RE: accessing WebService from asp.net App on load balanced Servers
From: Jason (JRawlins_at_noemail.nospam)
Date: 11/29/05
Date: Mon, 28 Nov 2005 18:03:31 -0800
Would Constrained Delegation not give me a solution here? This is an Intranet
application and my understanding of constrained delegation is that the
original user impersonation will carry through to the back end server?
"Steven Cheng[MSFT]" wrote:
> Thanks for your response Jason,
>
> Actually, this limit is due to Windows NTLM authentication, which doesn't
> allow an authenticated logon session to double hop multiple machines. So
> the client's implicitly impersonated credential can only access the asp.net
> server's protected resources but not another remote machine... In
> addition to Kerberos delegation (which requires all the computers involved in
> the application's process stream to be configured correctly.....), another
> approach is to programmatically impersonate the client user; such a
> programmatically impersonated session will also be remotable to other machines.
> However, programmatic impersonation requires a clear text
> username/password....
>
> #How to configure an ASP.NET application for a delegation scenario
> http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
>
> Anyway, delegating authenticated credentials across multiple hops is not a good idea,
> since whenever it makes one more hop, the possibility that the context is
> hacked increases. Also, performance overhead is involved.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>
>
> --------------------
> | From: "Jason" <JRawlins@noemail.nospam>
> | Subject: RE: accessing WebService from asp.net App on load balanced Servers
> | Date: Sun, 27 Nov 2005 20:30:02 -0800
> |
> | Steven,
> |
> | Thanks for your response. Unfortunately landing the web service on the same
> | server as the asp.net application is not an option. Neither is using a
> | hardcoded ID as the web service recognizes the user and sets the response
> | appropriately. I am amazed that there is no other option. Does the 2.0
> | framework change anything? I have tried to create an assembly using
> | EnterpriseServices to handle the impersonation also but it still will not
> | send the user's credentials. Can you confirm with your colleagues if this is
> | possible with the current framework or not? This problem seems to remove the
> | benefit of using a Web Service for the back end data provider...
> |
> | Thanks
> | Jason
> |
> |
> | "Steven Cheng[MSFT]" wrote:
> |
> | > Hi Jason,
> | >
> | > Welcome to asp.net newsgroup.
> | > From your description, you're accessing an ASP.NET webservice from an
> | > asp.net web application, and the web application
> | > turns on impersonation so as to use the client user's credentials to access the
> | > webservice (authenticated, protected...).
> | > However, he found that this worked only when the webservice is on the same
> | > machine as the web application...
> | > Otherwise, you'll get a 401 error, yes?
> | >
> | > Based on my experience, this problem is caused by the limitation of normal
> | > Windows NTLM authentication's generated logon session. By default the
> | > asp.net implicitly impersonated client logon sessions are network logon
> | > sessions; they have no network credentials. So it is OK for accessing
> | > protected resources on the same box (with the asp.net web application...),
> | > however, when trying to access some remote protected resources... we'll get
> | > an access error since no security credential is sent (a network logon session
> | > cannot be forwarded to a remote machine...). This is a typical double hop
> | > limit...
> | >
> | > So as for your scenario, the most recommended and simplest means is to use
> | > a fixed privileged account to access the remote webservice in your asp.net
> | > web application (avoid using the implicitly impersonated client user's
> | > credential....). Or you can consider still maintaining the webservice on the
> | > same server with the asp.net web app....
> | > And for the Kerberos you mentioned, yes, it is possible to configure
> | > Kerberos delegation between the client and our asp.net web application so as to
> | > establish a Kerberos ticket which can be forwarded to multiple remote
> | > machines (multiple hops...), but using Kerberos delegation may require
> | > complex configuration on both the client side (browser) and server side
> | > (including the asp.net web app's server and the webservice's server, also the
> | > win2k or win2003 domain.....), so we do not recommend using this approach
> | > ......
> | >
> | > Thanks,
> | >
> | > Steven Cheng
> | > Microsoft Online Support
> | >
> | > Get Secure! www.microsoft.com/security
> | > (This posting is provided "AS IS", with no warranties, and confers no
> | > rights.)
> | >
> | > --------------------
> | > | From: "Jason" <JRawlins@noemail.nospam>
> | > | Subject: accessing WebService from asp.net App on load balanced Servers
> | > | Date: Sun, 27 Nov 2005 00:38:01 -0800
> | > |
> | > | Hi,
> | > |
> | > | I have an ASP.Net application that retrieves Data from a Web Service. When
> | > | the Web service resides on the same server I have no problem and the asp.net
> | > | page functions as expected. I am using impersonation and the credentials are
> | > | being passed to the web service as expected.
> | > |
> | > | Now, when the web service resides on a different server the credentials are
> | > | not passed to the webservice and the asp application receives a 401 Error. I
> | > | have seen emails about using kerberos but have not been successful in getting
> | > | it to work. Could this be because I am using Load balanced servers? (Using
> | > | Application Server) I thought this worked when using Windows 2000 Server but
> | > | I am now using Windows 2003 Server. Can you tell me What specific steps I
> | > | need to take for my asp.net application to function and retrieve content from
> | > | a web service passing the credentials of the original user using the asp.net
> | > | application??
> | > | Thanks
> | > | Jason
> | > |
> | > |
> | >
> | >
> |
>
>
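
Added example, not part of the original thread or written by any of its participants: a C# diagnostic for the double-hop situation discussed above. It reports how the browser was authenticated and whether the impersonated token is at Delegation level, then attempts the second hop with the thread's current identity. The class name `DelegationCheck` and the back-end URL are hypothetical; it assumes `<authentication mode="Windows"/>` and `<identity impersonate="true"/>` in web.config and .NET Framework 2.0 or later.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web;

// Added example; class name and back-end URL are hypothetical placeholders.
public static class DelegationCheck
{
    // Placeholder address of the web service on the second server.
    const string BackendUrl = "http://backend.example.internal/Service.asmx";

    // Describes the identity the current thread would present on the second hop.
    public static string Describe(HttpContext ctx)
    {
        // How IIS authenticated the browser, for example "NTLM" or "Negotiate".
        string authType = ctx.User.Identity.AuthenticationType;

        // The token the request thread runs under once impersonation is on.
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        TokenImpersonationLevel level = current.ImpersonationLevel;

        // An Impersonation-level token (network logon) carries no credentials
        // for a second hop; a Delegation-level token does.
        bool remotable = level == TokenImpersonationLevel.Delegation;

        return String.Format("user={0} auth={1} level={2} remotable={3}",
            current.Name, authType, level, remotable);
    }

    // Attempts the second hop with the impersonated user's credentials and
    // returns the HTTP status, so a 401 can be logged instead of thrown.
    public static HttpStatusCode CallBackend()
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(BackendUrl);
        req.Credentials = CredentialCache.DefaultCredentials; // thread's current identity
        try
        {
            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                return resp.StatusCode;
        }
        catch (WebException ex)
        {
            HttpWebResponse failed = ex.Response as HttpWebResponse;
            if (failed == null) throw;               // no HTTP response at all
            using (failed) return failed.StatusCode; // 401 when credentials did not travel
        }
    }
}
```

Logging `Describe(HttpContext.Current)` next to the status from `CallBackend()` separates a 401 caused by a non-delegable token from one caused by permissions on the back-end service.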