How to: Use a KerberosToken in a Web Farm
The following procedure details the additional steps needed to secure SOAP messages using a KerberosToken security token that are sent to a Web farm.
To use a KerberosToken to secure SOAP messages sent to a Web service in a Web farm
Change the account that the Web service is running under to a domain user account.
For Web services created using ASP.NET, the account the ASP.NET worker process runs under is controlled by the <processModel> element in the Machine.config file. Set the userName attribute of the <processModel> element to specify the account ASP.NET runs under. By default, the userName attribute is set to the special Machine account, which maps to the low-privileged ASPNET user account created when the .NET Framework SDK is installed. ASPNET is the default user account.
Note
Internet Information Services (IIS) version 6.0uses application pools to determine the process identity, and the default account a Web service runs under is Network Service..
Add the account that the Web service is running under to the IIS_WPG group.
Register a service principal name on all computers within the Web farm.
The service principal name can be registered using the SetSpn.exe tool. For details about registering service principal names, see SetSpn.exe in the Windows 2000 documentation.
Once the service principal name is registered correctly, a client application can create a new instance of KerberosToken using one of the constructors that take a target principal name. The application can then use that security token to sign or encrypt a SOAP message that is sent to the Web service. The format of the target principal name is as follows:
ServicePrincipalName[@domain-name]Domain-nameis optional.
See Also
Reference
Other Resources
Kerberos Ticket
Brokered Authentication – Kerberos
Kerberos Technical Supplement for Windows