Michael Stephenson

keeping your feet on premise while your heads in the cloud

Using Kerberos with a BizTalk WSE 2 Web Service

Problem

I have exposed an orchestration as a web service using the WSE 2 web service publishing wizard.
I want to use Kerberos to sign and encrypt the message; however, I have turned off the server
policy as I don't want to force it as a requirement until I can get it to work.

When I call the web service as intended, with a Kerberos token signing and encrypting the message, I
get the following error:

System.Web.Services.Protocols.SoapHeaderException: System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.Security.SecurityException: The handle for the current process could not be retrieved. The OpenProcessToken call returned the following error code: 0.
   at Microsoft.Web.Services2.Security.Tokens.Kerberos.LsaServerContext.AddTcbPrivilege()
   at Microsoft.Web.Services2.Security.Tokens.Kerberos.LsaServerContext.LogonUser(Byte[] inToken)
   at Microsoft.Web.Services2.Security.Tokens.Kerberos.LsaServerContext..ctor(Byte[] inToken)
   at Microsoft.Web.Services2.Security.Tokens.KerberosToken.InitializeLifeTime()
   at Microsoft.Web.Services2.Security.Tokens.KerberosToken.get_IsCurrent()
   at Microsoft.Web.Services2.Security.Security.LoadToken(XmlElement element, SecurityConfiguration configuration, Int32& tokenCount)
   at Microsoft.Web.Services2.Security.Security.LoadXml(XmlElement element)
   at Microsoft.Web.Services2.Security.SecurityInputFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services2.Messaging.SoapReceiver.FilterMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services2.Messaging.SoapReceiver.ProcessMessage(SoapEnvelope message)
The Zone of the assembly that failed was:
MyComputer
   --- End of inner exception stack trace ---
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.InvokeAsyncCallback(IAsyncResult result)

I have tried the following scenarios to try to identify what the problem is.

1. If I call the BizTalk web service without attaching a Kerberos token and without encrypting or signing the
message, it all works fine.  To me this proves that the WSE endpoint works and can be reached.

2. I have added a custom hello world type web service to the generated web service project.  I call this web service attaching a Kerberos token, then signing and encrypting the message with it.
This web service call works fine, so to me this seems to indicate I have correctly set up the Kerberos bit, in that it can work.


Other notes

1. Both calls are using the same SPN host/machinename

2. I saw something on Google which indicated the user needed permission to act as part of the operating system, but this was only for Windows XP.  I'm actually developing on Windows 2003, but I have also tried granting this permission, although I don't think it should matter as I have already proved that Kerberos can work with the hello world web service.

3. The only real difference between the services is that the custom one is a standard ASMX web service and the generated one is a WSE receive endpoint (.ashx) defined in the config to handle posts to a given URL.  This is the way it is supposed to be for the adapter.


UPDATE

This issue has been resolved.  It's a bit of a strange one, but when I changed the anonymous user to the same user which was running the application pool, it worked exactly as it is supposed to.  I will be looking into this a little more, but until then here is how it was set up.

The application pool in IIS, the Isolated Host in BizTalk and the anonymous user in IIS were all configured to use the same domain user.
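The working configuration is three separately configured identities that happen to agree, so it is worth having a check that reads all three rather than trusting memory. The PowerShell script below is an added example, not code from the original post: it reports the IIS application pool identity, the IIS anonymous user and the BizTalk Isolated Host instance logon, says whether they match, and also reports whether that account holds the "Act as part of the operating system" right (SeTcbPrivilege), which is what the failing LsaServerContext.AddTcbPrivilege call in the stack trace appears to be trying to enable (the post notes that granting it on its own was not the fix). It assumes IIS 6 metabase access through ADSI (on IIS 7 or later this needs the IIS 6 Management Compatibility feature), the BizTalk WMI provider on the same box, and an elevated prompt for secedit; the pool, virtual directory and host names in the parameters are placeholders.

```powershell
# Added example (not from the original post): compare the three identities behind a
# WSE 2 receive endpoint hosted by the BizTalk Isolated Host, and report SeTcbPrivilege.
# Assumptions: IIS 6 metabase via ADSI, BizTalk WMI provider installed locally,
# run from an elevated prompt. Parameter defaults are placeholders.
param(
    [string]$AppPoolName  = 'BizTalkWsePool',                          # placeholder
    [string]$VDirPath     = 'IIS://localhost/W3SVC/1/Root/BizTalkWse', # placeholder
    [string]$IsolatedHost = 'BizTalkServerIsolatedHost'                # placeholder
)

function Get-AppPoolIdentity([string]$Name) {
    $pool = [ADSI]"IIS://localhost/W3SVC/AppPools/$Name"
    # AppPoolIdentityType: 0 LocalSystem, 1 LocalService, 2 NetworkService, 3 specific user
    switch ([int]$pool.AppPoolIdentityType.Value) {
        0       { 'NT AUTHORITY\SYSTEM' }
        1       { 'NT AUTHORITY\LOCAL SERVICE' }
        2       { 'NT AUTHORITY\NETWORK SERVICE' }
        3       { [string]$pool.WAMUserName.Value }
        default { '<unknown>' }
    }
}

function Get-AnonymousUser([string]$Path) {
    $vdir = [ADSI]$Path
    # AuthFlags bit 1 = anonymous access enabled; the account used is AnonymousUserName
    if (([int]$vdir.AuthFlags.Value -band 1) -eq 0) { return '<anonymous access disabled>' }
    [string]$vdir.AnonymousUserName.Value
}

function Get-IsolatedHostLogon([string]$HostName) {
    # MSBTS_HostInstance.HostType 2 = Isolated host (the IIS-hosted receive side)
    $inst = Get-WmiObject -Namespace 'root\MicrosoftBizTalkServer' -Class MSBTS_HostInstance `
                -Filter "HostName = '$HostName' AND HostType = 2" |
            Where-Object { $_.RunningServer -ieq $env:COMPUTERNAME } |
            Select-Object -First 1
    if ($null -eq $inst) { return '<no isolated host instance on this server>' }
    [string]$inst.Logon
}

function Test-TcbPrivilege([string]$Account) {
    # secedit exports the current user-rights assignment; SeTcbPrivilege lists SIDs prefixed with '*'
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $false }
    $cfg = Join-Path $env:TEMP 'user_rights_export.inf'
    & secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg -Encoding Unicode |
            Where-Object { $_ -match '^SeTcbPrivilege\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    [bool]($line -match [regex]::Escape($sid))
}

$poolId   = Get-AppPoolIdentity $AppPoolName
$anonId   = Get-AnonymousUser $VDirPath
$btsLogon = Get-IsolatedHostLogon $IsolatedHost

"Application pool identity : $poolId"
"IIS anonymous user        : $anonId"
"BizTalk isolated host     : $btsLogon"

if (($poolId -ieq $anonId) -and ($poolId -ieq $btsLogon)) {
    "OK: all three run as $poolId"
} else {
    "MISMATCH: the endpoint is reported to work only when all three are the same domain account"
}
"SeTcbPrivilege held by $poolId : $(Test-TcbPrivilege $poolId)"
```

Run it on the BizTalk/IIS server from an elevated prompt after replacing the placeholder names; a MISMATCH line points at whichever of the three identities was changed independently of the others.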


I've started a series of posts around this subject, so check out the following for more info:

http://geekswithblogs.net/michaelstephenson/archive/2007/02/02/105238.aspx

Print | posted on Friday, November 3, 2006 9:40 AM | Filed Under [ BizTalk ]

Feedback


# re: Using Kerberos with a BizTalk WSE 2 Web Service

Let's try to impersonate first ... it means send the request with admin privilege, then get back here.

4/29/2007 5:02 PM | Moiz