RE: accessing WebService from asp.net App on load balanced Servers
From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 11/29/05
- Previous message: Steven Cheng[MSFT]: "RE: accessing WebService from asp.net App on load balanced Servers"
- In reply to: Steven Cheng[MSFT]: "RE: accessing WebService from asp.net App on load balanced Servers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 29 Nov 2005 07:05:05 -0800
Hello Steven Cheng[MSFT],
and if you wonder how that works, have a look at:
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
> Thanks for your response Jason,
>
> Yes, if you're able to successfully implement the kerberos
> authentication configuration from the client (browser side....) to
> your web server and the remote webservice server (all in the same 2000
> or 2003 domain or trusted domain...), and all the user accounts meet
> the requirement, the kerberos token can be forwarded from webserver to
> remote webservice server...
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
> --------------------
> | From: "Jason" <JRawlins@noemail.nospam>
> | Subject: RE: accessing WebService from asp.net App on load balanced Servers
> | Date: Mon, 28 Nov 2005 18:03:31 -0800
> | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> |
> | Would Constrained Delegation not give me a solution here? This is an
> | Intranet application and my understanding of constrained delegation is
> | that the original user impersonation will carry through to the back end
> | server??
> |
> | "Steven Cheng[MSFT]" wrote:
> |
> | > Thanks for your response Jason,
> | >
> | > Actually, this limit is due to the windows NTLM authentication which
> | > doesn't allow an authenticated logon session to double hop multiple
> | > machines. So the client implicit impersonated credential can only
> | > access the asp.net server's protected resource but not another remote
> | > machine... In addition to kerberos delegation (which requires all the
> | > computers involved in the application's process stream to be
> | > configured correctly.....), another approach is to programmatically
> | > impersonate the client user; such a programmatically impersonated
> | > session will also be remotable to other machines. However,
> | > programmatic impersonation requires clear text username/password....
> | >
> | > #How to configure an ASP.NET application for a delegation scenario
> | > http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
> | >
> | > Anyway, delegating authenticated credentials over multiple hops is not
> | > a good idea since with every additional hop the possibility that the
> | > context is hacked increases. Also, performance overhead is involved.
> | >
> | > Thanks,
> | >
> | > Steven Cheng
> | > Microsoft Online Support
> | >
> | > Get Secure! www.microsoft.com/security
> | > (This posting is provided "AS IS", with no warranties, and confers no
> | > rights.)
> | >
> | > --------------------
> | > | From: "Jason" <JRawlins@noemail.nospam>
> | > | Subject: RE: accessing WebService from asp.net App on load balanced Servers
> | > | Date: Sun, 27 Nov 2005 20:30:02 -0800
> | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | > |
> | > | Steven,
> | > |
> | > | Thanks for your response. Unfortunately landing the web service on
> | > | the same server as the asp.net application is not an option. Neither
> | > | is using a hardcoded ID as the web service recognizes the user and
> | > | sets the response appropriately. I am amazed that there is no other
> | > | option. Does the 2.0 framework change anything? I have tried to
> | > | create an assembly using EnterpriseServices to handle the
> | > | impersonation also but it still will not send the users credentials..
> | > | Can you confirm with your colleagues if this is possible with the
> | > | current framework? or not? This problem seems to remove the benefit
> | > | of using a Web Service for the back end data provider...
> | > |
> | > | Thanks
> | > | Jason
> | > |
> | > | "Steven Cheng[MSFT]" wrote:
> | > |
> | > | > Hi Jason,
> | > | >
> | > | > Welcome to asp.net newsgroup.
> | > | > From your description, you're accessing an ASP.NET webservice from
> | > | > an asp.net webapplication, and the web application turns on
> | > | > impersonate so as to use the client user's credential to access the
> | > | > webservice (authenticated protected...)
> | > | > However, you found that this worked only when the webservice is on
> | > | > the same machine as the web application...
> | > | > Elsewise, you'll get 401 error, yes?
> | > | >
> | > | > Based on my experience, this problem is caused by the limitation of
> | > | > normal windows NTLM authentication's generated logon session. By
> | > | > default the asp.net implicit impersonated client logon sessions are
> | > | > network logon sessions; they have no network credentials. So it is
> | > | > ok for accessing protected resources on the same box (with the
> | > | > asp.net web application...), however, when trying to access some
> | > | > remote protected resources... we'll get an access error since no
> | > | > security credential is sent (a network logon session can not be
> | > | > forwarded to a remote machine...). This is a typical double hop
> | > | > limit...
> | > | >
> | > | > So as for your scenario, the most recommended and simplest means is
> | > | > to use a fixed privileged account to access the remote webservice in
> | > | > your asp.net web application (avoid using the implicit impersonated
> | > | > client user's credential....). Or you can consider still maintaining
> | > | > the webservice on the same server with the asp.net web app....
> | > | > And for the Kerberos you mentioned, yes, it is possible to configure
> | > | > kerberos delegation between client and our asp.net webapplication so
> | > | > as to establish a kerberos ticket which can be forwarded to multiple
> | > | > remote machines (multiple hops...), but using kerberos delegation
> | > | > may require complex configuration on both client side (browser) and
> | > | > server side (including asp.net web app's server and webservice's
> | > | > server, also the win2k or win2003 domain.....), so we do not
> | > | > recommend using this approach......
> | > | >
> | > | > Thanks,
> | > | >
> | > | > Steven Cheng
> | > | > Microsoft Online Support
> | > | >
> | > | > Get Secure! www.microsoft.com/security
> | > | > (This posting is provided "AS IS", with no warranties, and confers
> | > | > no rights.)
> | > | >
> | > | > --------------------
> | > | > | From: "Jason" <JRawlins@noemail.nospam>
> | > | > | Subject: accessing WebService from asp.net App on load balanced Servers
> | > | > | Date: Sun, 27 Nov 2005 00:38:01 -0800
> | > | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | > | > |
> | > | > | Hi,
> | > | > |
> | > | > | I have an ASP.Net application that retrieves Data from a Web
> | > | > | Service. When the Web service resides on the same server I have
> | > | > | no problem and the asp.net page functions as expected. I am using
> | > | > | impersonation and the credentials are being passed to the web
> | > | > | service as expected.
> | > | > |
> | > | > | Now, when the web service resides on a different server the
> | > | > | credentials are not passed to the webservice and the asp
> | > | > | application receives a 401 Error. I have seen emails about using
> | > | > | kerberos but have not been successful in getting it to work. Could
> | > | > | this be because I am using Load balanced servers? (Using
> | > | > | Application Server) I thought this worked when using Windows 2000
> | > | > | Server but I am now using Windows 2003 Server. Can you tell me
> | > | > | what specific steps I need to take for my asp.net application to
> | > | > | function and retrieve content from a web service passing the
> | > | > | credentials of the original user using the asp.net application??
> | > | > | Thanks
> | > | > | Jason
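A run-time check that matches the thread's diagnosis (an NTLM network logon session stops at the first server; only a Kerberos delegation-level token can make the second hop), as an added example written for this page and not code from any of the posters. It assumes an ASP.NET 2.0 application with `<identity impersonate="true" />`, a generated proxy class named `BackendService` with a `GetData()` method (hypothetical names), and service-account settings under the assumed appSettings keys shown.

```csharp
// Added example: choose how to authenticate to a remote web service from an
// impersonating ASP.NET page, based on what the impersonated token can do.
using System;
using System.Configuration;
using System.Net;
using System.Security.Principal;

public static class SecondHopCaller
{
    // True only when the front-end authentication produced a token that
    // Windows will forward to another machine: Kerberos with delegation.
    // An NTLM network logon (or Kerberos without delegation rights) yields an
    // Impersonation-level token with no network credentials, so the call to
    // a web service on a different box fails with 401: the "double hop".
    public static bool TokenCanHop(WindowsIdentity id)
    {
        return id != null
            && id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Picks the credentials the proxy will present to the remote service.
    public static ICredentials PickCredentials(WindowsIdentity caller)
    {
        if (TokenCanHop(caller))
        {
            // Kerberos delegation is configured end to end (client, web
            // server, service server, domain): let the caller's own ticket
            // flow, so the service still sees the original user.
            return CredentialCache.DefaultCredentials;
        }

        // Fallback the thread recommends: one fixed, least-privileged service
        // account. The values come from configuration (assumed keys), never
        // from source; encrypt that section (aspnet_regiis -pe) so the
        // password is not stored in clear text on the web servers.
        return new NetworkCredential(
            ConfigurationManager.AppSettings["BackendUser"],
            ConfigurationManager.AppSettings["BackendPassword"],
            ConfigurationManager.AppSettings["BackendDomain"]);
    }

    public static string CallBackend()
    {
        // Under <identity impersonate="true" /> this is the browser user's
        // token, not the worker process account.
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        BackendService proxy = new BackendService();   // hypothetical proxy
        proxy.Credentials = PickCredentials(caller);
        return proxy.GetData();                        // hypothetical method
    }
}
```

In the service-account case the remote web service can no longer identify the end user from the Windows token, so the application must pass and authorize that identity explicitly rather than relying on impersonation.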