Very late at night off the top of my head: - Your ASP.NET app needs to be running with impersonation = true - Your servers should be enlisted for Kerberos delegation (specifically the one running your ASP.NET app) - Setup IIS to allow Impersonation, with no Anonymous access
-Ernst On 3/1/06, Dominick Baier <[EMAIL PROTECTED]> wrote: > > Hi, > > to which URL is your web proxy set? > > > > cheers, > dominick > > ----------------------------- > Dominick Baier, DevelopMentor > http://www.leastprivilege.com > > > -----Original Message----- > From: Discussion of advanced .NET topics. > [mailto:[EMAIL PROTECTED] On Behalf Of Don Stanley > Sent: Mittwoch, 1. März 2006 00:12 > To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM > Subject: Re: [ADVANCED-DOTNET] ASP.NET Delegation > > One other thing - > > Does it matter that the server is being referenced by an "external" DNS > name? I've set up the ASP.NET app to use the address > http://crm.company.com, which just redirects to an internal IP address. > The server is actually a member of the domain company.local (this was done > to make the transition from internal to external easier). > > Does that make any difference? > > Don > > -----Original Message----- > From: Discussion of advanced .NET topics. > [mailto:[EMAIL PROTECTED] On Behalf Of Dominick Baier > Sent: Tuesday, February 28, 2006 12:59 PM > To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM > Subject: Re: [ADVANCED-DOTNET] ASP.NET Delegation > > Hi, > > first of all you should be sure which identity is used to call the web > service - > > output a WindowsIdentity.GetCurrent().Name before setting the credentials > - > is this account authorized for the web service? > > If the web service is on the same machine you are not delegating - anyhow > - > this is the best place for Kerberos delegation troubleshooting: > > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technolog > ies/ > security/tkerbdel.mspx > > > > > cheers, > dominick > > ----------------------------- > Dominick Baier, DevelopMentor > http://www.leastprivilege.com > > > -----Original Message----- > From: Discussion of advanced .NET topics. > [mailto:[EMAIL PROTECTED] On Behalf Of Don Stanley > Sent: Dienstag, 28. Februar 2006 19:20 > To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM > Subject: [ADVANCED-DOTNET] ASP.NET Delegation > > I am having trouble passing credentials from an ASP.NET application to a > web > service call on the same machine. The web service is for Microsoft CRM > 3.0, > and the code to access it is as follows: > > Web Project name: CRMUtilities > Web Reference: CRM > > // Standard CRM Service Setup > CRM.CrmService service = new CRM.CrmService(); // This should pull the > Windows credentials from the ASP.NET app service.Credentials = > System.Net.CredentialCache.DefaultCredentials; > > // set up columns (ID in particular) > ... > > try > { > newLead = (CRM.lead)service.Retrieve( > CRM.EntityName.lead.ToString(), > new Guid(_ObjectID),columns); > } > catch(SoapException soapException) > { > throw new Exception(soapException.Detail.InnerXml); > } > catch(Exception exception) > { > throw exception; > } > > > This works fine from my development workstation, but when I deploy to the > server, I get a 401:Unauthorized WebException. I am certain the exception > comes on the service.Retrieve call because if I comment out the "throw > exception" line in the second catch block it continues on (meaning the > service.Retrieve line is throwing the exception). The problem seems to be > that the credentials are not being passed to the web service call, because > in the IIS log the username is blank for the web service calls, but is > present for the ASP.NET app calls. > > One other thing to note: crm.company.com is a DNS alias for the IP > address > of the virtual web. Could that be causeing issues? Everything is still > on > the same physical box. > > I have tried the following scenarios with the same result: > > * Add as an application under default web site and access via > http://servername/CRMUtilities > * Add as an Applicatrion under the CRM Virtual Web Site (hoping that the > windows auth would carry through). > * Hard-code the impersonating user that the extension site uses > * Hard code the credentials that the web service uses > > The server is set up to allow delegation in AD. > > Is there any way to debug why the credentials aren't being passed from the > ASP.NET app to the web service call? Am I missing something else? > > Does anyone have a recommended site/book/whatever for debugging and > troubleshooting Kerberos delegation? > > Thanks, > > Don > > =================================== > This list is hosted by DevelopMentorR http://www.develop.com > > View archives and manage your subscription(s) at > http://discuss.develop.com > > =================================== > This list is hosted by DevelopMentor(r) http://www.develop.com > > View archives and manage your subscription(s) at > http://discuss.develop.com > > =================================== > This list is hosted by DevelopMentor. http://www.develop.com > > View archives and manage your subscription(s) at > http://discuss.develop.com > > =================================== > This list is hosted by DevelopMentor(r) http://www.develop.com > > View archives and manage your subscription(s) at > http://discuss.develop.com > -- Ernst Kuschke MVP - C# http://dotnet.org.za/ernst =================================== This list is hosted by DevelopMentor® http://www.develop.com View archives and manage your subscription(s) at http://discuss.develop.com
