RE: accessing WebService from asp.net App on load balanced Servers

From: Steven Cheng[MSFT] (stcheng_at_online.microsoft.com)
Date: 11/29/05

  • Next message: Dominick Baier [DevelopMentor]: "RE: accessing WebService from asp.net App on load balanced Servers"
    Date: Tue, 29 Nov 2005 11:34:27 GMT
    
    

    Thanks for your response Jason,

    Yes, if you're able to successfully implement the kerberos authentication
    configuration from the client (browser side....) to your web server and
    the remote webservice server (all in the same 2000 or 2003 domain or
    trusted domain...), and all the user accounts meet the requirement, the
    kerberos token can be forwarded from webserver to remote webservice server...

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    --------------------
    | Thread-Topic: accessing WebService from asp.net App on load balanced
    Servers
    | thread-index: AcX0iRkP/iqm3QbgRIq9MZI1zHBZxA==
    | X-WBNR-Posting-Host: 134.134.136.2
    | From: "=?Utf-8?B?SmFzb24=?=" <JRawlins@noemail.nospam>
    | References: <9EC26BC7-5C41-413E-AE97-F6CED93549A9@microsoft.com>
    <KgY1YN88FHA.3764@TK2MSFTNGXA02.phx.gbl>
    <17AB6F58-73DB-47FF-8131-73BE27A70750@microsoft.com>
    <rfjBVRI9FHA.1240@TK2MSFTNGXA02.phx.gbl>
    | Subject: RE: accessing WebService from asp.net App on load balanced
    Servers
    | Date: Mon, 28 Nov 2005 18:03:31 -0800
    | Lines: 210
    | Message-ID: <AF863CDB-AC4F-44C1-9679-FD5AEF4F849D@microsoft.com>
    | MIME-Version: 1.0
    | Content-Type: text/plain;
    | charset="Utf-8"
    | Content-Transfer-Encoding: 7bit
    | X-Newsreader: Microsoft CDO for Windows 2000
    | Content-Class: urn:content-classes:message
    | Importance: normal
    | Priority: normal
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
    | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
    | Xref: TK2MSFTNGXA02.phx.gbl
    microsoft.public.dotnet.framework.aspnet.security:16453
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    |
    | Would Constrained Delegation not give me a solution here? This is an
    | Intranet application and my understanding of constrained delegation is
    | that the original user impersonation will carry through to the back end
    | server??
    |
    | "Steven Cheng[MSFT]" wrote:
    |
    | > Thanks for your response Jason,
    | >
    | > Actually, this limit is due to the windows NTLM authentication which
    | > doesn't allow an authenticated logon session to double hop multiple
    | > machines. So the client implicit impersonated credential can only access
    | > asp.net server's protected resource but not another remote machine... In
    | > addition to kerberos delegation (which requires all the computers involved
    | > in the application's process stream be configured correctly.....), another
    | > approach is we programmatically impersonate the client user, such
    | > programmatic impersonated session will also be remotable to other
    | > machines. However, programmatically impersonate requires clear text
    | > username/password....
    | >
    | > #How to configure an ASP.NET application for a delegation scenario
    | > http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
    | >
    | > Anyway, delegating authenticated credential multiple hops is not a good
    | > idea since whenever it skips one more hop, the possibility that the
    | > context be hacked increases. Also, performance overhead is also involved.
    | >
    | > Thanks,
    | >
    | > Steven Cheng
    | > Microsoft Online Support
    | >
    | > Get Secure! www.microsoft.com/security
    | > (This posting is provided "AS IS", with no warranties, and confers no
    | > rights.)
    | >
    | >
    | >
    | > | Steven,
    | > |
    | > | Thanks for your response. Unfortunately landing the web service on the
    | > | same server as the asp.net application is not an option. Neither is using
    | > | a hardcoded ID as the web service recognizes the user and sets the
    | > | response appropriately. I am amazed that there is no other option. Does
    | > | the 2.0 framework change anything? I have tried to create an assembly
    | > | using EnterpriseServices to handle the impersonation also but it still
    | > | will not send the users credentials.. Can you confirm with your colleagues
    | > | if this is possible with the current framework? or not? This problem
    | > | seems to remove the benefit of using a Web Service for the back end data
    | > | provider...
    | > |
    | > | Thanks
    | > | Jason
    | > |
    | > |
    | > | "Steven Cheng[MSFT]" wrote:
    | > |
    | > | > Hi Jason,
    | > | >
    | > | > Welcome to asp.net newsgroup.
    | > | > From your description, you're accessing an ASP.NET webservice from an
    | > | > asp.net webapplication, the web application turns on impersonate so as
    | > | > to use the client user's credential to access the webservice
    | > | > (authenticated protected...)
    | > | > However, you found that this worked only when the webservice is on the
    | > | > same machine with the web application...
    | > | > Elsewise, you'll get 401 error, yes?
    | > | >
    | > | > Based on my experience, this problem is caused by the limitation of
    | > | > normal windows NTLM authentication's generated logon session. By default
    | > | > the asp.net implicit impersonated client logon sessions are network
    | > | > logon sessions, they have no network credentials. So it is ok for
    | > | > accessing protected resources on the same box (with the asp.net web
    | > | > application...), however, when trying to access some remote protected
    | > | > resources... we'll get access error since no security credential is
    | > | > sent (network logon session can not be forwarded to remote machine...).
    | > | > This is a typical double hop limit...
    | > | >
    | > | > So as for your scenario, the most recommended and simplest means is to
    | > | > use a fixed privileged account to access the remote webservice in your
    | > | > asp.net web application (avoid using the implicit impersonated client
    | > | > user's credential....). Or you can consider still maintaining the
    | > | > webservice on the same server with the asp.net web app....
    | > | > And for the Kerberos you mentioned, yes, it is possible to configure
    | > | > kerberos delegation between client and our asp.net webapplication so as
    | > | > to establish kerberos ticket which can be forwarded to multiple remote
    | > | > machines (multiple hops...), but using kerberos delegation may require
    | > | > complex configuration on both client side (browser) and serverside
    | > | > (including asp.net web app's server and webservice's server, also the
    | > | > win2k or win2003 domain.....), so we do not recommend using this
    | > | > approach......
    | > | >
    | > | > Thanks,
    | > | >
    | > | > Steven Cheng
    | > | > Microsoft Online Support
    | > | >
    | > | > Get Secure! www.microsoft.com/security
    | > | > (This posting is provided "AS IS", with no warranties, and confers no
    | > | > rights.)
    | > | >
    | > | > | Hi,
    | > | > |
    | > | > | I have an ASP.Net application that retrieves Data from a Web Service.
    | > | > | When the Web service resides on the same server I have no problem and
    | > | > | the asp.net page functions as expected. I am using impersonation and
    | > | > | the credentials are being passed to the web service as expected.
    | > | > |
    | > | > | Now, when the web service resides on a different server the
    | > | > | credentials are not passed to the webservice and the asp application
    | > | > | receives a 401 Error. I have seen emails about using kerberos but have
    | > | > | not been successful in getting it to work. Could this be because I am
    | > | > | using Load balanced servers? (Using Application Server) I thought this
    | > | > | worked when using Windows 2000 Server but I am now using Windows 2003
    | > | > | Server. Can you tell me what specific steps I need to take for my
    | > | > | asp.net application to function and retrieve content from a web
    | > | > | service passing the credentials of the original user using the asp.net
    | > | > | application??
    | > | > | Thanks
    | > | > | Jason
    | > | > |
    | > | > |
    | > | >
    | > | >
    | > |
    | >
    | >
    |
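The double-hop behaviour the thread describes can be checked from inside the page before the remote call is made. The following is an added illustration, not code from the thread or from Microsoft: an ASP.NET 2.0 helper that inspects the impersonated token the page actually holds (an NTLM network-logon token or a non-delegatable Kerberos token is at Impersonation level and will not cross to a second server; only a Delegation-level token shows the Kerberos delegation configuration took effect), and otherwise falls back to the fixed service account Steven recommends rather than silently calling with no identity. It assumes `<authentication mode="Windows"/>` and `<identity impersonate="true"/>` in web.config; `DoubleHopCheck`, `CanForwardToRemoteHost`, `SelectCredentials` and `Describe` are names chosen here.

```csharp
using System;
using System.Net;
using System.Security.Principal;

// Added illustration for the double-hop discussion (not code from the thread).
// Runs inside an ASP.NET 2.0 page with <authentication mode="Windows"/> and
// <identity impersonate="true"/>. Type and member names are chosen here.
public static class DoubleHopCheck
{
    // True only if the impersonated token can be re-used on a SECOND machine.
    // NTLM network-logon tokens (and Kerberos tokens obtained without
    // delegation) sit at Impersonation level: fine for local resources, but
    // the remote web service receives no credentials and answers 401.
    // A Delegation-level token is what a working Kerberos delegation yields.
    public static bool CanForwardToRemoteHost(WindowsIdentity id)
    {
        if (id == null || id.IsAnonymous)
            return false;
        return id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Chooses what to assign to the web service proxy's Credentials property.
    // If the end user's identity can cross the hop, forward it; otherwise use
    // the fixed domain service account the thread describes as the fallback.
    // A null serviceAccount makes the caller fail closed instead of quietly
    // issuing the remote call without any identity at all.
    public static ICredentials SelectCredentials(WindowsIdentity id,
                                                 NetworkCredential serviceAccount)
    {
        if (CanForwardToRemoteHost(id))
            return CredentialCache.DefaultCredentials;
        if (serviceAccount == null)
            throw new InvalidOperationException(
                "Token cannot be delegated to the remote web service and no " +
                "service account is configured; refusing to call without identity.");
        return serviceAccount;
    }

    // One-line summary for the application's diagnostic log, so operators can
    // see which hop failed instead of guessing from a bare 401 on the far side.
    public static string Describe(WindowsIdentity id)
    {
        if (id == null)
            return "no Windows identity (impersonation not in effect)";
        return String.Format("user={0} auth={1} level={2} delegatable={3}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel,
            CanForwardToRemoteHost(id));
    }
}
```

In the page, set `proxy.Credentials = DoubleHopCheck.SelectCredentials(WindowsIdentity.GetCurrent(), serviceAccount);` on the wsdl.exe-generated proxy and log `DoubleHopCheck.Describe(WindowsIdentity.GetCurrent())` when the remote call returns 401.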

