JackP (Posts: 40) | 12/17/2007 2:16 AM
Hello,

Hope this isn't too off topic. I am writing a vb.net web service to do some AD tasks. I am having a terrible time getting the impersonation to work.

I am using a DirectorySearcher in the code. I get the error "An operations error has occurred."

The web service works when not doing impersonation and it also works with Basic authentication.

Steps I've followed:
Setup webserver computer account for delegation and rebooted the server.
These are in my web.config:
<authentication mode="Windows"/>
<identity impersonate="true"/>
Unchecked anon access in IIS
Checked off Integrated Security (everything else not checked)
Added this to my code before calling something from the web service:
ws.Credentials = Net.CredentialCache.DefaultCredentials

Any help would be greatly appreciated.
Thanks!
-Jack
joe (Posts: 112) | 12/17/2007 2:51 AM
That scenario typically requires you to implement Kerberos delegation in order for it to work. The identity running the IIS app pool needs rights to delegate. It is generally better if you do this by configuring constrained delegation (which also gives you the option of using protocol transition login, which then means that you don't need successful Kerberos auth from the browser to the web server), but constrained delegation isn't actually required.

There are tons of posts and articles covering this type of thing. We also cover it in some detail in ch 8 of our book.

Joe K.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
robertsingers (Posts: 579) | 12/17/2007 4:28 AM
According to our chief coding monkey this is the article to read :-)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306158
joe (Posts: 112) | 12/17/2007 4:58 AM
You only need to implement the advice from that article if you want to programmatically impersonate a different identity. I think he wanted the code to run under the security context of the authenticated user, so in that case you need delegation.

The code shown in the article requires plaintext credentials, so if he was going to try to make that work in his scenario, he'd need to prompt the user for their password (which defeats the purpose of using integrated auth).

Joe K.
JackP (Posts: 40) | 01/04/2008 10:58 AM
I hate to admit defeat, but I am out of ideas. I really need some help on this.

I've read every piece of info on the web and in your book, yet I still can't get this to work.

I was using the default app pool which was running as network service. While doing that I could connect to the web service but delegation definitely wasn't working.

So I created a new app pool, used a domain account for the identity, added 2 SPNs to the user account and then turned on delegation to the account (no constraints for now).

So I have these SPNs:
HTTP/nptest
HTTP/nptest.domain.com

Now when I try to connect to the web service I get Service Unavailable.

Thank you for your help.
-Jack
JackP (Posts: 40) | 01/04/2008 11:18 AM
Ok, I figured out the service unavailable issue, needed to add the user to IIS_WG group (sorry for the noise, I don't know much about IIS).

Regretfully though, this has not fixed my impersonation issue. Whenever I try to search against AD I get "An operations error has occurred." With Basic authentication though the code works.

Anyone have any words of wisdom for a weary soul?

Thanks.
-Jack
michael1 (Posts: 438) | 01/04/2008 11:18 AM
To get my PowerShell webhost to run on IIS I had to do the below (granted, I'm running against Windows Server 2008, but I don't think this is a change).

And I'm not an IIS whiz. These may be completely disconnected issues. But they seem similar.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <identity impersonate="false" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <runtime>
    <legacyImpersonationPolicy enabled="false"/>
    <alwaysFlowImpersonationPolicy enabled="true"/>
  </runtime>
</configuration>

Regards,
Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com
joe (Posts: 112) | 01/04/2008 11:39 AM
I'm glad you got it working while I was away from my email today and missed the evolution of this thread.

My guess on the file server access is that you don't have Kerberos auth working to it. You need to have Kerberos auth working to each of your remote services in order to be able to delegate to them.

Make sure the host name you are using for the file server matches an SPN associated with the machine account for the file server. It should either be HOST/xxxx or cifs/xxxx, where xxxx is the host name you are using.

Joe
----- Original Message -----
From: "Jack Parkin" <JParkin@uss.com>
To: <ActiveDir@mail.activedir.org>
Sent: Thursday, January 03, 2008 3:31 PM
Subject: Re: [ActiveDir] .NET Web Service - Impersonation w/Integrated Security

> My code seems to be mysteriously working for AD now...when I look at the
> audit logs for the user creation I am doing, it shows my account as
> having made the change, so impersonation definitely seems to be working.
>
> However, the code also does some security changes on a file server. I am
> getting access denied on that piece.
>
> Any thoughts?
>
> Thanks!
>
> -Jack
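The SPN check Joe describes, as an added example that is not code from the thread or from anyone in it: it looks up the cifs/ and HOST/ SPNs for the name the web service uses to reach the file server, using the ADSI searcher so it needs no extra modules, and flags missing, misplaced or duplicate registrations. The $HostName parameter and the sample name fileserver01.domain.com are assumptions; it expects PowerShell 3.0 or later on a domain-joined machine.

```powershell
# Added example (not from the thread). Run on any domain-joined machine as a
# normal domain user; it only reads the directory.
param(
    [string]$HostName = 'fileserver01.domain.com'  # assumed parameter, constructed sample value
)

function Get-SpnRegistration {
    param([string]$Spn)
    # LDAP search of the current domain for every account that carries this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('objectClass')
    $hits = @($searcher.FindAll())

    # HOST/ and cifs/ for a server should live on its machine (or cluster) computer
    # object; a user account holding them points to a misplaced or stale registration.
    $onComputer = @($hits | Where-Object { $_.Properties['objectclass'] -contains 'computer' }).Count -gt 0

    [pscustomobject]@{
        SPN        = $Spn
        Count      = $hits.Count
        Accounts   = @($hits | ForEach-Object { $_.Properties['samaccountname'][0] })
        OnComputer = $onComputer
    }
}

function Test-KerberosReachable {
    param([string]$Name)
    # A CIFS client asks the KDC for cifs/<name>; the domain's default SPN mapping
    # treats cifs as an alias of HOST, so either registration lets Kerberos work.
    $regs = foreach ($spn in @("cifs/$Name", "HOST/$Name")) { Get-SpnRegistration -Spn $spn }

    # Exactly one holder, on a computer object, is the healthy state.
    $usable    = @($regs | Where-Object { $_.Count -eq 1 -and $_.OnComputer }).Count -gt 0
    # More than one holder of the same SPN makes the KDC refuse tickets, and the
    # client silently drops to NTLM, which cannot be delegated.
    $duplicate = @($regs | Where-Object { $_.Count -gt 1 }).Count -gt 0

    [pscustomobject]@{
        Host          = $Name
        Registrations = $regs
        Usable        = ($usable -and -not $duplicate)
        Duplicate     = $duplicate
    }
}

$result = Test-KerberosReachable -Name $HostName
$result.Registrations | Format-Table SPN, Count, Accounts, OnComputer -AutoSize

if ($result.Duplicate) {
    Write-Warning "Duplicate SPN for $HostName; the KDC will not issue tickets and clients fall back to NTLM."
} elseif (-not $result.Usable) {
    Write-Warning "No cifs/ or HOST/ SPN for $HostName on a computer account; Kerberos, and so delegation, will fail."
}
```

If the name you use is a CNAME or an alias for a cluster network name, run it with that exact name, since the SPN has to match what the client asks for, not the underlying host.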
JackP (Posts: 40) | 01/04/2008 12:24 PM
That makes perfect sense, especially once I looked at the cluster and saw that they don't have Kerberos enabled on the network name. Lucky for me that means I have to take the entire resource offline.

I was going to test this on another server, but now I am getting the operations error again. I tried it first thing this morning and it worked. I tried it 10 minutes later (didn't make any changes) and now I get the error again.

Any thoughts on how I can see what is breaking down?

Thanks!
-Jack
joe (Posts: 112) | 01/04/2008 12:24 PM
Pure unconstrained Kerberos delegation relies on the original authentication from the client to the first server being Kerberos as well as the authentication to each backend resource being Kerberos as well. However, since Windows uses Negotiate authentication and Negotiate can switch over to NTLM if Kerberos is unavailable for some reason, the whole thing can break.

What I think may be happening is that you have some sort of intermittency with successful Kerberos auth between the browser and the web server. If the browser drops back to NTLM for some reason, the whole thing breaks.

You can find out if this is the case by enabling auditing of logon events on the web server and checking to see what type of auth was performed when the client accessed the web server. It will say either NTLMSSP or Kerberos.

Fixing this may be harder, as you would need to figure out why the behavior is intermittent. Network sniffs of the traffic are usually instructive as to what is happening, although they take a while to learn how to interpret if you aren't used to looking at them.

Another possible approach is to switch to constrained delegation and enable protocol transition logon on the web server service account. This will allow the web server to authenticate with "any protocol", including NTLM, but transition to Kerberos auth automatically when needed (such as for a delegation scenario). I use this feature a lot.

It is a good idea to switch to constrained delegation anyway because it is much more secure. It is also a very good idea to set your sensitive accounts like DA's to "sensitive and cannot be delegated" to prevent them from being abused by web servers that have been given these extra powers.

Joe
>>> These are in my web.config >>> <authentication mode="Windows"/> >>> <identity impersonate="true"/> >>> Unchecked anon access in IIS >>> Checked off Integrated Security (everything else not checked) >>> Added this to my code before calling something from the web service >>> >>> ws.Credentials = Net.CredentialCache.DefaultCredentials >>> >>> Any help would be greatly appreciated. >>> >>> Thanks! >>> >>> -Jack >>> >> >> List info : http://www.activedir.org/List.aspx >> List FAQ : http://www.activedir.org/ListFAQ.aspx >> List archive: http://www.activedir.org/ma/default.aspx >> >> > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ma/default.aspx > >
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
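Editor's note: the checks Joe asks for across this thread (HTTP SPNs on the app pool identity, that identity being trusted for delegation, constrained versus unconstrained, and a HOST/ or cifs/ SPN matching the exact host name used for the file server) can be verified from any domain-joined admin workstation before touching IIS. The PowerShell below is an added example, not code from the thread or from the book Joe refers to. It uses only the [adsisearcher] accelerator (System.DirectoryServices.DirectorySearcher, the same class Jack's web service uses), so no RSAT module is needed. The account and host names (svc-nptest, nptest.domain.com, fileserver.domain.com) are placeholders standing in for Jack's real names; the userAccountControl bit values are the documented Windows constants.

```powershell
# Added example (not from the thread): verify Kerberos delegation prerequisites
# for an IIS app pool identity and a back-end file server, read-only against AD.
# Run as a domain user on a domain-joined host. Names below are placeholders.

# Documented userAccountControl flags
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any protocol")

function Find-AdObject {
    param([string]$LdapFilter, [string[]]$Properties)
    # [adsisearcher] searches the default naming context of the current domain
    $searcher = [adsisearcher]$LdapFilter
    $searcher.PageSize = 200
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return @($searcher.FindAll())
}

function Test-DelegationSetup {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,  # app pool identity (sAMAccountName)
        [Parameter(Mandatory)][string]$WebHost,         # name browsers use for the web service
        [Parameter(Mandatory)][string]$TargetHost       # name the service uses to reach the file server
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. App pool identity: HTTP SPN present, and some form of delegation granted
    $acct = Find-AdObject "(&(objectClass=user)(sAMAccountName=$ServiceAccount))" `
                          'servicePrincipalName','userAccountControl','msDS-AllowedToDelegateTo'
    if ($acct.Count -ne 1) { $findings.Add("FAIL: account '$ServiceAccount' not found or ambiguous"); return $findings }
    $props     = $acct[0].Properties
    $spns      = @($props['serviceprincipalname'])
    $uac       = [int]$props['useraccountcontrol'][0]
    $allowedTo = @($props['msds-allowedtodelegateto'])

    if ($spns -contains "HTTP/$WebHost") {
        $findings.Add("OK: HTTP/$WebHost registered on $ServiceAccount")
    } else {
        # Without this SPN the browser negotiates NTLM, and an NTLM token cannot be delegated
        $findings.Add("FAIL: HTTP/$WebHost not registered on $ServiceAccount")
    }

    $unconstrained = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
    $constrained   = $allowedTo.Count -gt 0
    $protoTrans    = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
    if (-not ($unconstrained -or $constrained)) {
        $findings.Add("FAIL: $ServiceAccount is not trusted for delegation")
    } elseif ($constrained) {
        $mode = if ($protoTrans) { 'constrained, protocol transition' } else { 'constrained, Kerberos only' }
        $findings.Add("OK: $mode delegation to: $($allowedTo -join ', ')")
        # Constrained delegation is limited to the listed target SPNs
        if (($allowedTo -notcontains "cifs/$TargetHost") -and ($allowedTo -notcontains "HOST/$TargetHost")) {
            $findings.Add("FAIL: neither cifs/$TargetHost nor HOST/$TargetHost is in msDS-AllowedToDelegateTo")
        }
    } else {
        $findings.Add("WARN: unconstrained delegation enabled; constrained delegation is the least-privilege choice")
    }

    # 2. The back-end host name must match a HOST/ or cifs/ SPN on exactly one account
    $holders = Find-AdObject "(|(servicePrincipalName=HOST/$TargetHost)(servicePrincipalName=cifs/$TargetHost))" 'sAMAccountName'
    switch ($holders.Count) {
        0       { $findings.Add("FAIL: no account holds HOST/$TargetHost or cifs/$TargetHost; Kerberos to that name cannot work") }
        1       { $findings.Add("OK: SPN for $TargetHost held by $($holders[0].Properties['samaccountname'][0])") }
        default { $findings.Add("FAIL: HOST/cifs SPN for $TargetHost duplicated across $($holders.Count) accounts") }
    }

    # 3. A duplicate HTTP SPN anywhere in the domain breaks Kerberos to IIS as well
    $httpHolders = Find-AdObject "(servicePrincipalName=HTTP/$WebHost)" 'sAMAccountName'
    if ($httpHolders.Count -gt 1) {
        $findings.Add("FAIL: HTTP/$WebHost registered on $($httpHolders.Count) accounts")
    }
    return $findings
}

# Usage with placeholder names
Test-DelegationSetup -ServiceAccount 'svc-nptest' -WebHost 'nptest.domain.com' -TargetHost 'fileserver.domain.com'
```

Run it once per name the web service actually uses: a short name (nptest) and an FQDN (nptest.domain.com) are distinct SPNs, as are the short and long names of the file server. `setspn -L <account>` gives the same SPN listing from the command line for a cross-check. A clustered file share has its SPNs on the cluster network name's account rather than on any node, which is why the check is keyed on the name in use rather than on a particular machine account.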