setspn and delegation

I am having problems getting delegation up and running using a service account running IIS 6.0.

My test scenario calls from an XP client through to a web service on server iis1, through to another web service on iis2, both web servers running Win2003 SP1. The domain is at a functional level of Win2003. Both web services have Windows auth and impersonation set; ping methods to the individual web services do work OK.

I have setup 2 service accounts spniis1 & spniis2. With both service accounts I have run aspnet_regiis -ga against them and also added them to the IIS_WPG & users groups. I have also enabled kerberos by using

cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"

In this scenario, what SPNs should I set up? I have attempted creating them for the website running the web services as well as for the servers, without success, e.g.

setspn -A HTTP/TestWebSite:80 spniis1

setspn -A HTTP/TestWebSite.fqdn.com:80 spniis1

Should I be creating the SPNs against the service account user or the server?

The delegation tab does display for the service accounts and I have attempted to trust it for delegation to any service. No users have the "Account is sensitive and cannot be delegated" set.

Also, the exception being thrown is "The request failed with HTTP status 401: Unauthorized.". Service accounts and server accounts in AD all have "Trust this computer for delegation to any service (Kerberos only)" set.

Any help greatly appreciated!!




  • jumpjack

    Sorry, yes, when calling the first web service I receive the following exception when the first web service attempts to call the second:

    "The request failed with HTTP status 401: Unauthorized."

    Is it possible underlying AD privileges could be restricting the process?

    thanks

    Alan


  • max12345

    I managed to get it working !!!

    Basically I had set up the web services within a non-default website on the servers. Even though the application pools were running under the network service user it was only when I ran the web services from the default web site and the default application pool did delegation run correctly.

    SPNs I set up were:

    HOST/<machine name>

    HOST/<machine name>.<fqdn>.com e.g. HOST/iis1.mycompanyname.com

    HTTP/<machine name>

    HTTP/<machine name>.<fqdn>.com

    I will try reverting to the non-default setup again and try the network sniff to have a look at the kerberos traffic.

    Thanks for all the help.

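The SPN list above is the set a Kerberos client may ask for when it talks to an IIS box: short and fully qualified name for both the HOST and HTTP service classes. The script below is an added example, not code from the thread or from Microsoft, that parses the text `setspn -L <account>` prints (the "Registered ServicePrincipalNames for CN=..." header layout is assumed; the host, domain and account names are constructed) and checks two things for the account the application pool actually runs as: which of those four SPNs are missing, and which SPNs are registered on more than one account. The duplicate check goes beyond what the thread states: when the same SPN sits on both a computer account and a leftover service account, the KDC cannot issue a ticket for it, the client silently falls back to NTLM, and the second hop then fails with the 401 described in the question.

```python
"""Audit SPN registrations parsed from 'setspn -L' output (added example)."""
import re
from collections import defaultdict

# Constructed sample in the shape 'setspn -L <account>' prints on Windows
# Server 2003 (header layout assumed; names are made up). The HTTP/fqdn SPN
# is on both the computer account and the service account tried earlier.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=IIS1,CN=Computers,DC=mycompanyname,DC=com:
    HOST/iis1
    HOST/iis1.mycompanyname.com
    HTTP/iis1
    HTTP/iis1.mycompanyname.com
Registered ServicePrincipalNames for CN=spniis1,CN=Users,DC=mycompanyname,DC=com:
    HTTP/iis1.mycompanyname.com
"""

HEADER_RE = re.compile(r"^Registered ServicePrincipalNames for CN=([^,]+),")


def parse_setspn(text):
    """Return {account: set_of_spns} from one or more concatenated listings.

    SPNs are matched case-insensitively by the KDC, so they are stored
    lower-cased to make comparisons reliable."""
    registrations = defaultdict(set)
    account = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            account = m.group(1)
            continue
        spn = line.strip()
        if account is not None and spn:
            registrations[account].add(spn.lower())
    return dict(registrations)


def expected_spns(host, dns_domain, services=("HOST", "HTTP")):
    """Short and fully qualified SPN for each service class, lower-cased."""
    return {f"{svc}/{host}".lower() for svc in services} | {
        f"{svc}/{host}.{dns_domain}".lower() for svc in services
    }


def audit(registrations, account, host, dns_domain):
    """Report SPNs 'account' lacks and SPNs registered on several accounts.

    'account' is whatever the application pool runs as: the computer account
    when the pool runs as Network Service, otherwise the service account."""
    have = registrations.get(account, set())
    missing = sorted(expected_spns(host, dns_domain) - have)

    owners = defaultdict(list)
    for acct, spns in registrations.items():
        for spn in spns:
            owners[spn].append(acct)
    duplicates = {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}
    return {"missing": missing, "duplicates": duplicates}


if __name__ == "__main__":
    regs = parse_setspn(SETSPN_OUTPUT)
    # Pool runs as Network Service, so the computer account IIS1 is audited.
    print(audit(regs, "IIS1", "iis1", "mycompanyname.com"))
```

Run it against the real listings by concatenating the output of `setspn -L` for the computer account and every service account that was ever tried; a non-empty "duplicates" entry means one of those registrations has to be removed before Kerberos can work at all.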

  • Madhu Ponduru -MSFT

    A couple of suggestions:

    • SetSPN Usage
      • "Setspn.exe -A SpnToBeAdded ComputerName"
      • Looks to me like you are using: "setspn.exe -A SpnToBeAdded username"
    • Don't append the :80 on the SPN you are registering because it is the default port. Most client implementations don't send the port (especially when using the default port).
    • What user account is the web service running under? If the web service is running under the standard Network Service user, then you should be able to just use "HTTP/ComputerName" (replacing ComputerName appropriately).

    Try this and let me know the results.



  • HobbyCoder

    Found a useful document that might help others determine the SPNs they require for delegation

    http://support.microsoft.com/default.aspx?scid=kb;en-us;887993

    Still does not help me!! But I can now see that on the second hop of the web service chain the event viewer logs the security entries of the attempts of the Network Service, IUSR_XXX and then the ANONYMOUS LOGON, which of course, if delegation was working, should instead be the original caller's user details. So this points to the fact that the credentials are not being delegated on from the first web service call to the next.

    This is the code the first web service is using to call the second (the second WS does have win authen & impersonation set):

    // Proxy for the second web service, created inside the first one
    Test2.Service test2Srv = new Test2.Service();
    // Send the Authorization header with the first request instead of waiting for a 401
    test2Srv.PreAuthenticate = true;
    // Use the identity the current thread is impersonating (the original caller, if delegation works)
    test2Srv.Credentials = System.Net.CredentialCache.DefaultCredentials;
    // Keep pooled connections per caller so an authenticated connection is not reused for another user
    test2Srv.ConnectionGroupName = this.User.Identity.Name;
    // No timeout
    test2Srv.Timeout = -1;
    test2Srv.MethodCall();
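
The security-log observation in the post above is the most direct test of whether delegation worked: the identity that logs on at the second server is either the original caller or one of the server's own identities. The script below is an added example (not from the thread or any Microsoft tool) that triages such entries. The events are constructed; their field names follow the text layout of a Windows Server 2003 "Successful Network Logon" entry as an assumption, and the user, domain and server names are made up. It classifies each hop-2 logon as "delegated" only when an ordinary domain user arrived via Kerberos, and reports everything else (computer accounts, IUSR_/IWAM_ accounts, ANONYMOUS LOGON, NTLM logons) as not delegated, which is exactly the pattern the post describes.

```python
"""Triage second-hop logon events for a Kerberos delegation chain (added example)."""
import re

# Constructed events as seen on the second web server. The first three are
# what the post reports while delegation was failing; the last is what a
# working chain would show (the caller's own account, via Kerberos).
SAMPLE_EVENTS = [
    """Successful Network Logon:
        User Name: IIS1$
        Domain: MYCOMPANYNAME
        Logon Type: 3
        Authentication Package: NTLM""",
    """Successful Network Logon:
        User Name: IUSR_IIS2
        Domain: IIS2
        Logon Type: 3
        Authentication Package: Negotiate""",
    """Successful Network Logon:
        User Name: ANONYMOUS LOGON
        Domain: NT AUTHORITY
        Logon Type: 3
        Authentication Package: NTLM""",
    """Successful Network Logon:
        User Name: alan
        Domain: MYCOMPANYNAME
        Logon Type: 3
        Authentication Package: Kerberos""",
]

FIELD_RE = re.compile(
    r"^\s*(User Name|Domain|Logon Type|Authentication Package):\s*(.*)$", re.M
)
# Identities that mean the hop ran as the server or IIS itself, not as the caller.
SERVICE_IDENTITIES = {"ANONYMOUS LOGON", "NETWORK SERVICE", "LOCAL SERVICE", "SYSTEM"}


def parse_event(text):
    """Extract the fields we care about from one event's message text."""
    return {key: value.strip() for key, value in FIELD_RE.findall(text)}


def is_delegated_caller(user, domain):
    """True when the logon identity is an ordinary user account rather than a
    computer account (name ends in '$', which is how Network Service appears
    over the network), an IIS built-in account, or a well-known service SID."""
    u = user.upper()
    if u in SERVICE_IDENTITIES or u.endswith("$"):
        return False
    if u.startswith("IUSR_") or u.startswith("IWAM_"):
        return False
    return domain.upper() not in {"NT AUTHORITY", ""}


def triage(events):
    """Return (identity, auth package, verdict) for each event.

    'delegated' requires both a real user identity and Kerberos: an NTLM
    logon carries no forwardable ticket, so it can never be a delegated hop."""
    results = []
    for text in events:
        ev = parse_event(text)
        user = ev.get("User Name", "")
        domain = ev.get("Domain", "")
        package = ev.get("Authentication Package", "")
        delegated = is_delegated_caller(user, domain) and package.upper() == "KERBEROS"
        results.append((f"{domain}\\{user}", package, "delegated" if delegated else "not-delegated"))
    return results


def delegation_ok(events):
    """True if at least one hop-2 logon carried a delegated caller identity."""
    return any(verdict == "delegated" for _, _, verdict in triage(events))


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
    print("delegation working:", delegation_ok(SAMPLE_EVENTS[:3]))
```

The authentication package column is the thing to look at first: if hop 2 only ever sees NTLM, the first server never obtained a Kerberos ticket for it (typically the SPN problem discussed in this thread), and the delegation settings in AD are not even being exercised yet.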

  • medic_8

    Most of the time you shouldn't have to do anything special with the SPN for traffic to an HTTP server because it usually falls under the standard format "HTTP/<computerName>".

    If you are running under Network Service account, then the SPN should be of the following format (you may have to try several). Replace entries in angle brackets with appropriate values (don't include the brackets).

    HOST/<machinename>
    <machinename>@<domain name>
    <domain name>\<machine name>
    <machine name>$@<domain name>
    <domain name>\<machine name>$

    If none of these work, please post (or e-mail me) the output from "setspn.exe -l <computername>" and a list of all the SPNs you have tried so far.

    The next thing I would do is get a network sniff (using netmon or ethereal) of the unauthorized request (including traffic to the KDC/domain controller) so that I can see what Kerberos traffic is being sent over the wire. I want to make sure that the problem is the SPN and not something else. If you need information on how to use netmon, see http://blogs.msdn.com/dgorti/archive/2005/10/29/486887.aspx



  • El gabacho

    Are you saying that the current arrangement is not working?



  • Rick Frankel

    Hi Jon

    The application pool running the web service is executing under the Network Service user on both servers, setspn -l lists the 2 HTTP and 2 HOST SPNs.

    I originally attempted to configure a service account to run the application pool hence the "setspn -A spn username". In AD both servers have "Trust this computer for delegation to any service (Kerberos only)".

    I still get the same exception "The request failed with HTTP status 401: Unauthorized."; naturally, I can directly call the second web service in the chain and it works OK, so therefore something is failing in the delegation process.

    Any other thoughts?

    thanks for the efforts

    Alan


  • GrayMatter Software

    By the way, I found a great white paper that describes how to troubleshoot kerberos delegation issues. It is worth reading...

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx
