Geeks With Blogs

News View Michael Stephenson's profile on BizTalk Blog Doc View Michael Stephenson's profile on LinkedIn

Michael Stephenson keeping your feet on premise while your heads in the cloud
 

Scenario

I was trying to implement the requirement to use Kerberos to sign and encrypt  the messages to and from a web service which was generated using the WSE 2 Web Service Publishing Wizard to expose a BizTalk Orchestration as a web service.

 

Problem

I had this all setup as I expected to work.  The SPN and everything seemed correct but when I called it I kept getting the following error message:

 

System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.Security.SecurityException: The Kerberos credential handle could not be acquired. The AcquireCredentialsHandle call returned the following error code: A specified logon session does not exist. It may already have been terminated.

.

   at Microsoft.Web.Services2.Security.Tokens.Kerberos.KerberosCredential..ctor(CredentialUse usage)

   at Microsoft.Web.Services2.Security.Tokens.Kerberos.KerberosServerContext.AcceptContext(Byte[] inToken, AscReq flags)

   at Microsoft.Web.Services2.Security.Tokens.Kerberos.KerberosServerContext..ctor(Byte[] inToken, AscReq flags)

   at Microsoft.Web.Services2.Security.Tokens.KerberosToken2.InitializeLifeTime()

   at Microsoft.Web.Services2.Security.Tokens.KerberosToken2.get_IsCurrent()

   at Microsoft.Web.Services2.Security.Security.LoadToken(XmlElement element, SecurityConfiguration configuration, Int32& tokenCount)

   at Microsoft.Web.Services2.Security.Security.LoadXml(XmlElement element)

   at Microsoft.Web.Services2.Security.SecurityInputFilter.ProcessMessage(SoapEnvelope envelope)

   at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope envelope)

   at Microsoft.Web.Services2.Messaging.SoapReceiver.FilterMessage(SoapEnvelope envelope)

   at Microsoft.Web.Services2.Messaging.SoapReceiver.ProcessMessage(SoapEnvelope message)

The Zone of the assembly that failed was:

MyComputer

   --- End of inner exception stack trace ---

 

 

I spend a lot of time working with Microsoft to resolve this problem and we had validated all settings and went through various troubleshooting procedures to no avail.

 

Solution

Microsoft had a version of this scenario working in a lab and when trying to compare what they did against what I was doing we eventually found the cause of the problem.

 

Im not fully sure why this was the cause of the problem as I didn’t expect it to even come into play but basically if the IIS Anonymous User for the virtual directory is set as a local user then you get the error above.  If you change this to a domain user then it seems to work fine.  In my case I had set it to the domain user who was running the application pool and was also the credential for the BizTalk Isolated Host.

 

The following picture shows the settings that did not work.

 

 

 

 

The following picture shows the settings that work fine.

 

 

 

 

 

If I change it back it doesn’t work again.

 

An interesting point on this is in the sample we were running here we also had a C# hello world web service which sat in the same project as the BizTalk one.  We were calling the C# one first to test that before calling the BizTalk one.  Calls to the C# web service were not affected by the change of the anonymous user.

 

Summary

 

In summary I believe the following

 

1. In order to use Kerberos, WSE and a normal C# web service the anonymous user account doesn’t matter.  This just worked as it had all along once we got the SPN's correct.

2. For BizTalk to work with WSE AND Kerberos the anonymous user needs to be set as a domain user, in this case it is the same user that is also running the application pool and also the Biztalk isolated host so not sure if a standarrd domain user would be sufficient or if it has to be the same as the app pool and host but I think it is probably a good idea to make them so for consistency.

 

 

Acknowledgements

 

I would like to thank the following people at Microsoft who helped me resolve this issue:

 

  • Michael Koppenol
  • Jean Severino
Posted on Tuesday, February 6, 2007 10:15 PM BizTalk , .net 2 , Kerberos Adventures | Back to top


Comments on this post: Kerberos Adventures - Problem: Exposing an Orchestration from BizTalk with the WSE 2 Adapter and using Kerberos

# re: Kerberos Adventures - Problem: Exposing an Orchestration from BizTalk with the WSE 2 Adapter and using Kerberos
Requesting Gravatar...
if the string was not a valid date then i wanted to return the min date value.
Felicitaciones de Navidad 2016
Frases de Navidad 2016GTYF YIGTYRF
Left by DIPIKA on Dec 16, 2016 10:08 PM

# re: Kerberos Adventures - Problem: Exposing an Orchestration from BizTalk with the WSE 2 Adapter and using Kerberos
Requesting Gravatar...
WHAT AN AMZING POST ADMIN
mobdro for Windows
xender download app
Left by mobdro tv app for pc on May 12, 2017 7:12 PM

Your comment:
 (will show your gravatar)


Copyright © Michael Stephenson | Powered by: GeeksWithBlogs.net