Michael Stephenson

Microsoft BPM/SOA Adventures

Kerberos Adventures - Problem: 401 Unauthorised - User equals null


Scenario

We were trying to implement a delegation scenario similar to the one in the POC (Web Services using Delegation).  While implementing this we found that the client's credentials did not seem to be passed through to the back end: IIS constantly returned the 401 Unauthorized code.


Symptoms

In this case we saw the following symptoms:

  1. In the IIS log of the back-end service, no user name was recorded for the request.
  2. Calling the back-end service locally, on the machine where it is hosted, worked, but calling it from another machine did not.


Troubleshooting Tips

I found that the easiest way to get this right was to first focus on getting the IIS and AD setup correct before starting to use your own code.  I placed a simple ASP page in the back-end server's virtual directory and browsed to it from the other machine.  If that worked, it showed that my credentials could be delegated from one machine to the other.


Solution

The problem was caused because I did not have this set up correctly in AD and IIS.  Basically, I had the application pool running as the local Network Service account.  To get this working I took the following steps:

  1. Have a domain account which you plan to run the IIS application pool as.  This will need to be in groups such as IIS_WPG.
  2. Register the SPN for the HTTP service on the back-end server against the domain account which will be running the back-end application pool.

     (Eg:  SetSpn -a HTTP/<MachineName> <Service User> )

  3. In AD, set up delegation so that the service user running your middle-tier application pool is able to delegate to the SPN you have just registered.


The following diagram shows where these changes relate to the architecture:


Points To Note

The following are a couple of points to note in case they are not explained clearly enough above:

  • The Network Service account worked okay when calling on the same box, but when delegating across machines the back-end service needs to run in an application pool which runs as a domain account.
  • When registering the SPN, it is the HTTP service that is registered, and it should be registered against the domain account, not the machine object in AD.
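
As an added check (this script is not from the original post), the following PowerShell verifies the three settings from the Solution and the two points above, and goes slightly further by also flagging duplicate SPNs and constrained delegation.  It assumes the ActiveDirectory module is installed and that the host and account names are placeholders you replace with your own.

```powershell
# Added verification script; not part of the original post. Assumes the
# ActiveDirectory PowerShell module and read access to the two service accounts.
# All host and account names below are placeholders.
param(
    [string]$BackEndHost       = 'BACKENDSERVER',   # machine hosting the back-end service
    [string]$BackEndAccount    = 'svc_backend',     # domain account running the back-end app pool
    [string]$MiddleTierAccount = 'svc_middletier'   # domain account running the middle-tier app pool
)
Import-Module ActiveDirectory

$spn = "HTTP/$BackEndHost"

# 1. The HTTP SPN must resolve to exactly one AD object. A missing or duplicated
#    SPN makes the client fall back from Kerberos to NTLM, which cannot be
#    delegated, and the back end then logs a 401 with no user name (symptom 1).
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
switch ($owners.Count) {
    0       { Write-Warning "$spn is not registered on any AD object" }
    1       { Write-Host    "$spn is registered on $($owners[0].DistinguishedName)" }
    default { Write-Warning "$spn is registered on $($owners.Count) objects (duplicate SPN)" }
}

# 2. The SPN should sit on the service account, not on the machine object (point 2).
$svc = Get-ADUser -Identity $BackEndAccount -Properties servicePrincipalName
if ($svc.servicePrincipalName -notcontains $spn) {
    Write-Warning "$spn is missing from $BackEndAccount; expected: setspn -a $spn $BackEndAccount"
}
$machine = Get-ADComputer -Identity $BackEndHost -Properties servicePrincipalName
if ($machine.servicePrincipalName -contains $spn) {
    Write-Warning "$spn is also on the computer object $BackEndHost, which the post advises against"
}

# 3. The middle-tier account must be allowed to delegate to that SPN, either
#    unconstrained (the setting used in the post) or constrained to this SPN.
$mid = Get-ADUser -Identity $MiddleTierAccount -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($mid.TrustedForDelegation) {
    Write-Host "$MiddleTierAccount is trusted for (unconstrained) delegation"
} elseif ($mid.'msDS-AllowedToDelegateTo' -contains $spn) {
    Write-Host "$MiddleTierAccount is constrained to delegate to $spn"
} else {
    Write-Warning "$MiddleTierAccount has no delegation rights to $spn (step 3 of the solution)"
}
```

Run it from a domain-joined machine as an account that can read the service accounts; every Write-Warning corresponds to one of the steps above that still needs doing.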

Print | posted on Tuesday, February 06, 2007 10:07 PM | Filed Under [ .net 2 Kerberos Adventures ]
