JRawlins@noemail.nospam>
    | > | Subject: accessing WebService from asp.net App on load balanced Servers
    | > | Date: Sun, 27 Nov 2005 00:38:01 -0800
    | > | Lines: 19
    | > | Message-ID: <9EC26BC7-5C41-413E-AE97-F6CED93549A9@microsoft.com>
    | > | MIME-Version: 1.0
    | > | Content-Type: text/plain;
    | > | charset="Utf-8"
    | > | Content-Transfer-Encoding: 7bit
    | > | X-Newsreader: Microsoft CDO for Windows 2000
    | > | Content-Class: urn:content-classes:message
    | > | Importance: normal
    | > | Priority: normal
    | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    | > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
    | > | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
    | > | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.dotnet.framework.aspnet.security:16428
    | > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    | > |
    | > | Hi,
    | > |
    | > | I have an ASP.Net application that retrieves Data from a Web Service. When
    | > | the Web service resides on the same server I have no problem and the asp.net
    | > | page functions as expected. I am using impersonation and the credentials are
    | > | being passed to the web service as expected.
    | > |
    | > | Now, when the web service resides on a different server the credentials are
    | > | not passed to the webservice and the asp application receives a 401 Error. I
    | > | have seen emails about using kerberos but have not been successful in getting
    | > | it to work. Could this be because I am using Load balanced servers? (Using
    | > | Application Server) I thought this worked when using Windows 2000 Server but
    | > | I am now using Windows 2003 Server. Can you tell me what specific steps I
    | > | need to take for my asp.net application to function and retrieve content from
    | > | a web service passing the credentials of the original user using the asp.net
    | > | application??
    | > | Thanks
    | > | Jason
    | > |
    | > |
    | >
    | >
    |

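    The three options Steven lays out (check whether the impersonated token is delegation-capable, fall back to a fixed service account, or impersonate programmatically from a stored password) can be expressed in a few lines of .NET 2.0 code. The block below is an added example written for this page; it is not code from the thread, from the KB article, or from Microsoft. The ASMX proxy class name `DataService`, the service URL, and the account `DOMAIN\svc_web` are hypothetical placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the thread). Names marked "hypothetical" are assumptions.
public static class RemoteServiceCredentials
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // LOGON32_LOGON_NETWORK_CLEARTEXT keeps the credentials in the token so the
    // session can authenticate outbound to another server (the "remotable" session
    // Steven describes). The cost is that the application must hold the password.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // First hop -> second hop only works when the caller's token can be delegated.
    // An NTLM network logon yields TokenImpersonationLevel.Impersonation, which is
    // good for local resources but cannot leave this machine. Only a Kerberos logon
    // on a server trusted for delegation yields TokenImpersonationLevel.Delegation.
    public static bool CurrentTokenCanReachRemoteHop()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return id != null && id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Option A (Steven's recommendation): a fixed service account for the remote
    // call. The web service then sees the service account, not the end user.
    public static ICredentials FixedServiceAccount(string domain, string user, string password)
    {
        return new NetworkCredential(user, password, domain);
    }

    // Option B: programmatic impersonation from a cleartext password. The returned
    // context must be disposed (Undo) in a finally block by the caller.
    public static WindowsImpersonationContext ImpersonateWithPassword(string domain, string user, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            // WindowsIdentity duplicates the token internally, so ours can be closed.
            return WindowsIdentity.Impersonate(token);
        }
        finally
        {
            CloseHandle(token);
        }
    }
}

// Usage inside the ASP.NET page (DataService is a hypothetical generated ASMX proxy;
// the password is read from an encrypted web.config section, see note below).
public static class DataServiceCaller
{
    public static DataService CreateProxy(string servicePassword)
    {
        DataService svc = new DataService();
        svc.Url = "https://ws.example.com/Data.asmx";   // hypothetical
        svc.PreAuthenticate = true;

        if (RemoteServiceCredentials.CurrentTokenCanReachRemoteHop())
        {
            // Kerberos delegation is configured end to end: the end user's own
            // credential flows to the web service, which can recognise the user.
            svc.Credentials = CredentialCache.DefaultCredentials;
        }
        else
        {
            // Double-hop not possible with this token: use the fixed account.
            svc.Credentials = RemoteServiceCredentials.FixedServiceAccount(
                "DOMAIN", "svc_web", servicePassword);          // hypothetical account
        }
        return svc;
    }
}
```

    Whichever branch applies, the password used by `FixedServiceAccount` or `ImpersonateWithPassword` should not sit in plain text in web.config; in .NET 2.0 the section holding it can be encrypted in place with `aspnet_regiis -pe` so that only the worker process account can decrypt it. Checking `ImpersonationLevel` before the call also gives a quick diagnostic for the 401 Jason sees: if it reports `Impersonation` rather than `Delegation` on the web server, the browser authenticated with NTLM or the server is not trusted for delegation, and no amount of proxy configuration will make the user's credential reach the second machine.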
