Re: ServiceClassName for defining WebService SPN



Basically, the service process running the web service also needs
permissions to delegate and you need Kerberos auth to the next service as
well (SQL in this case). Make sure the proper SQL SPNs are registered on
the correct service account in AD. SQL SPNs can be tricky as they usually
require the port component.

You do need to impersonate the authenticated user when making the call to
SQL. I'm not totally sure what the connection string needs to look like for
the SQL connection but I think you have it.

As long as all the service process identities in the chain have permission
to delegate and you have a full kerb auth chain, you should be able to
continue delegating across many hops if you want. It definitely isn't
limited to just two.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
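The chain Joe describes (client to web service to SQL, each hop with its own SPN on the right account and the intermediate hop allowed to delegate) can be audited from AD before anyone debugs a connection string. The script below is an added example, not code from the thread or from either poster; it assumes the RSAT ActiveDirectory module, and every account, host and port name in it (svc-websvc, svc-sql, websvc01.corp.example, sql01.corp.example:1433) is a constructed placeholder.

```powershell
# Added example (not from the thread): audit the Kerberos delegation chain
# client -> web service -> SQL. Requires the RSAT ActiveDirectory module.
# All account and host names are constructed placeholders.
Import-Module ActiveDirectory

# One entry per hop: the AD account the service process runs as and the SPN
# a client of that hop will request. The SQL SPN carries the port because,
# as the thread notes, MSSQLSvc SPNs usually need it.
$hops = @(
    @{ Account = 'svc-websvc'; Spns = @('HTTP/websvc01.corp.example') },
    @{ Account = 'svc-sql';    Spns = @('MSSQLSvc/sql01.corp.example:1433') }
)

# userAccountControl bit meaning "trusted for (unconstrained) delegation"
$UF_TRUSTED_FOR_DELEGATION = 0x80000

function Test-HopAccount {
    param([string]$Account, [string[]]$Spns)
    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$Account)" `
        -Properties servicePrincipalName, userAccountControl, 'msDS-AllowedToDelegateTo'
    if (-not $acct) { Write-Warning "$Account not found in AD"; return }

    foreach ($spn in $Spns) {
        # Every hop's SPN must be registered on exactly one account; a
        # duplicate anywhere in the forest makes Kerberos fail for that SPN.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        switch ($owners.Count) {
            0 { Write-Warning "$spn is registered on no account (expected $Account)" }
            1 {
                if ($owners[0].DistinguishedName -ne $acct.DistinguishedName) {
                    Write-Warning "$spn is registered on $($owners[0].Name), not $Account"
                } else {
                    "OK  $spn -> $Account"
                }
            }
            default { Write-Warning "$spn is duplicated on: $($owners.Name -join ', ')" }
        }
    }

    # The intermediate hop (the web service) must be allowed to delegate.
    # Unconstrained delegation is a userAccountControl flag; constrained
    # delegation lists the permitted target SPNs in msDS-AllowedToDelegateTo.
    if ($acct.userAccountControl -band $UF_TRUSTED_FOR_DELEGATION) {
        "    $Account : unconstrained delegation enabled"
    } elseif ($acct.'msDS-AllowedToDelegateTo') {
        "    $Account : constrained delegation to $($acct.'msDS-AllowedToDelegateTo' -join ', ')"
    } else {
        "    $Account : no delegation rights (acceptable only for the last hop)"
    }
}

foreach ($hop in $hops) { Test-HopAccount @hop }
```

Run it as a domain user with read access to the accounts; the last hop (SQL) needs no delegation rights itself, but every hop before it does, which is the "full kerb auth chain" condition Joe refers to. Prefer constrained delegation (msDS-AllowedToDelegateTo limited to the SQL SPN) over the unconstrained flag, since an unconstrained intermediate holds reusable user TGTs.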
--
"Ralf Steinstraesser" <RalfSteinstraesser@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:C6495368-6D3A-4931-8CBD-9B8D68846B06@xxxxxxxxxxxxxxxx
Thanks for your answer, Joe!

Still I am wondering what other plumbing I have to do to delegate the user
credentials to the next hop. Let's say the client was able to authenticate
with the web service over the first hop using Kerberos. What is required by
the web service to further delegate the user credentials over to the next
server? I posted another thread, which deals with impersonation and
connection string settings for the 2nd hop for connecting to a database,
here:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.webservices&mid=dd20c528-bd12-4da2-87fd-d77ca30cecb6&sloc=en-us

Thanks for any input on that.

I looked at your book, which is also online, and am thinking about getting a
printed copy. I must admit that the advanced security issues are fairly new
to me. But I guess that's one of the BIG topics which I will have to deal
with, facing more and more enterprise-wide application usage.
--
Dipl.-Ing. Ralf Steinstraesser
Software Architect
Bissantz & Company GmbH



"Joe Kaplan" wrote:

It should be HTTP/.

Basically, the plumbing code in System.Net that implements Kerberos
authentication for all different types of web request traffic
(HttpWebRequest, etc.) will build an SPN for the target using the HTTP
service class name, so that's what you should set on your service accounts
in AD. Also note that System.Net will do a DNS lookup on the name you use
for the service name and will build the SPN based on the host (A) record in
DNS for that name. Be careful if you use DNS aliases as you may get
unexpected behavior.

Also remember that the HOST service class is a "wild card" for a variety of
other different services including HTTP, so if the client specifies an SPN
of HTTP/hostname, that will match to HTTP/hostname but also to HOST/hostname
if the HTTP SPN does not exist explicitly. HOST/hostname SPNs are created
in AD on machine accounts by default when they are joined to the domain
based on the NetBIOS and DNS name of the machine.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Ralf Steinstraesser" <RalfSteinstraesser@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:9C01E9AD-CEB6-42F0-A03F-1EFC97D888EE@xxxxxxxxxxxxxxxx
Hi,

I am having difficulties defining a Service Principal Name (SPN) for a
self-written .NET web service. Assuming that all AD delegation settings are
valid, I am quite clueless as to what the ServiceClassName should be for
registering the SPN for the web service.

Is this the service name tag in the services section, or rather the contract
of the endpoint tag in the config file of the web service...

Any help appreciated here.

--
Dipl.-Ing. Ralf Steinstraesser
Software Architect
Bissantz & Company GmbH
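Joe's earlier reply gives enough to predict the SPN a System.Net client will ask for and to see whether AD can satisfy it: the service class is HTTP, the host part comes from the DNS A record the name resolves to (so an alias is resolved first), and HOST/hostname on the machine account stands in only when no explicit HTTP/hostname exists. The script below is an added example, not code from the thread or from either poster; it assumes the ActiveDirectory and DnsClient modules (Resolve-DnsName), the URL and account names are constructed placeholders, and the "A record after CNAME" rule is taken from Joe's description rather than from the System.Net source.

```powershell
# Added example (not from the thread): predict the HTTP SPN a System.Net
# client will request for a URL and check whether AD can issue a ticket for
# it. Requires the ActiveDirectory and DnsClient modules; names are
# constructed placeholders.
Import-Module ActiveDirectory

function Get-ExpectedHttpSpn {
    param([string]$Url)
    $hostName = ([System.Uri]$Url).Host
    $records = Resolve-DnsName -Name $hostName -ErrorAction Stop

    # A DNS alias resolves through a CNAME; the thread warns that the SPN is
    # then built from the canonical (A record) name, not the alias you typed.
    $cname = $records | Where-Object Type -eq 'CNAME' | Select-Object -First 1
    if ($cname) {
        Write-Warning "$hostName is a CNAME for $($cname.NameHost); the client will build its SPN from the canonical name"
        $hostName = $cname.NameHost.TrimEnd('.')
    }
    "HTTP/$hostName"
}

function Test-SpnCoverage {
    param([string]$Spn)
    # Explicit registration: exactly one account must hold this SPN.
    $explicit = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
    if ($explicit.Count -eq 1) {
        return "OK    $Spn registered on $($explicit[0].Name)"
    }
    if ($explicit.Count -gt 1) {
        return "FAIL  $Spn duplicated on $($explicit.Name -join ', '); Kerberos will fail"
    }

    # No explicit HTTP SPN: the KDC falls back to HOST/<name>, which only
    # helps if the web service runs as the machine account (Network Service /
    # Local System). A custom service account cannot decrypt that ticket.
    $hostSpn = 'HOST/' + $Spn.Substring('HTTP/'.Length)
    $fallback = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$hostSpn)")
    if ($fallback.Count -eq 1 -and $fallback[0].ObjectClass -eq 'computer') {
        return "WARN  no $Spn; clients fall back to $hostSpn on machine account $($fallback[0].Name), correct only if the service runs as that machine account"
    }
    return "FAIL  neither $Spn nor $hostSpn is registered; register with: setspn -S $Spn <service-account>"
}

$spn = Get-ExpectedHttpSpn -Url 'http://websvc01.corp.example/Service.asmx'
Test-SpnCoverage -Spn $spn
```

The WARN branch is the situation Joe's HOST/ "wild card" remark covers: the client gets a ticket, but it is keyed to the machine account, so a web service running under a dedicated domain account silently fails to authenticate until HTTP/hostname is registered on that account. `setspn -S` (rather than `-A`) refuses to add an SPN that already exists elsewhere, which keeps the duplicate case out of the picture.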





