Posted by Joe Kaplan on February 4, 2008, 9:26 am
I've never been too clear on when exactly delegation will be required if the
services are on the same machine. It would be interesting to know what host
name is being used to reference the web service in the web service proxy
class and what IP address that resolves to.
I also wonder if it might have something to do with the services running
under different user accounts. I don't know about that either.
It would appear that something in this behavior has changed since RTM, but I
don't know what. I presume a bug has been fixed and perhaps your code was
exploiting the bug previously in order to work. I don't really know though.
My guess is that IIS is trying to do S4U because it thinks it needs Kerberos
credentials for the request for whatever reason, but I don't know if that's
true either.
Mysteries abound. :(
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net --
> Got more information.
>
> The AD is 2000 AD in native mode. All server accounts and user accounts
> (in AD) have "Trust computer for delegation" / "Account is trusted for
> delegation" set to OFF.
>
>
> The next question is, why does the front end server try to use the protocol
> transition/S4U from NTLM to Kerberos?
>
> DCs don't support it and accounts are not marked for unconstrained
> delegation. The webservice is on the same server so why does it even try
> S4USelf? I haven't noticed this kind of behavior with 2003 RTM.
>
> I even checked the C# code. It doesn't do anything too "clever". Just
> the usual:
>
> ws.Credentials = System.Net.CredentialCache.DefaultCredentials;
>
> Tapio