.NET Tutorials, Forums, Interview Questions And Answers

PrincipalContext and Kerberos

Posted By:      Posted Date: October 11, 2010    Points: 0   Category :ASP.Net
 

I have started to use the System.DirectoryServices.AccountManagement.PrincipalContext class to communicate with an Active Directory. E.g. if I want to find information about a user I use UserPrincipal.FindByIdentity(PrincipalContext context.....). Or if I want to validate credentials I use PrincipalContext.ValidateCredentials. I use this code in different solutions, e.g. custom built ADMemberShipProvider, but have got "complaints" from the technicians that there are LDAP calls without using Kerberos. I have tried different ContextOptions values but with no success. I found forum posts like this: http://www.netframeworkdev.com/net-base-class-library/systemdirectoryservicesaccountmanagementprincipalcontextvalidatecredentials-accepts-old-password-5027.shtml saying that the code beneath ends up in a LdapConnection with System.DirectoryServices.Protocols.AuthType.Negotiate.

By using Reflector I found that it ends up in this call to the System.DirectoryServices.AccountManagement.CredentialValidator class:

private




More Related Resource Links

Security Briefs: Exploring S4U Kerberos Extensions in Windows Server 2003

  

Building Web sites that provide services external to the corporate firewall is tricky. Usually it's not desirable to grant corporate domain accounts to external clients, and from a purely practical standpoint Kerberos does not work well over the Internet due to the typical configuration of client-side firewalls.

Keith Brown

MSDN Magazine April 2003


Kerberos between MOSS 2007 and SSAS 2005

  

I realize this is probably going to be one of those vague questions that I am not going to get much help on here, but I thought I'd give this a shot before we go the MS Incident route on Monday.

We have tried to setup Kerberos between MOSS 2007 AND SSAS 2005 to no avail.  We have been through the knowledge base articles outlining the setup multiple times with all the experts on MOSS and Security here where I work.  We've used other materials we have on kerberos here.  But the end result is that the double hop is not happening.  We are trying to connect three ways: excel services, ssrs 2005 in integrated mode, and Sharepoint KPI's (using analysis services).  In every case the connection is not happening.

Other details are that the SSRS integrated mode seems to be set up right because I do get a report (albeit all it has is a connection error message).  Excel Services works fine if I use the unattended service account, but when I switch the ODC file to Windows (should cause Kerberos to kick in) it fails.  When I try to add a KPI to the KPI list it can't retrieve a list of KPIs from SSAS.

In all cases I am the user trying to perform these operations, and I have total access to the cube -- I'm the developer.  I have no problems connecting to the cube directly through excel, so the security at that end passes t

Trying to Configure Kerberos

  
Hello, I'm trying to configure Kerberos on a test environment. I have a Win2003 DC, a Win08 SQL 2008 machine, and a Win2003 client machine to test connectivity, with SSMS and ProClarity. Currently I have added the SPNs for MSSQLSVC and MSOLAP, and I'm trying to test connection using SSMS. From the client machine, I tried connecting to each server (DB Engine and OLAP), and checked the security log on the SQL machine to see the authentication method being used. The DB Engine connection seems to be working fine, having Kerberos all the time, yet for every time I connect to OLAP, I have two events entries first with NTLM, and then one with Kerberos. What does that mean? Is Kerberos not properly configured, or that's a normal behavior with SSAS?

The Detailed Authentication Information for the events with NTLM, and the event with Kerberos are as follows:

Logon Process: NTLMsp
Authentication Package: NTLM
Transited service: -
Package Name (NTLM only): NTLM V1
Key Length: 128
--------------------------------------------
Detailed Authentication Information
Logon Process: Kerberos
Authentication Package: Kerberos
Transited service: -
Package Name (NTLM only): -
Key Length: 0
--------------------------------------------

The SPNs added on the DC machine for the user used as service account for SSAS are as follows:

MSOLAPSVC.4/BISQL08
MSOLAPSVC.4/BISQL08.BIDC.com

Thanks,

Kerberos issue with SQL Reporting Services 2005 on Server 2003 R2

  
Hi Guys, apologies if this is the incorrect forum, so moderators, feel free to move it to SQL/IIS/SharePoint as appropriate... [Windows Server Security moderator pushed me this direction]

I have a test environment that I'm trying to get SQL Reporting Services 2005 SP3 working in integrated mode with SharePoint 2007 SP2. The environment is all in VMWare, running Server 2003 R2 x86 and is laid out like this:

SERVER A:
AD/DNS/DHCP

SERVER B:
SQL 2005 SP3 CU8

SERVER C:
SharePoint 2007 SP2 Dec 09 CU
- Central admin on port 9000
- SSP on port 9001
- MySite on port 81
- Main Content on port 80
SQL Reporting Services 2005 SP3 CU8
- Reporting Service website on port 82

SERVER D:
SharePoint 2007 SP2 Dec 09 CU
- Central admin on port 9000
- SSP on port 9001
- MySite on port 81
- Main Content on port 80
SQL Reporting Services 2005 SP3 CU8
- Reporting Service website on port 82

Through the use of DNS and (SharePoint) Alternate Access Names, SERVER D is used to deliver the Main Content in SharePoint and the Reporting Service website.  SERVER C is used to deliver the Central Admin, SSP and MySite.

I've set up SPN's for the SharePoint App Pools, using the following:

[main content]
setspn -S HTTP/SERVERA DOMAIN\AppPoolUserA
setspn -S HTTP/SERVERA.FQDN DOMAIN\AppPoolUserA
setspn -S HTTP/SERVERB DOMAIN\AppPoolUserA
setspn -S HTTP/SERVERB.FQDN DOMAIN\AppPoolUserA
[repor

Claims won't take Kerberos

  
So, we want to use Claims authentication and Kerberos when creating web applications in SharePoint 2010. Now this is easy to set up in central admin, but we struggle doing it using powershell: New-SPWebApplication -Name Testing123 -ApplicationPool SharePointApplicationAppPool -AuthenticationProvider (New-SPAuthenticationProvider) -AuthenticationMethod Kerberos results in CLAIMS using NTLM. It seems like -AuthenticationProvider (New-SPAuthenticationProvider) is forcing NTLM, and -AuthenticationMethod Kerberos is not taken into consideration. And the New-SPAuthenticationProvider does not have an -AuthenticationMethod parameter, so how can we get Claims with Kerberos? Any tips appreciated!

Windows 2008 R2 kerberos authentication

  
Hi, I have installed Windows 2008 R2 with blackpearl but I have this issue with Kerberos authentication: the same account when using IE8 on the local machine allows me to log in, while the same credentials using IE7 & IE8 on a remote machine will keep prompting for credentials; any advice on this?

Integrated SSRS and kerberos working great.But one user gets An unexpected error occurred while conn

  
I have this one user who can access SharePoint with no problems otherwise but is getting the error "An unexpected error occurred while connecting to the report server" when they try to access an SSRS report. I confirmed he has access. Client issue? AD account issue? Thanks.

System.DirectoryServices.AccountManagement: FileNotFound exception while creating PrincipalContext o

  
Hi, I want to create a local group for my NetApp server, and also add a domain user under this group. Using the .NET namespace System.DirectoryServices.AccountManagement, I can achieve this for Windows server. But if the same code is tried on NetApp, the following exception is thrown:

Unhandled Exception: System.IO.FileNotFoundException: The system cannot find the file specified. (Exception from HRESULT: 0x80070002)
   at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.GetInfo()
   at System.DirectoryServices.DirectoryEntry.RefreshCache()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoMachineInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue)
   at System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
   at AddGroup.Program.Main(String[] args)

Does S

MOSS, Kerberos, and IIS7

  
Hi All, Done a ton of research and am still confused as to whether or not setspn needs to be run or not, and what it needs to be run for (machine name vs service account for app pool) We have 1 WFE, MOSS 2007 SP2 on a Windows 2K8 server with a SQL 2K8 separate back-end. We do not run the application pools under the network service.  We do use IPs and custom host names for the sites themselves. Can someone point me to a good article that kind of goes step by step for 2K8?  I found a Microsoft one, but that was a little confusing as it had BOTH 2K3 and 2K8 directions all mixed up.  Even our network admin was scratching his head over that one. Thanks! Veronica

Kerberos Authentication with WCF Client Fault Exception

  
Hello, I am using Kerberos as the Authentication mode for a WCF Client to interact with an ASMX Web Service. I am using customBinding in the WCF Client. I am getting the below mentioned Fault Exception when I invoke the HelloWorld Method by creating a Proxy using SVCUTIL.

System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later
 ---> System.ApplicationException: WSE841: An error occured processing an outgoing fault response.
 ---> System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Server was unable to process request.
 ---> System.InvalidOperationException: WSE914: This instance of derived key token does not support encryption, decryption, or key wrapping. It can only be used to sign or verify signature. Please make sure that the length of the derived key matches the length of the key required by the symmetric encryption algorithm configured for the derived key token manager.
   at Microsoft.Web.Services3.Security.Tokens.DerivedKeyToken.Psha1SymmetricKeyAlgorithm.get_EncryptionFormatter()
   at Microsoft.Web.Services3.Security.EncryptedData.ResolveDecryptionKey(String algorithmUri, KeyInfo keyInfo)
   at Microsoft.Web.Services3.Security.EncryptedData.Decrypt(XmlElement encryptedElement)
   at Microsoft.Web.Services3.Security.EncryptedData.Decrypt()

Issues with Kerberos and SQL Server failover-cluster

  
I have a dual-instance SQL 2008 SP1 2-node Failover-cluster running on Server 2008 x64 SP2. SPNs have been manually created in AD for the service account running SQL Server (on both nodes).

When the cluster nodes first boot up and the virtual groups come online, everything works flawlessly. I have linked server connections set up between the two instances of SQL server, with one instance running on each node. I can successfully make linked server connections from one instance to another from a third client PC, indicating Kerberos is working successfully, which is great!

Problem is, this all stops working as soon as one of the SQL cluster groups fails over (or is taken offline, and moved to the other node). As soon as this happens, all authentications seem to fall back to NTLM. Of course, running both instances on the same physical node will work since Kerberos is not required for this. But as soon as an instance moves to another node - Kerberos seems to be permanently broken for that instance, even if moved back to its original node, until both nodes are rebooted again.

One thing to note - the service account running SQL server is not a domain admin. This of course prevents SQL server from auto-registering the SPN upon startup and generates the following in the SQL log: "The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL

WCF Kerberos Authentication Custom Binding

  
Hello, I am using Kerberos as the Authentication mode for a WCF Client to interact with an ASMX Web Service. I am using customBinding in the WCF Client. I am getting the below mentioned Fault Exception when I invoke the HelloWorld Method by creating a Proxy using SVCUTIL.

System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later
 ---> System.ApplicationException: WSE841: An error occured processing an outgoing fault response.
 ---> System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Server was unable to process request.
 ---> System.InvalidOperationException: WSE914: This instance of derived key token does not support encryption, decryption, or key wrapping. It can only be used to sign or verify signature. Please make sure that the length of the derived key matches the length of the key required by the symmetric encryption algorithm configured for the derived key token manager.
   at Microsoft.Web.Services3.Security.Tokens.DerivedKeyToken.Psha1SymmetricKeyAlgorithm.get_EncryptionFormatter()
   at Microsoft.Web.Services3.Security.EncryptedData.ResolveDecryptionKey(String algorithmUri, KeyInfo keyInfo)
   at Microsoft.Web.Services3.Security.EncryptedData.Decrypt(XmlElement encryptedElement)
   at Microsoft.Web.Services3.Security.EncryptedData.Decrypt()
   at Mic

Excel Services, Kerberos, and cube access

  

Hello Sharepoint experts:

I'm testing our recently set up Kerberos with Sharepoint, Excel Services, and some SSAS Cubes.

I create an Excel Pivot table using a Trusted Connection to a cube, the "Refresh Data when opening file" is checked. The file is published to a Trusted Excel Services location in Sharepoint. I then create a Dashboard and add an Excel Web Part to display that pivot table. All works fine on my machine. When I get another user (one who does NOT have access to this cube) to go to the Dashboard page, that user can see all the data in the Pivot table.

If I then DELETE the cube that the Pivot table is based on, when the user (who never had access to it in the first place) goes to the Dashboard page, they get an error stating that the source may be unreachable or that access may be denied. This error is expected. But what I DON'T expect is to NOT receive an error the first time

Seems that even if the user does NOT have access to the cube, Excel Services still lets them see the 'last saved version of the file' even though it is supposed to query the database for new results every time.

AND when I restore the cube WITH CHANGES, that user can then not only see the pivot table again, they can see the recent changes, even though the original file in Trusted Excel Services Locations was never updated.

Is it possi

kerberos authentication

  

Hi ALL,

I am new to ASP.Net web application and I need to learn Kerberos authentication urgently. I have gone through the basic mechanism of it but I need a sample project to learn the Kerberos authentication. Can anybody please help me in these...

Suppose, a web page containing text boxes for user Id and password..and when the form is submitted, Kerberos authentication is done for that user...a simple web application that uses Kerberos authentication.

Can anybody please help me by providing this type of sample application so that the coding part can be understood.


Java Application with SSRS 2008 (Kerberos Enabled)

  

Hi,

On one of our Dev Instances we have enabled Kerberos by setting up SPNs, changing the authentication type, delegation etc. We have one Java app which simply calls the reporting services by URL of the report and uses a domain account to connect to reporting services. Somehow after the Kerberos change the Java app is not able to connect and we get a 401 error.

I checked the logs and it seems that the Java app is not even able to make a request to the report server computer as I can't see any log of access denied. Below is the authentication tag of report server config file:

<AuthenticationTypes>
      <RSWindowsNegotiate/>
</AuthenticationTypes>

and web.config :

    <authentication mode="Windows" />
    <identity impersonate="true" />

Can someone suggest how to proceed?

 

