I would, except "localhost" would go to the default web site for the server, 
but the web service is on a virtual web site (differentiated by IP address).  I 
have tried accessing it by IP address with no success.

Thanks,

Don

-----Original Message-----
From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf 
Of Dominick Baier
Sent: Wednesday, March 01, 2006 9:25 AM
To: [email protected]
Subject: Re: [ADVANCED-DOTNET] ASP.NET Delegation

try using localhost for the web service - just to see what happens...


cheers, 
dominick

-----------------------------
Dominick Baier, DevelopMentor
http://www.leastprivilege.com 


-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:[EMAIL PROTECTED] On Behalf Of Don Stanley
Sent: Wednesday, 1 March 2006 16:10
To: [email protected]
Subject: Re: [ADVANCED-DOTNET] ASP.NET Delegation

Thanks for the responses.  I'll answer all in one swoop:

Impersonation is turned on in the config file:

    <identity impersonate="true"></identity>

I have also tried hard-coding a username and password to no avail.

The URL of the web service is 

http://crm.company.com/mscrmservices/2006/crmservice.asmx

Which is correct - as I said, it works on my development workstation.

Server is listed for delegation in AD (both services are on the same
physical server, though)

Both the ASP.NET app and the web service are set with no anonymous access -
windows only.  I have verified that the ASP.NET app is using the caller's
identity. 

When I run it from my development workstation, the IIS log shows me as the
caller; so for some reason, the server is not passing the credentials to the
web service, which is on the same box!

Very strange.  

I'm wondering if my DNS setup is the problem.  I wonder if the server sees a
request for a web service at crm.company.com, but doesn't know that it IS
crm.company.com since it's a DNS entry and not a computer name (i.e. a WINS
entry) and therefore won't use Kerberos.

I'm starting to grasp at straws here...

Any other ideas?

Don

-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:[EMAIL PROTECTED] On Behalf Of Dominick Baier
Sent: Wednesday, March 01, 2006 2:31 AM
To: [email protected]
Subject: Re: [ADVANCED-DOTNET] ASP.NET Delegation

Hi, 

if he is accessing a LOCAL resource - this is NOT delegation...

very early in the morning - knowing for sure :))


cheers,
dominick

-----------------------------
Dominick Baier, DevelopMentor
http://www.leastprivilege.com 


-----Original Message-----
From: Discussion of advanced .NET topics.
[mailto:[EMAIL PROTECTED] On Behalf Of Ernst Kuschke
Sent: Wednesday, 1 March 2006 01:18
To: [email protected]
Subject: Re: [ADVANCED-DOTNET] ASP.NET Delegation

Very late at night off the top of my head:

 - Your ASP.NET app needs to be running with impersonation = true
 - Your servers should be enlisted for Kerberos delegation (specifically the
one running your ASP.NET app)
 - Set up IIS to allow Impersonation, with no Anonymous access

-Ernst

On 3/1/06, Dominick Baier <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> to which URL is your web proxy set?
>
>
>
> cheers,
> dominick
>
> -----------------------------
> Dominick Baier, DevelopMentor
> http://www.leastprivilege.com
>
>
> -----Original Message-----
> From: Discussion of advanced .NET topics.
> [mailto:[EMAIL PROTECTED] On Behalf Of Don Stanley
> Sent: Wednesday, 1 March 2006 00:12
> To: [email protected]
> Subject: Re: [ADVANCED-DOTNET] ASP.NET Delegation
>
> One other thing -
>
> Does it matter that the server is being referenced by an "external" 
> DNS name?  I've set up the ASP.NET app to use the address 
> http://crm.company.com, which just redirects to an internal IP address.
> The server is actually a member of the domain company.local (this was 
> done to make the transition from internal to external easier).
>
> Does that make any difference?
>
> Don
>
> -----Original Message-----
> From: Discussion of advanced .NET topics.
> [mailto:[EMAIL PROTECTED] On Behalf Of Dominick 
> Baier
> Sent: Tuesday, February 28, 2006 12:59 PM
> To: [email protected]
> Subject: Re: [ADVANCED-DOTNET] ASP.NET Delegation
>
> Hi,
>
> first of all you should be sure which identity is used to call the web 
> service -
>
> output a WindowsIdentity.GetCurrent().Name before setting the
> credentials - is this account authorized for the web service?
>
> If the web service is on the same machine you are not delegating -
> anyhow - this is the best place for Kerberos delegation troubleshooting:
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx
>
>
>
>
> cheers,
> dominick
>
> -----------------------------
> Dominick Baier, DevelopMentor
> http://www.leastprivilege.com
>
>
> -----Original Message-----
> From: Discussion of advanced .NET topics.
> [mailto:[EMAIL PROTECTED] On Behalf Of Don Stanley
> Sent: Tuesday, 28 February 2006 19:20
> To: [email protected]
> Subject: [ADVANCED-DOTNET] ASP.NET Delegation
>
> I am having trouble passing credentials from an ASP.NET application to 
> a web service call on the same machine.  The web service is for 
> Microsoft CRM 3.0, and the code to access it is as follows:
>
> Web Project name: CRMUtilities
> Web Reference: CRM
>
> // Standard CRM Service Setup
> CRM.CrmService service = new CRM.CrmService();
> // This should pull the Windows credentials from the ASP.NET app
> service.Credentials = System.Net.CredentialCache.DefaultCredentials;
>
> // set up columns (ID in particular)
> ...
>
> try
> {
> newLead = (CRM.lead)service.Retrieve(
> CRM.EntityName.lead.ToString(),
> new Guid(_ObjectID),columns);
> }
> catch(SoapException soapException)
> {
> throw new Exception(soapException.Detail.InnerXml);
> }
> catch(Exception exception)
> {
> throw exception;
> }
>
>
> This works fine from my development workstation, but when I deploy to 
> the server, I get a 401:Unauthorized WebException.  I am certain the 
> exception comes on the service.Retrieve call because if I comment out 
> the "throw exception" line in the second catch block it continues on 
> (meaning the service.Retrieve line is throwing the exception).  The 
> problem seems to be that the credentials are not being passed to the 
> web service call, because in the IIS log the username is blank for the 
> web service calls, but is present for the ASP.NET app calls.
>
> One other thing to note:  crm.company.com is a DNS alias for the IP 
> address of the virtual web.  Could that be causing issues?
> Everything is still on the same physical box.
>
> I have tried the following scenarios with the same result:
>
> * Add as an application under default web site and access via 
> http://servername/CRMUtilities
> * Add as an Application under the CRM Virtual Web Site (hoping that 
> the windows auth would carry through).
> * Hard-code the impersonating user that the extension site uses
> * Hard code the credentials that the web service uses
>
> The server is set up to allow delegation in AD.
>
> Is there any way to debug why the credentials aren't being passed from 
> the ASP.NET app to the web service call?  Am I missing something else?
>
> Does anyone have a recommended site/book/whatever for debugging and 
> troubleshooting Kerberos delegation?
>
> Thanks,
>
> Don
>
> ===================================
> This list is hosted by DevelopMentor®  http://www.develop.com
>
> View archives and manage your subscription(s) at 
> http://discuss.develop.com
>



--
Ernst Kuschke
MVP - C#
http://dotnet.org.za/ernst
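
The symptom reported in the thread (a blank username in the IIS log for the web service calls, a name for the ASP.NET app calls) can be checked across a whole log file. The following is an added example, not code from the thread: the log lines, client addresses and the Lead.aspx page name are constructed, and the column order is whatever the log's own #Fields line declares.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not from the thread's server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-03-01 15:02:10 10.0.0.5 - GET /CRMUtilities/Lead.aspx 401
2006-03-01 15:02:10 10.0.0.5 COMPANY\\don GET /CRMUtilities/Lead.aspx 200
2006-03-01 15:02:11 10.0.0.9 - POST /mscrmservices/2006/crmservice.asmx 401
2006-03-01 15:02:11 10.0.0.9 - POST /mscrmservices/2006/crmservice.asmx 401
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def auth_summary(text):
    """Per URI: requests without a username, with a username, and 2xx responses."""
    stats = defaultdict(lambda: {"anonymous": 0, "authenticated": 0, "ok": 0})
    for row in parse_w3c(text):
        entry = stats[row["cs-uri-stem"].lower()]
        entry["anonymous" if row["cs-username"] == "-" else "authenticated"] += 1
        if row["sc-status"].startswith("2"):
            entry["ok"] += 1
    return dict(stats)

def never_authenticated(text):
    """URIs for which no logged request ever carried a username.

    One anonymous 401 is the normal first leg of Integrated Windows
    authentication; the symptom in the thread is a URI that has only those.
    """
    return sorted(uri for uri, s in auth_summary(text).items()
                  if s["anonymous"] and not s["authenticated"])

if __name__ == "__main__":
    for uri in never_authenticated(SAMPLE_LOG):
        print("no authenticated request logged for", uri)
```
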