IIS 7 - .Net 4 - Accessing WebService across domains not working

  • Question

  • Hi

    First of all, I'm not a developer but an IT admin...

    Sorry if the post is not in the right forum.

    I'm facing a strange problem...

    I have a .Net 4 application hosted on IIS7 (Win 2008 SP2, Server A) in domain A which accesses a web service on another IIS7 (Win 2008 SP2, Server B) in domain B.

    Everything worked fine for a long time, the application can access the webservice anonymously using networkservice identity.

    Suddenly, a month ago, everything stopped working, the webservice cannot be accessed by application on server A (domain A).

    Application on server A is running under NetworkService identity. If I change it to LocalSystem : it WORKS !

    The "only" thing that's changed in my domain A, is an upgrade of the forest/domain functional level from 2000 to 2003 and replacing Windows 2003 Domain controller by Windows 2012 domain controller.

    The developers are sure they did not change anything in the application or webservice.

    Accessing the webservice from the server A hosting the application using IE : http://serverB/websvc.svc?wsdl works fine!

    When trying to access the web service on server B in domain B I can see the events below.

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          05.06.2013 16:44:56
    Event ID:      4776
    Task Category: Credential Validation
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      serverB.domainB
    Description:
    The domain controller attempted to validate the credentials for an account.

    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account: SERVER_A$
    Source Workstation: SERVER_A
    Error Code: 0xc0000064


    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          05.06.2013 16:44:56
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      serverB.domainB
    Description:
    An account failed to log on.

    Subject:
     Security ID:  NULL SID
     Account Name:  -
     Account Domain:  -
     Logon ID:  0x0

    Logon Type:   3

    Account For Which Logon Failed:
     Security ID:  NULL SID
     Account Name:  SERVER_A$
     Account Domain:  DOMAIN_A

    Failure Information:
     Failure Reason:  Unknown user name or bad password.
     Status:   0xc000006d
     Sub Status:  0xc0000064

    I need help, this problem is making me crazy !

    Thanks in advance
    Sébastien


    • Edited by SebCH Wednesday, June 5, 2013 3:18 PM
    Wednesday, June 5, 2013 3:17 PM
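
As an added example (not code from the thread), this Python sketch parses the text of the 4625 event posted above and decodes the fields that matter for triage: a service running as NetworkService authenticates over the network as its computer account, which is why `SERVER_A$` appears. The sample text is constructed from the post; the local domain name `DOMAIN_B` and all function names are assumptions.

```python
import re

# Documented NTSTATUS codes: the two from the events above plus one common neighbour.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER (account name does not exist)",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 10: "RemoteInteractive"}

# Constructed sample: key lines of the 4625 description from the post.
SAMPLE_4625 = """\
Subject:
 Account Name:  -
Logon Type:   3
Account For Which Logon Failed:
 Account Name:  SERVER_A$
 Account Domain:  DOMAIN_A
Failure Information:
 Status:   0xc000006d
 Sub Status:  0xc0000064
"""

def parse_fields(text):
    """Return {label: value}; a later label (the failed account) overwrites the Subject's."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s+(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage(text, local_domain):
    f = parse_fields(text)
    account, domain = f.get("Account Name", ""), f.get("Account Domain", "")
    sub = int(f.get("Sub Status", "0x0"), 16)
    result = {
        "account": f"{domain}\\{account}",
        "logon_type": LOGON_TYPES.get(int(f.get("Logon Type", "0")), "Other"),
        "status": NTSTATUS.get(int(f.get("Status", "0x0"), 16), "unmapped"),
        "sub_status": NTSTATUS.get(sub, "unmapped"),
        "machine_account": account.endswith("$"),
        "foreign_domain": domain.upper() != local_domain.upper(),
    }
    # Machine identity from another domain, network logon, validator found no such account.
    result["cross_domain_machine_logon"] = (
        result["machine_account"] and result["foreign_domain"]
        and result["logon_type"] == "Network" and sub == 0xC0000064)
    return result
```
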

Answers

  • Finally, the devs found the solution.

    Accessing web services anonymously across domains needs the following security configuration:

    <security mode="None">
      <message establishSecurityContext="false"/>
      <transport clientCredentialType="None"/>
    </security>

    • Marked as answer by SebCH Tuesday, June 18, 2013 1:43 PM
    Tuesday, June 18, 2013 1:43 PM

All replies

  • There was a security update from Microsoft that caused some credential issues.  We had to back out this upgrade.  Not sure which one it was.

    jdweng

    Wednesday, June 5, 2013 5:17 PM
  • Hello, The server in domain A has no patch except SP2. I know, I know... But it's an idea, maybe I have to install some patches. Sebastien
    Wednesday, June 5, 2013 6:06 PM
  • I checked with the people who worked on my company's problem.  Originally they thought it was a Microsoft patch.  They finally found that when they upgraded one of our applications the installer didn't set a privilege properly.  The uninstaller removed some files and then the installer added back newer versions of the deleted files and didn't restore the privileges during the installation.  The fix was to manually change a privilege level after the upgrade was done.

    jdweng

    • Proposed as answer by Nico_He Wednesday, June 12, 2013 3:58 AM
    Wednesday, June 5, 2013 9:19 PM
  • OK,

    I'll try to install Windows updates, Maybe one of them will correct my problem.

    Keep you informed.

    Sebastien

    Friday, June 7, 2013 1:57 PM
  • Hi,

    I'm back with news.

    So installing all the latest updates (critical and security) did not solve my problem :-(

    I'm really disappointed and don't know where to look now.

    Anybody has an idea ?

    Sébastien

    Wednesday, June 12, 2013 12:00 PM