Flowing windows credentials

Topics: Technical Questions
Jun 25, 2009 at 6:44 PM

Hi,

I'm testing the "Flowing Windows Credentials through MSE" walkthrough.

It works ok when the service is running on the same machine as the MSE (Server A).  But when I move the service to a different machine (Server B) I get this error:

mseTraceSrc Error: 0 : Error in Broker delegate: The HTTP request was forbidden with client authentication scheme 'Negotiate'

Do you know what the problem is?

p.s. Server B has "Trust this computer for delegation..."

Thanks

Developer
Jul 7, 2009 at 7:43 PM

Aside from making sure the infrastructure and user accounts are set up to support Kerberos authentication and delegation, you'd also need to make sure that in the Service Tester you set the Impersonation level to Delegation before submitting the request.  The client must allow his/her credentials to be used for delegation (the default is Identification).

As for general troubleshooting of delegation you can start here:

http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx

http://blogs.technet.com/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx


Jul 8, 2009 at 2:11 PM
Edited Jul 8, 2009 at 2:11 PM

Thanks botto,

Finally got this working.  Getting delegation to work is always a pain (somehow I keep forgetting that).  The only thing that I had to do that was specific to the MSE was extending the channel moniker to provide an SPN when calling the service.

Few points for those that are trying the same thing:
- Both servers had to be set up for delegation (MSE server and the server hosting the service)
- Both servers had to have a valid service principal name (SPN).
- The client had to provide a valid service principal name (SPN); this is done in the config file (if I didn't provide that, the authentication would use NTLM instead of Kerberos, and NTLM doesn't allow delegation)
- The client has to set the impersonationlevel to Delegation
- Also had to set the service principal name when the MSE runtime is calling the service on Server B.  This is done by creating a custom channel moniker.

p.s. Is it possible to set an SPN for the MSE Service Tester?  I couldn't find it, so I had to create my own test client.
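The client-side half of the list above (an explicit SPN so the hop uses Kerberos rather than NTLM, and the Delegation impersonation level), written as an added WCF client example that is not part of this thread or of the MSE project; the service contract, the host name `serverb.example.local`, the `HTTP/` SPN and the service URL are assumed placeholders.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract standing in for the service hosted on "Server B".
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string WhoAmI();
}

public static class DelegatingClient
{
    // Builds a channel factory that (1) names the target SPN explicitly and
    // (2) lets the caller's Windows token be delegated to the next hop.
    public static ChannelFactory<IEchoService> CreateFactory(string serviceUrl, string spn)
    {
        // Transport-level Windows auth (the 'Negotiate' HTTP scheme seen in the error).
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        // Without an SPN identity Negotiate can fall back to NTLM, which cannot
        // be delegated; naming the SPN is what makes Kerberos possible here.
        // Config-file equivalent: <identity><servicePrincipalName value="..."/></identity>
        EndpointIdentity identity = EndpointIdentity.CreateSpnIdentity(spn);
        var address = new EndpointAddress(new Uri(serviceUrl), identity);

        var factory = new ChannelFactory<IEchoService>(binding, address);

        // Default is Identification; Delegation is required for the second hop.
        // Only the ticket for this SPN is forwardable, and only if AD trusts the
        // intermediary (and the account is not marked "sensitive, cannot be delegated").
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Delegation;

        return factory;
    }

    public static string Call(string serviceUrl, string spn)
    {
        ChannelFactory<IEchoService> factory = CreateFactory(serviceUrl, spn);
        IEchoService channel = factory.CreateChannel();
        try
        {
            return channel.WhoAmI();
        }
        finally
        {
            ((IClientChannel)channel).Close();
            factory.Close();
        }
    }
}
```

Placeholder usage: `DelegatingClient.Call("http://serverb.example.local/Echo.svc", "HTTP/serverb.example.local")`; if the returned identity is still the intermediary's own account rather than the original caller's, delegation did not take effect on the second hop.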