EWS and kerberos authentification

We need to run an application on a separate server from EWS and we are running Windows Authentification IWA on IIS 7.0 and CS server 10,0 with Directory services. We need that application to impersonate the user to connect to EWS on a separate server. As knows, the account running the application pool need to be delagated to impersonate a user then pass the kerberos ticket to the IIS running EWS. NTLM does not support multiple host hop, in this case we need to use Kerberos. So the question, does EWS support kerberos authentification?

Find more posts tagged with

Comments

Kyle_Swidrovich

Have you considered authenticating directly with OTDS and then using the OTDS token with ValidateUser to get a CWS token?

Guy_Pomerleau

We have not move yet to OTDS. We upgrade from 9.7.1 at the time so we did not want to change so we stick with Directory services. So is there a way to do impersonate with EWS.

Here the coding used by the programmer from our provider. Do you see something wrong:

<snip>

WindowsIdentity windowsIdentity = ServiceSecurityContext.Current.WindowsIdentity;

string impersonatedUser = windowsIdentity.Name;

LOGGER.Info(m => m("WindowsIdentity"));

LOGGER.Info(m => m(string.Format(CultureInfo.InvariantCulture, "\t Name : {0}", impersonatedUser)));

LOGGER.Info(m => m(string.Format(CultureInfo.InvariantCulture, "\t Is guest : {0}", windowsIdentity.IsGuest)));

LOGGER.Info(m => m(string.Format(CultureInfo.InvariantCulture, "\t Is anonymous : {0}", windowsIdentity.IsAnonymous)));

LOGGER.Info(m => m(string.Format(CultureInfo.InvariantCulture, "\t Is system :{0}", windowsIdentity.IsSystem)));

LOGGER.Info(m => m(string.Format(CultureInfo.InvariantCulture, "\t Is authenticated :{0}", windowsIdentity.IsAuthenticated)));

LOGGER.Info(m => m(string.Format(CultureInfo.InvariantCulture, "\t Impersonation level :{0}", windowsIdentity.ImpersonationLevel)));

bool isLogged;

try

{

WindowsImpersonationContext wic = windowsIdentity.Impersonate();

using (wic)

{

LivelinkCore.LivelinkAuthentication.OTAuthentication ota = new LivelinkCore.LivelinkAuthentication.OTAuthentication();

securityToken = authClient.ImpersonateUser(ref ota, impersonatedUser);

isLogged = StringToolkit.HasText(securityToken);

}

eLink User

Something on Kerberos https://knowledge.opentext.com/knowledge/cs.dll?func=ll&objId=18705225&objAction=ArticleView&viewType=1

Not sure if you just want to create a anonymous application /website and use Livelink authentication for impersonation?

If not depending on what exactly is the error returned "invalid username/password" you could try these permutations/combinations

NOT REALLY SAFE IF YOU ARE NOT IN A INTRANET(although what I am saying is in a KBA

But if you look here

?func=admin.securityvars this Cookie Authentication Information that determines how livelink will decrypt your cookie so the highest

is default with IP address of client successively you can turn it down so LL will become less finicky and less secure as well.So the last setting is a viable candidate for

you know what....

..appu appnair appunair

Well, if I called the wrongnumber, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937

On Wed, Jan 13, 2016 at 8:54 AM, eLink Entry: Content Web Services Forum <otdncontentwebservices971forum@elinkkc.opentext.com> wrote:

RE EWS and kerberos authentification Posted byPomerleau, GuyOn 01/13/2016 09:52 AM

We have not move yet to OTDS. We upgrade from 9.7.1 at the time so we did not want to change so we stick with Directory services. So is there a way to do impersonate with EWS. Here the coding used by the programmer from our provider. Do you see something wrong: <snip> WindowsIdentity windowsIdentity = ServiceSecurityContext.Current.WindowsIdentity; string impersonatedUser = windowsIdentity.Name; LOGGER.Info(m => m("WindowsIdentity")); LOGGER.Info(m => m(string.Format(CultureInfo.InvariantCulture, "\t Name : {0}", impersonatedUser))); LOGGER.Info(m => m(string.Format(CultureInfo.InvariantCulture, "\t Is guest : {0}", windowsIdentity.IsGuest))); LOGGER.Info(m => m(string.Format(CultureInfo.InvariantCulture, "\t Is anonymous : {0}", windowsIdentity.IsAnonymous))); LOGGER.Info(m => m(string.Format(CultureInfo.InvariantCulture, "\t Is system :{0}", windowsIdentity.IsSystem))); LOGGER.Info(m => m(string.Format(CultureInfo.InvariantCulture, "\t Is authenticated :{0}", windowsIdentity.IsAuthenticated))); LOGGER.Info(m => m(string.Format(CultureInfo.InvariantCulture, "\t Impersonation level :{0}", windowsIdentity.ImpersonationLevel))); bool isLogged; try { WindowsImpersonationContext wic = windowsIdentity.Impersonate(); using (wic) { LivelinkCore.LivelinkAuthentication.OTAuthentication ota = new LivelinkCore.LivelinkAuthentication.OTAuthentication(); securityToken = authClient.ImpersonateUser(ref ota, impersonatedUser); isLogged = StringToolkit.HasText(securityToken); } }
[To post a comment, use the normal reply function]
Topic: EWS and kerberos authentification
Forum: Content Web Services Forum
Content Server: Knowledge Center

Guy_Pomerleau

here more detail about our scenario: we have a client that connect toi a .net apps running IIS windows authenticated and impersonate=true, the apps pass the windows token to a windows service running and domain account which then try to connect to livelink web service windows authenticated. So far I can't figure out why the "windows service" failed to pass the kerberos and instead connect NTLM. I don't know if it is the service that does not try to connect kerberos or it is the EWS that refuse to negotiate kerberos.

I know if I use my browser and I try: http://csweb1qa/les-services/authentication.svc I see livelink using kerberos and not NTLM so the "windows service" should be able to negotiate Kerberos. I did the SPN stuff, DNS host record and imperosnate on my IIS.

eLink User

I would use a more simplistic approach.If you have access to builder in that livelink server receiving the CWS call I would run it and have the client action.

I will illustrate it like this

LL Server (BoxA)

WS Server(BoxB) BoxB Web.Config is configured to talk to to BoxA on its lapi port(2099)

ClientAppCode(BoxC)

Now with builder running on BoxA or with( wantlapilogs=true,debug=2,wantlogs=trrue) execute the CWS call from BoxC

Do you see builder lines passing through which means that CWS has done the vetting and the error is coming from the real livelink server

Now if you know oscript you will be able to trace the error and provide remedies.

However if BoxA is not receiving it then BoxB is not relaying so it is whatver is wrong with your Kerberos stugff which I cannot comment as I don't know it.

In many orgs they usually run the LL server and WSAPI server on the same box but this logic can be used in any case.

theoretically if you employ IWA on BoxC and BoxB so that BoxB is running in the credential of a NTLM user known to livelink directory services configured

to do just the user name part it should work

However you may want to ascertain if it is indeed the LL server who is throwing the error or not.

This is kind of what Kyle said,you ask OTDS(BoxB) ,OTDS does the Kerberos(I have no idea?) exchange with DC & AD gets a valid ticket and hands it over to you on BoxC. BoxC send it to BoxA.

..appu appnair appunair

Well, if I called the wrongnumber, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937

On Wed, Jan 13, 2016 at 11:34 AM, eLink Entry: Content Web Services Forum <otdncontentwebservices971forum@elinkkc.opentext.com> wrote:

Re RE EWS and kerberos authentification Posted byPomerleau, GuyOn 01/13/2016 12:25 PM

here more detail about our scenario: we have a client that connect toi a .net apps running IIS windows authenticated and impersonate=true, the apps pass the windows token to a windows service running and domain account which then try to connect to livelink web service windows authenticated. So far I can't figure out why the "windows service" failed to pass the kerberos and instead connect NTLM. I don't know if it is the service that does not try to connect kerberos or it is the EWS that refuse to negotiate kerberos. I know if I use my browser and I try: http://csweb1qa/les-services/authentication.svc I see livelink using kerberos and not NTLM so the "windows service" should be able to negotiate Kerberos. I did the SPN stuff, DNS host record and imperosnate on my IIS.
[To post a comment, use the normal reply function]Topic:EWS and kerberos authentificationForum:Content Web Services ForumContent Server:Knowledge Center

Guy_Pomerleau

Here what I have in my LES Logs:

BasicServiceContext[fServer=10.8.10.30,fServerPort=2099,fServerEncoding=UTF8]

2016-01-18 20:15:07,8286 TRACE [4] IRequestContext = BasicRequestContext[fClientIPAddress=10.8.18.21,fServiceToken=,]

2016-01-18 20:15:09,1996 TRACE [4] IRequestContext.ServiceToken =

2016-01-18 20:15:09,2492 TRACE [4] WindowsIdentify.Name=CSA\GPomerleau

2016-01-18 20:15:09,2492 TRACE [4] PrimaryIdentify.Name=CSA\GPomerleau

2016-01-18 20:15:09,2492 TRACE [4] begin: Authentication.ImpersonateUser(CSA\GPomerleau)

2016-01-18 20:15:09,7943 TRACE [4] ThrowLivelinkException( 903101,Core.InsufficientPermissionsToPerformThisAction,Insufficient permissions to perform this action.,,urn:Core.service.livelink.opentext.com)

2016-01-18 20:15:09,7943 WARN [4] Livelink error occurred

2016-01-18 20:15:09,7943 WARN [4] Status: 903101

2016-01-18 20:15:09,7943 WARN [4] Error Code: Core.InsufficientPermissionsToPerformThisAction

2016-01-18 20:15:09,7943 WARN [4] Error Message: Insufficient permissions to perform this action.

2016-01-18 20:15:09,7943 WARN [4] ApiError:

2016-01-18 20:15:09,8108 TRACE [4]

The web application is running under the application pool account: ccmserviceqa . I open this apps using my Windows account with IE: gpomerleau. SO my account gets to my Web apps, which try to call LES-services. I'm surpirser the windowsIdentity and PrimaryIdentiry are the same, I would have expected one to be the application pool service account and the other one be the caller account

eLink User

Are users in your livelink created like this "CSA\GPomerleau" ? or do you have the webauthentication configuration setting set to strip our Domain and just use the username.In any case the error to me looks like you are creating a impersonation user called Authentication.ImpersonateUser(CSA\GPomerleau)

and probably since such a user does not exist in your KUAF .Can you create a userid called "CSA\GPomerleau" in your livelink and see if it goes through if so ask support who will give you two patches that will correct the stripping part.I think I have seen this error before on 971 /10 directory services and wsapi.

.....appu appnair appunair

Well, if I called the wrongnumber, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937

On Mon, Jan 18, 2016 at 7:45 PM, eLink Entry: Content Web Services Forum <otdncontentwebservices971forum@elinkkc.opentext.com> wrote:

Re Re RE EWS and kerberos authentification Posted byPomerleau, GuyOn 01/18/2016 08:43 PM

Here what I have in my LES Logs:BasicServiceContext[fServer=10.8.10.30,fServerPort=2099,fServerEncoding=UTF8]2016-01-18 20:15:07,8286 TRACE [4] IRequestContext = BasicRequestContext[fClientIPAddress=10.8.18.21,fServiceToken=,]2016-01-18 20:15:09,1996 TRACE [4] IRequestContext.ServiceToken = 2016-01-18 20:15:09,2492 TRACE [4] WindowsIdentify.Name=CSA\GPomerleau2016-01-18 20:15:09,2492 TRACE [4] PrimaryIdentify.Name=CSA\GPomerleau2016-01-18 20:15:09,2492 TRACE [4] begin: Authentication.ImpersonateUser(CSA\GPomerleau)2016-01-18 20:15:09,7943 TRACE [4] ThrowLivelinkException( 903101,Core.InsufficientPermissionsToPerformThisAction,Insufficient permissions to perform this action.,,urn:Core.service.livelink.opentext.com)2016-01-18 20:15:09,7943 WARN [4] Livelink error occurred2016-01-18 20:15:09,7943 WARN [4] Status: 9031012016-01-18 20:15:09,7943 WARN [4] Error Code: Core.InsufficientPermissionsToPerformThisAction2016-01-18 20:15:09,7943 WARN [4] Error Message: Insufficient permissions to perform this action.2016-01-18 20:15:09,7943 WARN [4] ApiError: 2016-01-18 20:15:09,8108 TRACE [4] The web application is running under the application pool account: ccmserviceqa . I open this apps using my Windows account with IE: gpomerleau. SO my account gets to my Web apps, which try to call LES-services. I'm surpirser the windowsIdentity and PrimaryIdentiry are the same, I would have expected one to be the application pool service account and the other one be the caller account
[To post a comment, use the normal reply function]
Topic: EWS and kerberos authentification
Forum: Content Web Services Forum
Content Server: Knowledge Center

eLink User

and one thing that is not clear to me is only a SYSADMIN profile user in livelink can impersonate another user so it is quite possible that ccmserviceqa is a SA in livelink if so it should be able to impersonate any user valid that is name wise and case wise in livelink.

.....appu appnair appunair

Well, if I called the wrongnumber, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937

On Mon, Jan 18, 2016 at 8:05 PM, Krishnankutty Nair <appnair@gmail.com> wrote:

Are users in your livelink created like this "CSA\GPomerleau" ? or do you have the webauthentication configuration setting set to strip our Domain and just use the username.In any case the error to me looks like you are creating a impersonation user called Authentication.ImpersonateUser(CSA\GPomerleau)
and probably since such a user does not exist in your KUAF .Can you create a userid called "CSA\GPomerleau" in your livelink and see if it goes through if so ask support who will give you two patches that will correct the stripping part.I think I have seen this error before on 971 /10 directory services and wsapi.

.....appu appnair appunair

Well, if I called the wrongnumber, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937

On Mon, Jan 18, 2016 at 7:45 PM, eLink Entry: Content Web Services Forum <otdncontentwebservices971forum@elinkkc.opentext.com> wrote:
Re Re RE EWS and kerberos authentification Posted byPomerleau, GuyOn 01/18/2016 08:43 PM

Here what I have in my LES Logs:BasicServiceContext[fServer=10.8.10.30,fServerPort=2099,fServerEncoding=UTF8]2016-01-18 20:15:07,8286 TRACE [4] IRequestContext = BasicRequestContext[fClientIPAddress=10.8.18.21,fServiceToken=,]2016-01-18 20:15:09,1996 TRACE [4] IRequestContext.ServiceToken = 2016-01-18 20:15:09,2492 TRACE [4] WindowsIdentify.Name=CSA\GPomerleau2016-01-18 20:15:09,2492 TRACE [4] PrimaryIdentify.Name=CSA\GPomerleau2016-01-18 20:15:09,2492 TRACE [4] begin: Authentication.ImpersonateUser(CSA\GPomerleau)2016-01-18 20:15:09,7943 TRACE [4] ThrowLivelinkException( 903101,Core.InsufficientPermissionsToPerformThisAction,Insufficient permissions to perform this action.,,urn:Core.service.livelink.opentext.com)2016-01-18 20:15:09,7943 WARN [4] Livelink error occurred2016-01-18 20:15:09,7943 WARN [4] Status: 9031012016-01-18 20:15:09,7943 WARN [4] Error Code: Core.InsufficientPermissionsToPerformThisAction2016-01-18 20:15:09,7943 WARN [4] Error Message: Insufficient permissions to perform this action.2016-01-18 20:15:09,7943 WARN [4] ApiError: 2016-01-18 20:15:09,8108 TRACE [4] The web application is running under the application pool account: ccmserviceqa . I open this apps using my Windows account with IE: gpomerleau. SO my account gets to my Web apps, which try to call LES-services. I'm surpirser the windowsIdentity and PrimaryIdentiry are the same, I would have expected one to be the application pool service account and the other one be the caller account
[To post a comment, use the normal reply function]
Topic: EWS and kerberos authentification
Forum: Content Web Services Forum
Content Server: Knowledge Center