RE: accessing WebService from asp.net App on load balanced Servers

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 11/29/05


Date: Tue, 29 Nov 2005 07:05:05 -0800

Hello Steven Cheng[MSFT],

and if you wonder how that works, have a look at:
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Thanks for your response Jason,
>
> Yes, if you're able to successfully implement the Kerberos
> authentication configuration from the client (browser side....) to
> your web server and the remote web service server (all in the same 2000
> or 2003 domain or trusted domain...), and all the user accounts meet
> the requirement, the Kerberos token can be forwarded from the web server to
> the remote web service server...
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
> --------------------
> | Thread-Topic: accessing WebService from asp.net App on load balanced Servers
> | thread-index: AcX0iRkP/iqm3QbgRIq9MZI1zHBZxA==
> | X-WBNR-Posting-Host: 134.134.136.2
> | From: "=?Utf-8?B?SmFzb24=?=" <JRawlins@noemail.nospam>
> | References: <9EC26BC7-5C41-413E-AE97-F6CED93549A9@microsoft.com>
> <KgY1YN88FHA.3764@TK2MSFTNGXA02.phx.gbl>
> <17AB6F58-73DB-47FF-8131-73BE27A70750@microsoft.com>
> <rfjBVRI9FHA.1240@TK2MSFTNGXA02.phx.gbl>
> | Subject: RE: accessing WebService from asp.net App on load balanced Servers
> | Date: Mon, 28 Nov 2005 18:03:31 -0800
> | Lines: 210
> | Message-ID: <AF863CDB-AC4F-44C1-9679-FD5AEF4F849D@microsoft.com>
> | MIME-Version: 1.0
> | Content-Type: text/plain;
> | charset="Utf-8"
> | Content-Transfer-Encoding: 7bit
> | X-Newsreader: Microsoft CDO for Windows 2000
> | Content-Class: urn:content-classes:message
> | Importance: normal
> | Priority: normal
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
> | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.dotnet.framework.aspnet.security:16453
> | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> |
> | Would Constrained Delegation not give me a solution here? This is an
> | Intranet application and my understanding of constrained delegation is
> | that the original user impersonation will carry through to the back end
> | server??
> |
> | "Steven Cheng[MSFT]" wrote:
> |
> | > Thanks for your response Jason,
> | >
> | > Actually, this limit is due to the Windows NTLM authentication, which
> | > doesn't allow an authenticated logon session to double hop multiple
> | > machines. So the client's implicitly impersonated credential can only
> | > access the asp.net server's protected resources but not another remote
> | > machine... In addition to Kerberos delegation (which requires all the
> | > computers involved in the application's process stream to be configured
> | > correctly.....), another approach is to programmatically impersonate the
> | > client user; such a programmatically impersonated session will also be
> | > remotable to other machines. However, programmatic impersonation requires
> | > a clear text username/password....
> | >
> | > #How to configure an ASP.NET application for a delegation scenario
> | > http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
> | >
> | > Anyway, delegating authenticated credentials over multiple hops is not a
> | > good idea, since with every additional hop the possibility that the
> | > context gets hacked increases. Also, a performance overhead is involved.
> | >
> | > Thanks,
> | >
> | > Steven Cheng
> | > Microsoft Online Support
> | >
> | > Get Secure! www.microsoft.com/security
> | > (This posting is provided "AS IS", with no warranties, and confers no rights.)
> | >
> | >
> | >
> | > --------------------
> | > | Thread-Topic: accessing WebService from asp.net App on load balanced Servers
> | > | thread-index: AcXz1GaMvzInGwjYToWaojb031lHHQ==
> | > | X-WBNR-Posting-Host: 134.134.136.1
> | > | From: "=?Utf-8?B?SmFzb24=?=" <JRawlins@noemail.nospam>
> | > | References:
> <9EC26BC7-5C41-413E-AE97-F6CED93549A9@microsoft.com>
> | > <KgY1YN88FHA.3764@TK2MSFTNGXA02.phx.gbl>
> | > | Subject: RE: accessing WebService from asp.net App on load balanced Servers
> | > | Date: Sun, 27 Nov 2005 20:30:02 -0800
> | > | Lines: 120
> | > | Message-ID: <17AB6F58-73DB-47FF-8131-73BE27A70750@microsoft.com>
> | > | MIME-Version: 1.0
> | > | Content-Type: text/plain;
> | > | charset="Utf-8"
> | > | Content-Transfer-Encoding: 7bit
> | > | X-Newsreader: Microsoft CDO for Windows 2000
> | > | Content-Class: urn:content-classes:message
> | > | Importance: normal
> | > | Priority: normal
> | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
> | > | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | > | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.dotnet.framework.aspnet.security:16434
> | > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> | > |
> | > | Steven,
> | > |
> | > | Thanks for your response. Unfortunately landing the web service on
> | > | the same server as the asp.net application is not an option. Neither
> | > | is using a hardcoded ID, as the web service recognizes the user and
> | > | sets the response appropriately. I am amazed that there is no other
> | > | option. Does the 2.0 framework change anything? I have tried to create
> | > | an assembly using EnterpriseServices to handle the impersonation also,
> | > | but it still will not send the user's credentials.. Can you confirm
> | > | with your colleagues if this is possible with the current framework?
> | > | or not? This problem seems to remove the benefit of using a Web
> | > | Service for the back end data provider...
> | > |
> | > | Thanks
> | > | Jason
> | > |
> | > |
> | > | "Steven Cheng[MSFT]" wrote:
> | > |
> | > | > Hi Jason,
> | > | >
> | > | > Welcome to asp.net newsgroup.
> | > | > From your description, you're accessing an ASP.NET web service from
> | > | > an asp.net web application; the web application turns on
> | > | > impersonation so as to use the client user's credential to access
> | > | > the web service (authenticated protected...). However, you found
> | > | > that this worked only when the web service is on the same machine
> | > | > as the web application... Otherwise, you'll get a 401 error, yes?
> | > | >
> | > | > Based on my experience, this problem is caused by the limitation of
> | > | > the logon session generated by normal Windows NTLM authentication.
> | > | > By default the asp.net implicitly impersonated client logon sessions
> | > | > are network logon sessions; they have no network credentials. So it
> | > | > is OK for accessing protected resources on the same box (with the
> | > | > asp.net web application...); however, when trying to access some
> | > | > remote protected resources... we'll get an access error since no
> | > | > security credential is sent (a network logon session can not be
> | > | > forwarded to a remote machine...). This is the typical double hop
> | > | > limit...
> | > | >
> | > | > So as for your scenario, the most recommended and simplest means is
> | > | > to use a fixed privileged account to access the remote web service
> | > | > in your asp.net web application (avoid using the implicitly
> | > | > impersonated client user's credential....). Or you can consider
> | > | > still maintaining the web service on the same server as the asp.net
> | > | > web app....
> | > | > And for the Kerberos you mentioned, yes, it is possible to configure
> | > | > Kerberos delegation between the client and our asp.net web
> | > | > application so as to establish a Kerberos ticket which can be
> | > | > forwarded to multiple remote machines (multiple hops...), but using
> | > | > Kerberos delegation may require complex configuration on both the
> | > | > client side (browser) and server side (including the asp.net web
> | > | > app's server and the web service's server, also the win2k or win2003
> | > | > domain.....), so we do not recommend using this approach......
> | > | >
> | > | > Thanks,
> | > | >
> | > | > Steven Cheng
> | > | > Microsoft Online Support
> | > | >
> | > | > Get Secure! www.microsoft.com/security
> | > | > (This posting is provided "AS IS", with no warranties, and confers no rights.)
> | > | >
> | > | > --------------------
> | > | > | Thread-Topic: accessing WebService from asp.net App on load balanced Servers
> | > | > | thread-index: AcXzLeCUpK/csZhpRky0PT9rpnnVbw==
> | > | > | X-WBNR-Posting-Host: 134.134.136.1
> | > | > | From: "=?Utf-8?B?SmFzb24=?=" <JRawlins@noemail.nospam>
> | > | > | Subject: accessing WebService from asp.net App on load balanced Servers
> | > | > | Date: Sun, 27 Nov 2005 00:38:01 -0800
> | > | > | Lines: 19
> | > | > | Message-ID: <9EC26BC7-5C41-413E-AE97-F6CED93549A9@microsoft.com>
> | > | > | MIME-Version: 1.0
> | > | > | Content-Type: text/plain;
> | > | > | charset="Utf-8"
> | > | > | Content-Transfer-Encoding: 7bit
> | > | > | X-Newsreader: Microsoft CDO for Windows 2000
> | > | > | Content-Class: urn:content-classes:message
> | > | > | Importance: normal
> | > | > | Priority: normal
> | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | > | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | > | > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
> | > | > | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | > | > | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.dotnet.framework.aspnet.security:16428
> | > | > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> | > | > |
> | > | > | Hi,
> | > | > |
> | > | > | I have an ASP.Net application that retrieves data from a Web
> | > | > | Service. When the Web service resides on the same server I have no
> | > | > | problem and the asp.net page functions as expected. I am using
> | > | > | impersonation and the credentials are being passed to the web
> | > | > | service as expected.
> | > | > |
> | > | > | Now, when the web service resides on a different server the
> | > | > | credentials are not passed to the web service and the asp
> | > | > | application receives a 401 Error. I have seen emails about using
> | > | > | Kerberos but have not been successful in getting it to work. Could
> | > | > | this be because I am using load balanced servers? (Using
> | > | > | Application Server) I thought this worked when using Windows 2000
> | > | > | Server but I am now using Windows 2003 Server. Can you tell me what
> | > | > | specific steps I need to take for my asp.net application to
> | > | > | function and retrieve content from a web service passing the
> | > | > | credentials of the original user using the asp.net application??
> | > | > | Thanks
> | > | > | Jason
> | > | > |
> | > | > |
> | > | >
> | > | >
> | > |
> | >
> | >
> |
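Added example for the double-hop limit and the Kerberos delegation discussed in this thread. It is not code from any of the posters, from the KB article, or from the MSDN column linked above. It assumes an ASP.NET 2.0 page with `<authentication mode="Windows" />` and `<identity impersonate="true" />` in web.config and IIS set to Integrated Windows authentication; `BackendService` is an assumed name for the generated Web Reference proxy of the remote service. The check makes visible what the thread only describes: an NTLM-authenticated client yields a network logon whose token cannot be forwarded, while a Kerberos-authenticated client whose ticket was forwardable yields a token at Delegation level. For a load-balanced farm, the ticket is forwardable only if every node runs the application pool under the same domain account, the HTTP/<farm host name> SPN is registered once, on that account (an SPN on one node's machine account or on two accounts breaks Kerberos and the browser falls back to NTLM), and that account is trusted for delegation, constrained to the backend's SPN where possible.

```csharp
// Added example, not from the thread. Assumes web.config has
// <authentication mode="Windows" /> and <identity impersonate="true" />,
// IIS uses Integrated Windows authentication, and BackendService is the
// (hypothetical) Web Reference proxy class for the remote web service.
using System;
using System.Net;
using System.Security.Principal;
using System.Web.Services.Protocols;

public static class DelegationCheck
{
    // The impersonated caller's token can be used against a remote box only
    // if (a) the client authenticated with Kerberos rather than NTLM and
    // (b) the token is at Delegation level, which happens only when the
    // browser obtained a forwardable ticket because the web server's
    // account is trusted for delegation to the backend's SPN.
    public static bool CanDoubleHop(WindowsIdentity id)
    {
        return id != null
            && id.IsAuthenticated
            && string.Equals(id.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase)
            && id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Explains, for a log line or a diagnostic page, why the remote call
    // will or will not carry the caller's identity. Each branch is one of
    // the failure modes discussed in the thread.
    public static string Describe(WindowsIdentity id)
    {
        if (id == null || !id.IsAuthenticated)
            return "anonymous request: there is no client token to forward";

        if (!string.Equals(id.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
            return id.Name + " authenticated with " + id.AuthenticationType
                 + ": an NTLM network logon carries no credentials, so the"
                 + " remote service will answer 401 (the double-hop limit)";

        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            return id.Name + " authenticated with Kerberos but the token is only at "
                 + id.ImpersonationLevel + " level: the ticket was not forwardable."
                 + " Check that the app pool account is trusted for delegation to"
                 + " the backend's SPN and that HTTP/<farm host name> is registered"
                 + " exactly once, on that account";

        return id.Name + " authenticated with Kerberos at Delegation level:"
             + " the token can be forwarded to the remote web service";
    }

    // Prepares the proxy so the SOAP call goes out as the impersonated
    // caller. DefaultCredentials resolve to the thread's impersonation token
    // at call time, i.e. the browser user, not the application pool
    // identity. Throws instead of silently making a call that would come
    // back 401 or, worse, run on the backend as the pool account.
    public static void CallAsCaller(SoapHttpClientProtocol proxy)
    {
        // Under <identity impersonate="true" /> this is the client's token;
        // on a non-impersonating thread it is the process token (level None).
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        if (!CanDoubleHop(caller))
            throw new InvalidOperationException(Describe(caller));

        proxy.Credentials = CredentialCache.DefaultCredentials;
        proxy.PreAuthenticate = true; // after the first challenge, send the Negotiate header without waiting for 401
    }
}

// Usage from a page's code-behind (BackendService is the assumed proxy name):
//
//   BackendService svc = new BackendService();
//   DelegationCheck.CallAsCaller(svc);
//   string data = svc.GetData();   // runs on the backend as the browser user
//
// Before wiring up the call, write DelegationCheck.Describe(
//   (WindowsIdentity)User.Identity) to a test page on each farm node: a node
// that reports "NTLM" while the others report "Kerberos" has an SPN or
// application pool identity problem.
```

Constrained delegation (Windows 2003 domain functional level) is the form to prefer over "Trust this computer/user for delegation to any service": it limits a compromised web server to forwarding client identities only to the SPNs listed for it, which is the exposure Steven Cheng's "one more hop" warning is about.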


