Re: Performance issues With Impersonation and Delegation



Typically, you don't get Kerberos auth because the name you are using to
access the remote service doesn't have a matching SPN associated with the
service account that is running the service. I always start there.
Sometimes with IIS-based services, Kerb has actually been disabled in the
metabase. You can discover this if the WWW-Authenticate header returned by
the server challenge only says NTLM instead of Negotiate. If that is the
case, there is a metabase property you have to change to make it return
Negotiate.

Start with the SPNs though. They are all stored in AD. You can find the
service account in AD with an LDAP query and return its servicePrincipalName
attribute to see what SPNs are registered.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Bill Ward" <bill@xxxxxxxxxxxxxxx> wrote in message
news:uHt92hv9GHA.4376@xxxxxxxxxxxxxxxxxxxxxxx
I'm back to looking at this issue. Joe, you seem to be correct. I am
seeing no traffic on port 88.
I enabled Kerberos logging on the web service server and now for every web
service call I can see an event about assigning special privileges
to the new login (presumably this is the impersonation?) followed by an
NTLM authentication event.
So, the question is, how do I get Kerberos authentication to take
precedence over NTLM authentication? Do I need to set other parameters on
the web service or do I need to make some changes to the client code? All
I do at the moment on the client is set the Url property of the Web
Service proxy and then the Credentials property to
System.Net.CredentialCache.DefaultCredentials or DefaultNetworkCredentials
(both seem to create identical network traffic).
Thanks
Bill W.
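As an added offline illustration of the two checks Joe describes (this is not code from either poster), the Python below parses the server's WWW-Authenticate challenges and compares the host in the web service URL with the servicePrincipalName values read from the service account; the SPN list, URLs and headers are constructed sample data.

```python
"""Offline triage for "NTLM instead of Kerberos" against a web service.

Two things are checked, in the order Joe suggests:
  1. Does the service account hold an HTTP/<host> SPN for the host name
     the client actually puts in the URL?
  2. Does the server's challenge offer Negotiate at all, or only NTLM
     (IIS 6 metabase property NTAuthenticationProviders)?
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: what 'setspn -L <account>' or an LDAP read of the
# servicePrincipalName attribute might return for the app-pool account.
SAMPLE_SPNS = ["HTTP/websvc01", "HTTP/websvc01.corp.example"]


def parse_www_authenticate(headers):
    """Return the lower-cased scheme tokens from one or more
    WWW-Authenticate header values (a value may list several
    challenges, e.g. 'Negotiate, NTLM')."""
    schemes = set()
    for value in headers:
        for challenge in value.split(","):
            token = challenge.strip().split(" ", 1)[0]
            if token:
                schemes.add(token.lower())
    return schemes


def expected_http_spn(url):
    """The SPN a Kerberos client derives from the URL host (no port)."""
    return f"HTTP/{urlsplit(url).hostname}"


def has_matching_spn(url, service_principal_names):
    """SPN comparison is case-insensitive in AD."""
    want = expected_http_spn(url).lower()
    return any(spn.lower() == want for spn in service_principal_names)


def diagnose(url, service_principal_names, www_authenticate_headers):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        findings.append("URL uses an IP address: no SPN is derived, Kerberos is never attempted")
    except ValueError:
        if not has_matching_spn(url, service_principal_names):
            findings.append(f"no SPN {expected_http_spn(url)} on the service account")
    if "negotiate" not in parse_www_authenticate(www_authenticate_headers):
        findings.append("server offers no Negotiate challenge, only NTLM can be selected")
    return findings
```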


