Re: Performance issues With Impersonation and Delegation
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 23 Oct 2006 21:40:11 -0500
Typically, you don't get Kerberos auth because the name you are using to
access the remote service doesn't have a matching SPN associated with the
service account that is running the service. I always start there.
Sometimes with IIS-based services, Kerb has actually been disabled in the
metabase. You can discover this if the www-authenticate header returned by
the server challenge only says NTLM instead of Negotiate. If that is the
case, there is a metabase property you have to change to make it return
Negotiate.
Start with the SPNs though. They are all stored in AD. You can find the
service account in AD with an LDAP query and return its servicePrincipalName
attribute to see what SPNs are registered.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Bill Ward" <bill@xxxxxxxxxxxxxxx> wrote in message
news:uHt92hv9GHA.4376@xxxxxxxxxxxxxxxxxxxxxxx
I'm back to looking at this issue. Joe, you seem to be correct. I am
seeing no traffic on port 88.
I enabled Kerberos logging on the web service server and now for every web
service call I can see an event about assigning special privileges
to the new login (presumably this is the impersonation?) followed by an
NTLM authentication event.
So, the question is, how do I get Kerberos authentication to take
precedence over NTLM authentication? Do I need to set other parameters on
the web service or do I need to make some changes to the client code? All
I do at the moment on the client is set the Url property of the Web
Service proxy and then the Credentials property to
System.Net.CredentialCache.DefaultCredentials or DefaultNetworkCredentials
(both seem to create identical network traffic).
Thanks
Bill W.
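
The two checks suggested in the reply above (does the server's challenge offer Negotiate, and does the name in the client's URL have a matching SPN on the service account), sketched as an added example that is not part of the original thread. The host names, URLs and SPN values are constructed, and the `HTTP/<host>[:port]` SPN form is an assumption about how the client names the service; in practice the inputs would come from the server's 401 response and the account's servicePrincipalName attribute.

```python
from urllib.parse import urlsplit

KNOWN_SCHEMES = {"negotiate", "ntlm", "basic", "digest"}

def offered_schemes(www_authenticate_values):
    """Scheme names found in one or more WWW-Authenticate header values, in order."""
    schemes = []
    for value in www_authenticate_values:
        # A server may send one header per scheme or a comma-separated list.
        for challenge in value.split(","):
            parts = challenge.split()
            if parts and parts[0].lower() in KNOWN_SCHEMES:
                schemes.append(parts[0].lower())
    return schemes

def candidate_spns(url):
    """SPNs a client could request for this URL (assumed HTTP/<host>[:port] form)."""
    parts = urlsplit(url)
    spns = ["HTTP/" + parts.hostname]
    if parts.port:
        spns.append("HTTP/%s:%d" % (parts.hostname, parts.port))
    return spns

def diagnose(url, www_authenticate_values, registered_spns):
    """Return reasons why a call to `url` would fall back to NTLM."""
    findings = []
    if "negotiate" not in offered_schemes(www_authenticate_values):
        findings.append("NEGOTIATE_NOT_OFFERED")
    # SPN comparison is case-insensitive.
    registered = {spn.lower() for spn in registered_spns}
    wanted = candidate_spns(url)
    if not any(spn.lower() in registered for spn in wanted):
        findings.append("NO_MATCHING_SPN " + wanted[0])
    return findings

# Constructed sample: servicePrincipalName values read from the service account.
SAMPLE_SPNS = ["HTTP/websvc01.corp.example", "HTTP/websvc01"]

if __name__ == "__main__":
    # Client uses an alias ("orders") that has no SPN, and the server offers only NTLM.
    print(diagnose("http://orders/Service.asmx", ["NTLM"], SAMPLE_SPNS))
    # Client uses the registered name and the server offers Negotiate.
    print(diagnose("http://websvc01.corp.example/Service.asmx",
                   ["Negotiate", "NTLM"], SAMPLE_SPNS))
```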