Michael Stephenson

keeping your feet on premise while your heads in the cloud

Kerberos Adventures

Flowing a Windows Identity through Azure Service Bus Queues
I've recently written a whitepaper about how you could flow the details of a Windows Identity through Windows Azure Service Bus Queues and then use that on-premise to act as that user when accessing downstream resources. The paper shows a walkthrough of setting up a complex scenario involving protocol translation, and Kerberos multi-hop delegation to get the message from a queue with the identity associated and then to flow the identity through 2 WCF hops and then to impersonate the user when accessing ......

Posted On Friday, January 24, 2014 12:05 PM | Comments (0) | Filed Under [ Kerberos Adventures ]

Kerberos Multi-hop Delegation Troubleshooting Tale
One of our .NET application teams has had a problem for quite a while that related to impersonation and Kerberos multi-hop delegation which had proven quite difficult to resolve. We eventually resolved this and I thought it would be worth popping a little bit of information about it out there in case anyone else has similar problems. We had two web services with 2 methods which participate in a Kerberos multi-hop delegation scenario using WSE 2. One of the methods works fine all of the time and the ......

Posted On Friday, November 4, 2011 10:46 AM | Comments (0) | Filed Under [ Kerberos Adventures ]

Kerberos Adventures - Lessons Learned
The security stuff is pretty much complete so here are some random thoughts after this experience which might be useful to anyone else.
Article | Description
POC Overview | Details about the different proof of concepts we did to validate all of the different scenarios we require.
Useful Links | Some links to articles and blogs which will provide useful background information
Useful Tools | Links to tools which were useful to help troubleshooting this implementation
Problems - Error Consuming a service from ......

Posted On Friday, February 9, 2007 6:31 PM | Comments (1) | Filed Under [ Kerberos Adventures ]

Kerberos Adventures - Problem: Exposing an Orchestration from BizTalk with the WSE 2 Adapter and using Kerberos
Scenario: I was trying to implement the requirement to use Kerberos to sign and encrypt the messages to and from a web service which was generated using the WSE 2 Web Service Publishing Wizard to expose a BizTalk Orchestration as a web service. Problem: I had this all set up as I expected to work. The SPN and everything seemed correct but when I called it I kept getting the following error message: System.Web.Services.Protoco... Server unavailable, please try later ---> System.Security.SecurityExc... ......

Posted On Tuesday, February 6, 2007 10:15 PM | Comments (1) | Filed Under [ Kerberos Adventures ]

Kerberos Adventures - Problem: 401 Unauthorised - User equals null
Scenario: We were trying to implement a delegation scenario similar to the one in the POC (Web Services using Delegation). While implementing this we came across the problem where we seemed to not be passing the client's credentials. We constantly got the IIS 401 Unauthorized return code. Symptoms: In this example we got some of the following symptoms: In the IIS Log of the back end service there would be no credential specified. When calling the back end service locally on the machine where it sits ......

Posted On Tuesday, February 6, 2007 10:07 PM | Comments (2) | Filed Under [ Kerberos Adventures ]

Kerberos Adventures - Problem: Error consuming web service from Windows XP SP2 client
Scenario: We have a Windows XP client which is calling a .NET 2 Web Service which uses WSE 2.0 SP3 on a remote Windows 2003 Server. When we make the call we get the following error message: "System.ApplicationException: InitializeSecurityContext call failed with the following error message: A specified logon session does not exist. It may already have been terminated." We only get this message when calling our web service from a client running Windows XP Service Pack 2. Symptoms: You will get the following ......

Posted On Tuesday, February 6, 2007 10:04 PM | Comments (1) | Filed Under [ Kerberos Adventures ]

Kerberos Adventures - Overview
This post will provide an overview of the planned proof of concepts we have been working on to try and get this right. In this series of posts I intend to provide a step-by-step guide for setting up each of these scenarios. Or if there is a sufficient walkthrough already available I will point you to that. The proof of concepts I intend to cover are: Web Services secured with Kerberos: This proof of concept aims to show we can create web services which can be secured with a Kerberos token. Web Services ......

Posted On Monday, February 5, 2007 9:38 PM | Comments (4) | Filed Under [ Kerberos Adventures ]

Kerberos Adventures - Useful Tools
The following tools proved useful in diagnosing problems with this:
Tool | Description | Link
KerbTray | | http://support.microsoft.co...
Windows 2003 Support Tools | Contains the tool SETSPN which you need to register an SPN. Located on Windows 2003 disk or at the following URL: | http://support.microsoft.co...
WSE Trace Tool | Provides a tool to look over the WSE Trace output files | http://www.gotdotnet.com/wo... ......

Posted On Friday, February 2, 2007 12:46 PM | Comments (1) | Filed Under [ Kerberos Adventures ]

Kerberos Adventures - Useful Information Links
This post will list some of the sources of information I have found useful during my "Kerberos Adventures". Recommended Reading: To help you get up to speed quickly I would recommend checking out the following resources. There are additional resources below. Kerberos Delegation Troubleshooting Guide: Pretty much walks you through all of setting up a delegation scenario and will tell you how to do each step and what is going on in relation to a good sample. http://www.microsoft.com/te... ......

Posted On Friday, February 2, 2007 12:40 PM | Comments (2) | Filed Under [ Kerberos Adventures ]

Kerberos Adventures - Introduction
I am currently on a medium to large sized project where one of the things we are planning to do is use BizTalk and Web Services. Within the architecture we have plans to support credential flow across tiers. It has proven quite difficult to get this working and then doing things with BizTalk has added an additional twist which also proved tricky. During the course of working on resolving our issues and also setting up these proof of concepts I have found that there is useful information out there ......

Posted On Friday, February 2, 2007 12:38 PM | Comments (1) | Filed Under [ Kerberos Adventures ]
