ANONYMOUS LOGON Web Server to WCF Web Service (Different Server)

  • Question

  • Hi,

           I am facing lost login credentials from the web server to the WCF web service (different server). I get correct data if I open my web site from the web server, but I get "403 Forbidden" if I call it from a client PC or another server. I used a domain account to run the web application for my own web site. Is something wrong in my configuration on each server? I have no idea how to correct it. I couldn't find a correct answer on Google or Bing. Here is the server information and SPN list. Please let me know if you want to know more details.

    1. Domain Server

    2. CRM Server (Web Site is hosted on this server)

     - Enable Kernel Mode

     - Windows authentication (1st - Negotiate, 2nd - NTLM)

     - Impersonate

     - Application Pool (domain\account)

    3. ERP Server (WCF Web Services are hosted on this server; supports Kerberos + NTLM).

     - domain\account to run services.

     - constrained delegation to SQL Server

    4. SQL Server

    Here are the SPNs on each server and service account

    SQL Server SPN List
    MSSQLSvc/WS08R2SP1-SQL.domain.local:1433
    MSSQLSvc/WS08R2SP1-SQL.domain.local
    WSMAN/WS08R2SP1-SQL
    WSMAN/WS08R2SP1-SQL.domain.local
    RestrictedKrbHost/WS08R2SP1-SQL
    RestrictedKrbHost/WS08R2SP1-SQL.domain.local
    HOST/WS08R2SP1-SQL
    HOST/WS08R2SP1-SQL.domain.local

    CRM Server SPN List
    TERMSRV/WS08R2SP1-CRM
    TERMSRV/WS08R2SP1-CRM.domain.local
    WSMAN/WS08R2SP1-CRM
    WSMAN/WS08R2SP1-CRM.domain.local
    RestrictedKrbHost/WS08R2SP1-CRM
    RestrictedKrbHost/WS08R2SP1-CRM.domain.local
    HOST/WS08R2SP1-CRM
    HOST/WS08R2SP1-CRM.domain.local

    ERP Server SPN List
    TERMSRV/WS08R2SP1-ERP
    TERMSRV/WS08R2SP1-ERP.domain.local
    WSMAN/WS08R2SP1-ERP
    WSMAN/WS08R2SP1-ERP.domain.local
    RestrictedKrbHost/WS08R2SP1-ERP
    RestrictedKrbHost/WS08R2SP1-ERP.domain.local
    HOST/WS08R2SP1-ERP
    HOST/WS08R2SP1-ERP.domain.local

    Domain\NavSvrAdmin (Running Navision Web Service Account) SPN List
    HTTP/WS08R2SP1-ERP.domain.local
    HTTP/WS08R2SP1-ERP
    NAV61-SG_Demo/WS08R2SP1-ERP.domain.local:7046
    NAV61-SG_Demo/WS08R2SP1-ERP:7046

    Here is the login failure list on the web server (CRM server), captured using Wireshark.


    Here is the logon information on the ERP server. I get this log if I access my web site from a client PC.

    ERP Server
    An account was successfully logged on.

    Subject:
        Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0

    Logon Type:            3

    New Logon:
        Security ID:        ANONYMOUS LOGON
        Account Name:        ANONYMOUS LOGON
        Account Domain:        NT AUTHORITY
        Logon ID:        0x45e781
        Logon GUID:        {00000000-0000-0000-0000-000000000000}

    Process Information:
        Process ID:        0x0
        Process Name:        -

    Network Information:
        Workstation Name:    WS08R2SP1-CRM
        Source Network Address:    -
        Source Port:        -

    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    NTLM V1
        Key Length:        128

    This event is generated when a logon session is created. It is generated on the computer that was accessed.

    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Please ignore my mistake if I posted in the wrong place.

    Best Regards,


    Make Simple & Easy

    • Moved by Caillen Wednesday, April 15, 2015 8:46 AM
    Monday, April 6, 2015 12:38 PM
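The pattern the ERP server event above shows (ANONYMOUS LOGON over NTLM, Logon Type 3, Workstation Name equal to the web tier) is the classic back-end footprint of a Kerberos double hop that did not complete. As an added example, not code from the original post, this Python snippet parses the 4624 field layout and classifies such an event against a list of known middle-tier hosts; the contrast event and the user name jdoe are constructed.

```python
"""Spot the 4624 signature of a failed Kerberos double hop on the back end."""
import re

# Fields copied from the ERP server 4624 event in the post above (abridged).
ERP_EVENT = """Logon Type:            3
    Account Name:        ANONYMOUS LOGON
    Account Domain:        NT AUTHORITY
    Workstation Name:    WS08R2SP1-CRM
    Logon Process:        NtLmSsp
    Authentication Package:    NTLM
    Package Name (NTLM only):    NTLM V1"""

# Constructed contrast case: the same hop when delegation works and the web
# tier presents a Kerberos ticket for the real caller (user name made up).
KERBEROS_EVENT = """Logon Type:            3
    Account Name:        jdoe
    Account Domain:        DOMAIN
    Workstation Name:    WS08R2SP1-CRM
    Logon Process:        Kerberos
    Authentication Package:    Kerberos
    Package Name (NTLM only):    -"""

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def parse_4624(text):
    """Flatten indented 'Key: Value' lines into a dict. A later duplicate key
    overwrites an earlier one, so 'New Logon' values win over 'Subject'."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):          # skip section headers like 'New Logon:'
            fields[m.group(1)] = m.group(2)
    return fields

def classify(fields, middle_tiers):
    """'double-hop-fallback': anonymous NTLM network logon from a known middle
    tier (the web app held no delegable credential, so NTLM fell back to a
    null session); 'delegated-kerberos': named user via Kerberos; else 'other'."""
    via_tier = fields.get("Workstation Name", "").upper() in middle_tiers
    anon = fields.get("Account Name") == "ANONYMOUS LOGON"
    pkg = fields.get("Authentication Package")
    if via_tier and fields.get("Logon Type") == "3" and anon and pkg == "NTLM":
        return "double-hop-fallback"
    if via_tier and not anon and pkg == "Kerberos":
        return "delegated-kerberos"
    return "other"

if __name__ == "__main__":
    for ev in (ERP_EVENT, KERBEROS_EVENT):
        print(classify(parse_4624(ev), {"WS08R2SP1-CRM"}))
```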

Answers

  • Legacy Web services and WCF services are discussed in the Services section in the ASP.NET forum.

    http://forums.asp.net/

    • Proposed as answer by Caillen Tuesday, April 7, 2015 10:19 AM
    • Marked as answer by Just Karl Wednesday, April 15, 2015 8:24 PM
    Monday, April 6, 2015 1:45 PM