Re: Kerberos (Web Service)



I'll try to answer inline...

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Anthony Yott" <anthonyyott@xxxxxxxxxxx> wrote in message
news:87F09A10-CA82-4507-886A-0EF4E027E7D6@xxxxxxxxxxxxxxxx
Folks, I posted this on the WSE board as well and I'm posting here just in
case somebody has some ideas.

Scenario
==========================
In my case, the server App is an ASP.NET 2.0 Web Service on Windows 2003
using WSE 3.0 and Kerberos policy. The client will be an ASP.NET 2.0 Web site
that will be located on either a Win 2000 or Win 2003 machine. The Web
Service and Web Sites will be located on a separate machine in the SAME
domain.

Questions
============================
1.) I know I'm supposed to create an SPN for a domain account and run the
web service under that account in the farm. The question is do I create an
"arbitrary" SPN or do I create a "host" SPN? Can I create both for a single
Domain account? Should I?


If I know the protocol the service will use, I'll create the
protocol-specific SPN. In this case, it would be HTTP/servicename

The "HOST" SPN is a catch all for a variety of different types of services,
so you could use it here, but it is probably more appropriate to use the
specific version.

Your domain account can have multiple SPNs, and you can do both the HTTP and
HOST SPNs if you want to be redundant. It won't hurt. What does hurt is
having duplicate SPNs. That will tend to make both service accounts not
work. Always search the forest for the existence of an SPN before you set
one.

2.) Does the SPN Identity that the web services run under need delegation,
etc?


The only account that needs the rights to delegate is the service process
that is doing the delegation. The target of the delegation doesn't need
delegation rights, it just needs to be "authenticatable" via Kerberos (which
is why it needs an SPN). In your case, the only reason the web service
account would need rights to delegate is if it was going to delegate to
another backend resource like SQL server. However, it sounds like the web
app front end is actually delegating the user's identity to the web service,
so only the web app service process account needs rights for delegation.

3.) What special considerations are needed on the client (ASP.NET 2.0 web)?
i.e., do they need to run under the SPN account? Do they have to have
delegation? In testing on my machine (Win XP), if the client was ASP.NET I
had to impersonate (either in web config or in code) in order to make the
call work correctly.

The "client" of the web service, in this case the web app, needs an SPN so
that it can participate in Kerberos authentication and needs the rights for
delegation. Which type (Kerberos only or "any protocol", which is the S4U
or "protocol transition" setting) depends on what type of auth you plan to
require from the web server itself. Protocol Transition is more flexible,
but requires 2003 web servers and a 2003 AD. It also requires configuring
constrained delegation. You should always use constrained delegation if you
can, but that too requires AD 2003, so it might not be an option.

If you want to delegate the authenticated user's security context, then you
need to impersonate, at least for the duration of the web service proxy call
and you need to set the Credentials property to the appropriate
DefaultCredentials value. You don't have to enable impersonation "globally"
in web.config if you don't want, but if you don't, you do have to
impersonate programmatically before you make your web service call.

Any help would be greatly appreciated

Thanks in advance,
Anthony Yott
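The SPN and delegation setup Joe describes in his answers to questions 1 and 2, as an added example that is not part of the original thread or of WSE: it searches the whole forest (the global catalog) for an SPN before registering it, adds both the short and the fully qualified HTTP/ forms on the web service account, and then gives the web app (front-end) account constrained delegation to exactly those SPNs, never the unconstrained "trusted for delegation" bit. It uses System.DirectoryServices, which ships with .NET 2.0. The forest root, OU, account names and host names are assumptions for illustration.

```csharp
// Added example, not from the original thread or from WSE: register HTTP SPNs for
// the web service account after checking the whole forest for duplicates, then
// constrain the web app (front-end) account so it may delegate only to those SPNs.
// Uses System.DirectoryServices (available in .NET 2.0). The domain, OU, account
// and host names below are assumptions for illustration. Run as an account that
// may write servicePrincipalName and userAccountControl on the target objects.
using System;
using System.DirectoryServices;

class SpnAndDelegationSetup
{
    // Assumed forest root; the GC: provider searches every domain in the forest.
    const string ForestRootDn = "DC=corp,DC=example,DC=com";

    // userAccountControl bits (from the Active Directory schema).
    const int TRUSTED_FOR_DELEGATION = 0x80000;             // unconstrained: never set it here
    const int TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000;   // "use any protocol" / protocol transition

    // Search the global catalog for any object already holding the SPN.
    // Returns the holder's distinguishedName, or null if the SPN is free.
    static string FindSpnHolder(string spn)
    {
        using (DirectoryEntry gc = new DirectoryEntry("GC://" + ForestRootDn))
        using (DirectorySearcher ds = new DirectorySearcher(gc))
        {
            // '/' and '.' are legal in an LDAP filter value; only ( ) * \ NUL would need escaping.
            ds.Filter = "(servicePrincipalName=" + spn + ")";
            ds.SearchScope = SearchScope.Subtree;
            ds.PropertiesToLoad.Add("distinguishedName");
            SearchResult r = ds.FindOne();
            return r == null ? null : (string)r.Properties["distinguishedName"][0];
        }
    }

    // Add an SPN to an account only if nothing else in the forest already owns it.
    static void AddSpn(string accountDn, string spn)
    {
        string holder = FindSpnHolder(spn);
        if (holder != null)
        {
            if (string.Equals(holder, accountDn, StringComparison.OrdinalIgnoreCase))
                return; // already on the right account, nothing to do
            throw new InvalidOperationException(
                "Refusing to create duplicate SPN " + spn + ": already held by " + holder);
        }
        using (DirectoryEntry acct = new DirectoryEntry("LDAP://" + accountDn))
        {
            acct.Properties["servicePrincipalName"].Add(spn);
            acct.CommitChanges();
        }
    }

    // Constrained delegation (Windows 2003 forest): the front-end account may obtain
    // service tickets on the caller's behalf only for the SPNs in targetSpns.
    static void ConstrainDelegation(string frontEndDn, string[] targetSpns, bool protocolTransition)
    {
        using (DirectoryEntry fe = new DirectoryEntry("LDAP://" + frontEndDn))
        {
            fe.Properties["msDS-AllowedToDelegateTo"].Clear();
            foreach (string spn in targetSpns)
                fe.Properties["msDS-AllowedToDelegateTo"].Add(spn);

            int uac = (int)fe.Properties["userAccountControl"].Value;
            uac &= ~TRUSTED_FOR_DELEGATION;                       // make sure it is not unconstrained
            if (protocolTransition)                               // "Use any authentication protocol"
                uac |= TRUSTED_TO_AUTH_FOR_DELEGATION;
            else                                                  // "Use Kerberos only"
                uac &= ~TRUSTED_TO_AUTH_FOR_DELEGATION;
            fe.Properties["userAccountControl"].Value = uac;
            fe.CommitChanges();
        }
    }

    static void Main()
    {
        string serviceAccountDn = "CN=svc-wse,OU=Service Accounts," + ForestRootDn;    // runs the web service app pool
        string webAppAccountDn  = "CN=svc-webapp,OU=Service Accounts," + ForestRootDn; // runs the web site app pool

        // Register both the short and the fully qualified form: the client builds the
        // SPN from whatever host name appears in the URL it calls.
        string[] serviceSpns = { "HTTP/wsvc01", "HTTP/wsvc01.corp.example.com" };
        foreach (string spn in serviceSpns)
            AddSpn(serviceAccountDn, spn);

        // The web app delegates the caller's identity to the web service, so only the
        // web app account gets delegation rights, and only to the service's SPNs.
        ConstrainDelegation(webAppAccountDn, serviceSpns, false);
        Console.WriteLine("SPNs registered and constrained delegation configured.");
    }
}
```

The duplicate check matters because the Windows 2003 support-tools `setspn -A` writes the SPN without looking for an existing holder; the KDC then cannot pick a key for the ticket and Kerberos fails for both accounts, which is the failure Joe warns about. In a load-balanced farm, register the farm's DNS name (the name clients put in the URL) rather than the individual nodes, and run every node's app pool under the same domain account so the ticket can be decrypted on whichever node receives it.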
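The client-side pattern from the answer to question 3, as an added example that is not part of the original thread or of WSE 3.0 itself: the ASP.NET 2.0 web app does not enable impersonation globally in web.config, but impersonates the authenticated caller just around the WSE proxy call and sets Credentials to DefaultCredentials, so the ticket delegated to the web service is the caller's rather than the app pool identity's. The hand-written proxy class, its URL, the "WhoAmI" operation and the policy name "ClientPolicy" are assumptions; a real proxy would come from Add Web Reference or WseWsdl3.exe.

```csharp
// Added example, not from the original thread or from WSE 3.0 itself: an ASP.NET 2.0
// helper that impersonates the authenticated caller only for the duration of the web
// service call, so the ticket delegated to the service is the caller's and not the
// app pool identity's. The proxy class, its URL, the "WhoAmI" operation and the policy
// name "ClientPolicy" are assumptions for illustration.
using System;
using System.Net;
using System.Security.Principal;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services3;

// Hand-written stand-in for a WSE 3.0 generated proxy (assumed service contract).
[WebServiceBinding(Name = "ServiceSoap", Namespace = "http://example.com/")]
public class ServiceWse : WebServicesClientProtocol
{
    [SoapDocumentMethod("http://example.com/WhoAmI")]
    public string WhoAmI()
    {
        object[] results = Invoke("WhoAmI", new object[0]);
        return (string)results[0];
    }
}

public static class DelegatedCall
{
    // Returns the identity the service saw, so you can confirm delegation worked
    // (it should be the caller, not the web app's app pool account).
    public static string CallServiceAsCaller(HttpContext ctx)
    {
        // Requires <authentication mode="Windows"/> with anonymous access disabled in IIS.
        WindowsIdentity caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new InvalidOperationException("No Windows-authenticated caller to delegate.");

        // A caller who fell back to NTLM cannot be delegated unless the web app account
        // is configured for protocol transition ("use any authentication protocol").
        if (!string.Equals(caller.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                "Caller authenticated with " + caller.AuthenticationType +
                "; Kerberos (or protocol transition on the web app account) is required.");

        // Impersonate only around the proxy call; no <identity impersonate="true"/> needed.
        WindowsImpersonationContext wic = caller.Impersonate();
        try
        {
            ServiceWse proxy = new ServiceWse();
            proxy.Url = "http://wsvc01.corp.example.com/Service.asmx"; // assumed; host must match the HTTP/ SPN
            proxy.SetPolicy("ClientPolicy");                           // assumed Kerberos policy in wse3policyCache.config
            // While impersonating, DefaultCredentials is the caller's security context.
            proxy.Credentials = CredentialCache.DefaultCredentials;
            return proxy.WhoAmI();
        }
        finally
        {
            wic.Undo(); // always revert to the app pool identity, even on failure
        }
    }
}
```

Scoping the impersonation this way is the safer choice when only one or two outbound calls should carry the caller's identity: with `<identity impersonate="true"/>` every outbound connection the page makes (SQL, file shares, other services) runs as the caller, which widens what a compromised page can reach. The `AuthenticationType` check is the practical caveat behind Joe's "Kerberos only" versus "any protocol" remark: a browser that negotiated NTLM gives the web app nothing it can forward unless the web app account has protocol transition enabled.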