Hi,

if he is accessing a LOCAL resource - this is NOT delegation...
very early in the morning - knowing for sure :))

cheers,
dominick

-----------------------------
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:[EMAIL PROTECTED] On Behalf Of Ernst Kuschke
Sent: Mittwoch, 1. März 2006 01:18
To: [email protected]
Subject: Re: [ADVANCED-DOTNET] ASP.NET Delegation

Very late at night off the top of my head:

- Your ASP.NET app needs to be running with impersonation = true
- Your servers should be enlisted for Kerberos delegation (specifically the one running your ASP.NET app)
- Setup IIS to allow Impersonation, with no Anonymous access

-Ernst

On 3/1/06, Dominick Baier <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> to which URL is your web proxy set?
>
> cheers,
> dominick
>
> -----------------------------
> Dominick Baier, DevelopMentor
> http://www.leastprivilege.com
>
>
> -----Original Message-----
> From: Discussion of advanced .NET topics.
> [mailto:[EMAIL PROTECTED] On Behalf Of Don Stanley
> Sent: Mittwoch, 1. März 2006 00:12
> To: [email protected]
> Subject: Re: [ADVANCED-DOTNET] ASP.NET Delegation
>
> One other thing -
>
> Does it matter that the server is being referenced by an "external"
> DNS name? I've set up the ASP.NET app to use the address
> http://crm.company.com, which just redirects to an internal IP address.
> The server is actually a member of the domain company.local (this was
> done to make the transition from internal to external easier).
>
> Does that make any difference?
>
> Don
>
> -----Original Message-----
> From: Discussion of advanced .NET topics.
> [mailto:[EMAIL PROTECTED] On Behalf Of Dominick Baier
> Sent: Tuesday, February 28, 2006 12:59 PM
> To: [email protected]
> Subject: Re: [ADVANCED-DOTNET] ASP.NET Delegation
>
> Hi,
>
> first of all you should be sure which identity is used to call the web
> service -
>
> output a WindowsIdentity.GetCurrent().Name before setting the
> credentials - is this account authorized for the web service?
>
> If the web service is on the same machine you are not delegating -
> anyhow - this is the best place for Kerberos delegation troubleshooting:
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx
>
> cheers,
> dominick
>
> -----------------------------
> Dominick Baier, DevelopMentor
> http://www.leastprivilege.com
>
>
> -----Original Message-----
> From: Discussion of advanced .NET topics.
> [mailto:[EMAIL PROTECTED] On Behalf Of Don Stanley
> Sent: Dienstag, 28. Februar 2006 19:20
> To: [email protected]
> Subject: [ADVANCED-DOTNET] ASP.NET Delegation
>
> I am having trouble passing credentials from an ASP.NET application to
> a web service call on the same machine. The web service is for
> Microsoft CRM 3.0, and the code to access it is as follows:
>
> Web Project name: CRMUtilities
> Web Reference: CRM
>
> // Standard CRM Service Setup
> CRM.CrmService service = new CRM.CrmService();
> // This should pull the Windows credentials from the ASP.NET app
> service.Credentials = System.Net.CredentialCache.DefaultCredentials;
>
> // set up columns (ID in particular)
> ...
>
> try
> {
>     newLead = (CRM.lead)service.Retrieve(
>         CRM.EntityName.lead.ToString(),
>         new Guid(_ObjectID), columns);
> }
> catch(SoapException soapException)
> {
>     throw new Exception(soapException.Detail.InnerXml);
> }
> catch(Exception exception)
> {
>     throw exception;
> }
>
>
> This works fine from my development workstation, but when I deploy to
> the server, I get a 401:Unauthorized WebException.
> I am certain the exception comes on the service.Retrieve call because
> if I comment out the "throw exception" line in the second catch block
> it continues on (meaning the service.Retrieve line is throwing the
> exception). The problem seems to be that the credentials are not being
> passed to the web service call, because in the IIS log the username is
> blank for the web service calls, but is present for the ASP.NET app calls.
>
> One other thing to note: crm.company.com is a DNS alias for the IP
> address of the virtual web. Could that be causing issues?
> Everything is still on the same physical box.
>
> I have tried the following scenarios with the same result:
>
> * Add as an application under default web site and access via
>   http://servername/CRMUtilities
> * Add as an Application under the CRM Virtual Web Site (hoping that
>   the windows auth would carry through).
> * Hard-code the impersonating user that the extension site uses
> * Hard code the credentials that the web service uses
>
> The server is set up to allow delegation in AD.
>
> Is there any way to debug why the credentials aren't being passed from
> the ASP.NET app to the web service call? Am I missing something else?
>
> Does anyone have a recommended site/book/whatever for debugging and
> troubleshooting Kerberos delegation?
>
> Thanks,
>
> Don
>
> ===================================
> This list is hosted by DevelopMentor® http://www.develop.com
>
> View archives and manage your subscription(s) at
> http://discuss.develop.com
>

--
Ernst Kuschke
MVP - C#
http://dotnet.org.za/ernst
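
The two checks raised in the thread (which identity calls the web service, and whether the target is a local resource), written out as an added example that is not part of the original messages. `DelegationDiagnostics` and its method names are hypothetical; only documented .NET Framework APIs are called.

```csharp
using System;
using System.Net;
using System.Security.Principal;

// Hypothetical helper (not from the thread): log its output immediately
// before assigning service.Credentials = CredentialCache.DefaultCredentials.
public static class DelegationDiagnostics
{
    // Reports the identity the current thread would present downstream.
    // level=None         -> the thread is not impersonating; the worker
    //                       process account is what DefaultCredentials carries.
    // level=Impersonation -> usable for resources on this machine only.
    // level=Delegation    -> the token may be forwarded to another machine.
    public static string DescribeCurrentIdentity()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return string.Format(
                "name={0}; authType={1}; level={2}; anonymous={3}",
                id.Name, id.AuthenticationType,
                id.ImpersonationLevel, id.IsAnonymous);
        }
    }

    // True when the URL's host name resolves to an address of this machine,
    // i.e. the call targets a local resource and no delegation hop occurs,
    // even when the name is an alias such as crm.company.com.
    // Dns.GetHostEntry throws SocketException if the name cannot be resolved.
    public static bool TargetIsLocal(Uri target)
    {
        IPAddress[] local = Dns.GetHostEntry(Dns.GetHostName()).AddressList;
        foreach (IPAddress addr in Dns.GetHostEntry(target.Host).AddressList)
        {
            if (IPAddress.IsLoopback(addr) || Array.IndexOf(local, addr) >= 0)
            {
                return true;
            }
        }
        return false;
    }
}
```

Comparing the logged `name` with the blank username in the IIS log for the web service requests shows whether the expected account ever reached the outbound call.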
