Moving my website to different server changes authentication from Kerberos to NTLM
I have a webservice that is configured for Windows Authentication. The client code that invokes the WS passes along the credentials to the WS as follows:
    myWebService.Credentials = System.Net.CredentialCache.DefaultCredentials;
(My understanding is that this represents the username-password-domain of the logged-on user.)
I am testing configuration issues and am confused about how to ensure Kerberos is set.
Details follow:
I have 2 virtual directories on the same IIS server (one is a "client" with .aspx pages) and the other is the "server" (it hosts a webservice that the client invokes).
My client displays key info about the connecting user via this code:
    // Requires: using System.Text; (for StringBuilder)
    private string GetUserInfo()
    {
        System.Security.Principal.WindowsIdentity UserIdentityInfo;
        StringBuilder msg = new StringBuilder("User Name: ");
        // Identity the current thread/process is running as
        UserIdentityInfo = System.Security.Principal.WindowsIdentity.GetCurrent();
        msg.Append(UserIdentityInfo.Name);
        msg.Append(Environment.NewLine);
        msg.Append(" Token: ");
        msg.Append(UserIdentityInfo.Token.ToString());
        msg.Append(Environment.NewLine);
        // Authentication type reported for this identity (e.g. Kerberos or NTLM)
        msg.Append(" Authenticated: ");
        msg.Append(UserIdentityInfo.AuthenticationType);
        msg.Append(Environment.NewLine);
        msg.Append(" System: ");
        msg.Append(UserIdentityInfo.IsSystem);
        msg.Append(Environment.NewLine);
        msg.Append(" Guest: ");
        msg.Append(UserIdentityInfo.IsGuest);
        msg.Append(Environment.NewLine);
        msg.Append(" Anonymous: ");
        msg.Append(UserIdentityInfo.IsAnonymous);
        msg.Append(Environment.NewLine);
        return msg.ToString();
    }
Authentication type is Kerberos when BOTH webclient and the called webservice are on the same server (e.g. SERVER1). Actual execution works correctly too.
Authentication type changes to NTLM when this same webclient code is invoked but it now resides on SERVER2. The called webservice still resides on the original server (SERVER1). Actual execution FAILS because the credentials are not correct.
SERVER1 and SERVER2 are on the same local area network (same DOMAIN) and the domain account I use for testing each scenario above is the same (I am in Administrators group on each machine).
How can I configure this so KERBEROS is the authentication type - that is, when this client on SERVER2 is invoked from a browser by "me"?
Please see my comment above. The ServerFault site is perhaps a better place for this question, and sure enough a post there was quickly answered beautifully. Answer at:
https://serverfault.com/questions/270293/moving-my-website-to-different-server-changes-authentication-from-kerberos-to-ntl