Re: WSE 2.0 Kerberostoken creation on IIS 5.0/win2k fails
From: Dominick Baier (dotnet_at_leastprivilege.com)
Date: 01/04/05
- Maybe in reply to: shikari shambu: "Re: WSE 2.0 Kerberostoken creation on IIS 5.0/win2k fails"
To: microsoft.public.dotnet.security Date: Tue, 04 Jan 2005 13:33:07 -0800
On W2K3, your ASP.NET apps run as Network Service by default. This is a special "service account" introduced in 2k3 and XP.
If the machine IIS6 runs on is a domain member, Network Service has machine credentials in the domain and can request a ticket (think of it as server$).
On Windows 2000 the ASPNET account is a normal local account - no domain membership. You have to change the ASP.NET worker process identity to LOCAL SYSTEM (bad idea) or a domain user to make that work.
---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
I will try setting up the asp.net wp as a domain member. But how is it
that the same code works on Windows 2003 Server running IIS 6.0?
I'd appreciate it if you could help me understand the difference.
TIA
Dominick Baier wrote:
> so how do you want to request a kerberos token if you are not a
> domain member ??
>
> the asp.net worker process identity must be a domain account then.
> you can configure that in the <processmodel> element in machine.config.
>
>
>
> ---
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>
> nntp://news.microsoft.com/microsoft.public.dotnet.security/<1104437301.040317.127520@c13g2000cwb.googlegroups.com>
>
> No, I am using the default accounts. ASPNET for the ASP.NET worker
> process and IUSR for the anon access for IIS.
>
> TIA
>
> Dominick Baier wrote:
> > does your asp.net app run as a domain user?
> >
> > ---
> > Dominick Baier - DevelopMentor
> > http://www.leastprivilege.com
> >
> >
>
> > nntp://news.microsoft.com/microsoft.public.dotnet.security/
> >
> > Hi,
> > I have an ASP.NET web app in which I am trying to create a Kerberos
> > token
> > using the following code.
> >
> > Microsoft.Web.Services2.Security.Tokens.KerberosToken kt = new
> > Microsoft.Web.Services2.Security.Tokens.KerberosToken("host/" +
> > ConfigurationSettings.AppSettings["ws-host"]);
> >
> > This in turn returns
> >
> > The Kerberos credential handle could not be acquired. The
> > AcquireCredentialsHandle call returned the following error code: A
> > specified
> > logon session does not exist. It may already have been terminated
> >
> > Note that the same code works in Windows 2003 server with IIS 6.
> >
> > .NET framework version 1.1
> >
> > Any help is greatly appreciated.
> >
> > TIA
> >
> >
> >
> > [microsoft.public.dotnet.security]
>
>
[microsoft.public.dotnet.security]
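As an added illustration of the machine.config change Dominick describes (this is not from the original thread): the .NET 1.1 `<processModel>` element with the default local ASPNET identity, beside a version that runs the worker process as a domain account, with the credentials stored encrypted in the registry via aspnet_setreg.exe (KB329290) instead of in plain text. The account name CONTOSO\svc-web, the password and the registry key path are placeholders.

```xml
<!-- machine.config, inside <system.web>.
     Default on Windows 2000 / IIS 5: the worker process runs as the local
     ASPNET account. It has no domain identity, so a WSE KerberosToken
     request fails in AcquireCredentialsHandle with "a specified logon
     session does not exist". -->
<processModel enable="true" userName="machine" password="AutoGenerate" />

<!-- Corrected: run the worker process as a low-privileged domain account.
     Credentials are stored encrypted with aspnet_setreg.exe, e.g.
       aspnet_setreg.exe -k:SOFTWARE\MY_SECURE_APP\identity
                         -u:"CONTOSO\svc-web" -p:"<placeholder-password>"
     (the tool's output tells you which account needs read access to that
     key; restrict the key's ACL to it).
     Do not use userName="SYSTEM": that runs the worker process as LOCAL
     SYSTEM, which the reply above calls a bad idea. -->
<processModel enable="true"
              userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,password" />
```

After the change, recycle the worker process (iisreset) and confirm with Task Manager that aspnet_wp.exe now runs under the domain account before retrying the KerberosToken call.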