Error : Logon failure: unknown user name or bad password.

  • Question

  • I’m facing a problem while running an application using CSF OHSBE

    I’m getting the following error in the PSM o/p trace
    "Microsoft.Web.Services3.Security.SecurityFault: An invalid security token was provided ---> System.Security.SecurityException: WSE594: AcceptSecurityContext call failed with the following error message: Logon failure: unknown user name or bad password."

    The PSM web service that I’m using is the MockPSM provided under OHSBE and I’m using the following policy:

    In SBEPolicy.config found in OHSBE Services\bin, a Kerberos token is used as follows:

    <policy name="ProductServiceMappingClientPolicy">
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <token>
          <kerberos targetPrincipal="MS-PRACTICE/OHSBE-Service" impersonationLevel="Identification" />
        </token>
        <protection>
          <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
        </protection>
      </kerberosSecurity>
      <requireActionHeader />
    </policy>

    In PSMPolicy.config found in MockPSM\bin, a username token is used as follows:

    <policy name="ProductServiceMappingClientPolicy">
        <usernameOverTransportSecurity>
          <clientToken>
            <username username="ms-practice\OHSBE-Service" password="p@ssw0rd123" />
          </clientToken>
        </usernameOverTransportSecurity>
    </policy>

    Could the error be because 2 different tokens are used?
    However, I have tried using the same tokens - both Kerberos and username - on both sides.
    Still facing issues.

    What was the approach to be used?
    Do I need to do any explicit spn setting for PSM?

    Wednesday, March 21, 2007 1:10 PM

Answers

  • Policies should match on both ends. So if you decide to use Kerberos, then copy the policy definition from SBEPolicy.config to the PSM PSMPolicy.config. It should look like the following. Also, you have to create an SPN using setspn.exe for the account that runs PSM and specify it in ProductServiceMappingClientPolicy of SBEPolicy.config.

    <policy name="ProductServiceMappingClientPolicy">
      <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <protection>
          <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
        </protection>
      </kerberosSecurity>
      <requireActionHeader />
    </policy>
    Tuesday, April 24, 2007 1:15 AM
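
An added example, not part of the thread or of CSF: a small check that the same-named policy in the caller's file and the service's file uses the same WSE 3.0 security assertion and the same settings, which is the mismatch the answer above points at. The function names are hypothetical, and it assumes the assertion is a direct child of `<policy>` and that token elements may differ per side, as they do in the answer's policy, which omits `<token>`.

```python
import xml.etree.ElementTree as ET

# The six WSE 3.0 turnkey security assertions; this thread uses the first two.
ASSERTIONS = {"kerberosSecurity", "usernameOverTransportSecurity", "usernameForCertificateSecurity",
              "anonymousForCertificateSecurity", "mutualCertificate10Security", "mutualCertificate11Security"}
# Assumption: token elements are per-side (the answer's policy omits <token>), so skip them.
TOKEN_ELEMENTS = {"token", "clientToken", "serviceToken"}

def local(tag):
    return tag.rsplit("}", 1)[-1]          # '{namespace}policy' -> 'policy'

def settings(el, path=""):
    """Flatten attributes to {'/path@attr': value}, leaving token subtrees out."""
    here = f"{path}/{local(el.tag)}"
    out = {f"{here}@{k}": v for k, v in el.attrib.items()}
    for child in el:
        if local(child.tag) not in TOKEN_ELEMENTS:
            out.update(settings(child, here))
    return out

def assertions(xml_text):
    """Map policy name -> (assertion element name, flattened settings)."""
    policies = [p for p in ET.fromstring(xml_text).iter() if local(p.tag) == "policy"]
    return {p.get("name"): (local(c.tag), settings(c))
            for p in policies for c in p if local(c.tag) in ASSERTIONS}

def compare(client_xml, service_xml):
    """Return one finding per difference between same-named policies."""
    client, service, findings = assertions(client_xml), assertions(service_xml), []
    for name in sorted(client.keys() & service.keys()):
        (c_kind, c_set), (s_kind, s_set) = client[name], service[name]
        if c_kind != s_kind:
            findings.append(f"{name}: client uses {c_kind}, service uses {s_kind}")
            continue
        findings += [f"{name}: {k} is {c_set.get(k)!r} vs {s_set.get(k)!r}"
                     for k in sorted(c_set.keys() | s_set.keys()) if c_set.get(k) != s_set.get(k)]
    return findings

# Constructed samples, abbreviated from the policies quoted in this thread.
HEAD, TAIL = '<policies><policy name="ProductServiceMappingClientPolicy">', "</policy></policies>"
TOKEN = '<token><kerberos targetPrincipal="MS-PRACTICE/OHSBE-Service"/></token>'
KERB = (HEAD + '<kerberosSecurity ttlInSeconds="300">' + TOKEN +
        '<protection><request encryptBody="true"/></protection></kerberosSecurity>' + TAIL)
USER = HEAD + "<usernameOverTransportSecurity/>" + TAIL

if __name__ == "__main__":
    print(compare(KERB, USER))                     # the mismatch from the question
    print(compare(KERB, KERB.replace(TOKEN, "")))  # service copy without <token>
```
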

All replies

  • Hi .. Still stuck at this problem. The error is thrown at the PSM component, and it is related to security tokens. My guess is that this error is because there is some configuration problem at my end. I have run out of options in trying to troubleshoot this problem.

    Any input for solving this problem would be useful.

    Tuesday, March 27, 2007 12:45 PM
  • Hi,

    I suppose, the token that you are sending from the PSM service needs to be the same as it is in SBEPolicy.config for the OHSBEServicePolicy as follows:

    <!-- Policy of OH-SBE Service -->
    <policy name="OHSBEServicePolicy">
    </policy>

    Just check what is the token used in OHSBEServicePolicy.

    Hope that helps.

    Regards
    Vikram

    Monday, April 9, 2007 2:13 PM