RE: making a Web Request from my server

on 19.12.2007 04:14:28 by stcheng

Hi MC,

As for this issue, since you mentioned that the WebRequest call works in the VS Test
Server but fails in the deployment environment (in IIS), I think it is
likely caused by a security account problem.

When running in the VS Test Server, the application is running under your logon
user account (maybe a domain account) that can be forwarded to the remote
machine.

However, in the IIS server, the running process account is the IIS service account,
which may be a local account. As you said, you've used "Windows
authentication" and impersonate the client user. This can only make the
worker thread (for processing each request) run under the client
impersonated user, but if you make a remote access (such as a WebRequest call or
accessing a remote file share), the security identity impersonated from the client
authenticated user cannot be forwarded to a further remote machine. This
is called the "double hop" limitation.

For your scenario, I think the reasonable way to resolve the problem is
either:

** use a domain account as the process account for your ASP.NET application
in IIS
** programmatically impersonate (needs username and password credentials) when
you want to send the remote WebRequest call

#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998351.aspx

If you want more info about double hop issue, you can have a look at the
following links:

http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx

http://blogs.msdn.com/nunos/archive/2004/03/12/88468.aspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



This posting is provided "AS IS" with no warranties, and confers no rights.





--------------------
>Date: Tue, 18 Dec 2007 09:17:30 +0000
>From: mc
>Newsgroups: microsoft.public.dotnet.framework.aspnet
>Subject: making a Web Request from my server
>
>I would like to offer a section on my page which will show the "Status" of other servers on the
>network. My plan was to identify a specific image on each server I want to test, do a WebRequest for
>that image, and return true if I could get that image. This works when using the VS webserver but
>not on my "Live" server. All machines will require authentication.
>
>The code currently throws a 401 error?
>
>Can someone tell me what is going wrong? The server is currently configured to use Impersonation
>with Windows Auth. (I've checked User.Identity.Name from the function and it thinks it's running as
>a valid user account.)
>
>Alternatively, does someone have a better solution for testing to see if a web server is running on a
>machine?
>
>--- My Code ---
>// Requires: using System.Net;
>private bool CheckUri(string p){
>    WebRequest theRequest = WebRequest.Create(p);
>    // Send the Windows credentials of the current security context
>    theRequest.Credentials = System.Net.CredentialCache.DefaultCredentials;
>    try{
>        // Dispose the response so the underlying connection is released
>        using (HttpWebResponse theResponse = (HttpWebResponse)theRequest.GetResponse()){
>            return true;
>        }
>    }
>    catch{
>        // Any failure, including the 401, is reported as "not available"
>        return false;
>    }
>}
>
>
>TIA
>
>
>MC
>

RE: making a Web Request from my server

on 21.12.2007 13:14:12 by stcheng

Hi MC,

Any progress on this issue? If there is anything else we can help with, please
feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



Re: making a Web Request from my server

on 09.01.2008 13:03:47 by MC

Sorry this one dropped off my radar slightly.

I'm aware of the double hop issue and thought I had it covered; we currently authenticate via the
same server against remote databases as the impersonated user fine.

If we assume (and I know it's a big assumption) that I've got the Kerberos setting of the
originating web server correct, would I need to reconfigure the servers that I'm connecting to?

This is now a purely academic question as it's unlikely that I will have the time (and funding) to
complete as planned.

The interim solution was to open a raw TCP/IP socket to port 80; if it fails, assume the system is
down. This is mostly successful but doesn't deal with an app pool that has been suspended, as that
still accepts connections.



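An added example, not part of the original thread: a status probe that asks for an HTTP answer instead of only opening a socket, and that never relies on forwarding the impersonated end user's identity. It treats a 401 as proof that the web server is answering, and a 5xx (IIS normally answers 503 for a stopped application pool) or a timeout as a failure. The names `ServerProbe`, `ProbeResult`, `Classify` and `Probe` are hypothetical; `credentials` is assumed to be either `null` or a dedicated low-privilege monitoring account.

```csharp
using System;
using System.Net;

public enum ProbeResult { Up, UpButAuthRequired, AppUnavailable, NoHttpResponse }

public static class ServerProbe   // hypothetical names, not from the thread
{
    // Maps the HTTP status the target returned to a monitoring verdict.
    public static ProbeResult Classify(HttpStatusCode status)
    {
        int code = (int)status;
        if (code == 401 || code == 403) return ProbeResult.UpButAuthRequired;
        if (code >= 500) return ProbeResult.AppUnavailable; // e.g. 503, app pool stopped
        return ProbeResult.Up; // 2xx, 3xx, 404: the web server is answering
    }

    // credentials: null for an anonymous probe, or an explicit NetworkCredential
    // for a monitoring account (assumption). No delegation of the caller is needed.
    public static ProbeResult Probe(string url, ICredentials credentials)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "HEAD";            // status only, no body transfer
        request.Timeout = 5000;             // catches "accepts TCP but never answers"
        request.AllowAutoRedirect = false;  // judge the target itself, not a redirect
        request.Credentials = credentials;
        try
        {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
                return Classify(response.StatusCode);
        }
        catch (WebException ex)
        {
            // 4xx/5xx arrive as exceptions that still carry the server's response.
            HttpWebResponse error = ex.Response as HttpWebResponse;
            if (error == null) return ProbeResult.NoHttpResponse; // refused, DNS, timeout
            using (error) return Classify(error.StatusCode);
        }
    }

    public static void Main()
    {
        // Constructed statuses, so the classification runs without a network.
        Console.WriteLine(Classify(HttpStatusCode.Unauthorized));
        Console.WriteLine(Classify(HttpStatusCode.ServiceUnavailable));
        Console.WriteLine(Classify(HttpStatusCode.OK));
    }
}
```
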
Re: making a Web Request from my server

on 10.01.2008 03:42:53 by stcheng

Thanks for your reply MC,

Yes, Kerberos would be one possible approach for double hop cases. However,
it is quite complex and tightly coupled for you to involve Kerberos
delegation in your distributed environment. You need to perform configuration
from client to webserver to the backend server (the domain account, server
machine principal accounts...).

If you do want to try, you can have a look at the following references about
using and troubleshooting Kerberos delegation cases:

#How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/kb/810572

#Troubleshooting Kerberos Delegation
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



Re: making a Web Request from my server

on 14.01.2008 11:24:12 by stcheng

Hi MC,

Do you have any further questions on this? If so, please feel free to post
here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

