
Help needed with KERBEROS and Native XML Web Services

  1. Help needed with KERBEROS and Native XML Web Services

    Trying to get Native XML Web Services set up in our test environment, and I've
    hit a problem.
    When the HTTP EndPoint is set to use Integrated Authentication, I can browse
    to the endpoint (using IE7 from a separate PC) and get the WSDL back, but
    when I switch the EndPoint to use KERBEROS authentication, I get nothing
    returned, and only see a blank page.

    All machines are in the same Active Directory domain. Using SQL Server 2005
    SP2 on Win2003 Std SP1 on the server, and XP SP2 and IE7 on the PC.
    The SQL Server is running under a local domain account, and this account has
    been registered for both the MSSQLSvc and HTTP services, as below (the names
    have been changed to protect the guilty).

    MSSQLSvc/Server1.test.local:1433
    MSSQLSvc/Server1:1433
    HTTP/Server1.test.local
    HTTP/Server1

    The EndPoint name has been reserved using sp_reserve_http_namespace, and is
    owned by SA. I'll be changing the auditing to log all authentication events.

    So, does anyone have any ideas or guidance?

    Thanks in advance,

    Al

  2. RE: Help needed with KERBEROS and Native XML Web Services

    Hi Al

    Have you tried AUTHENTICATION=KERBEROS? It sounds like you have run
    SetSPN.exe (http://msdn2.microsoft.com/en-us/library/ms178119.aspx)

    John



  3. RE: Help needed with KERBEROS and Native XML Web Services

    When I do the
    ALTER ENDPOINT AS HTTP (AUTHENTICATION=(KERBEROS)),
    I don't get the WSDL. But I have discovered that the endpoint still accepts
    and processes calls to the web services on the EndPoint.

    When I do
    ALTER ENDPOINT AS HTTP (AUTHENTICATION=(INTEGRATED)), I do get
    the WSDL.

    Could it be that using KERBEROS authentication disables the WSDL discovery?



  4. RE: Help needed with KERBEROS and Native XML Web Services

    Hi

    I am not sure if this is the case and can't find any documentation to say
    so. Have you tried AUTHENTICATION=KERBEROS,NTLM and AUTHENTICATION=NTLM,
    KERBEROS to see if there are any differences?

    John



  5. RE: Help needed with KERBEROS and Native XML Web Services

    Hi John,

    I changed the WS to return some details from sys.dm_exec_connections as
    well, so I could see a little more of what was going on when calling the WS.

    When I have specified NTLM as an Authentication method (position doesn't
    appear to make a difference), then I can get a WSDL back (with IE7).
    If I have both NTLM and KERBEROS, or INTEGRATED by itself, then the
    connection is made as NEGOTIATE.
    NTLM by itself gets the WSDL back, and is made as NTLM.
    KERBEROS by itself doesn't return a WSDL and is made as KERBEROS.

    But what I have now seen (because I did a refresh instead of using a new IE
    tab), if IE7 has displayed the WSDL, and then I switch the EndPoint to
    KERBEROS only, then it displays the following instead of the blank page I've
    usually had.

    The XML page cannot be displayed
    Cannot view XML input using style sheet. Please correct the error and then
    click the Refresh button, or try again later.
    --------------------------------------------------------------------------------
    Access is denied. Error processing resource 'http://apollo/SQLTestEP?wsdl'.

    I've checked, and IE7 thinks the web site is in the "Local Intranet", so I'm
    assuming that the Windows credentials are passed straight through. And it
    seems odd that I can call the WS from C#, but get an "Access is denied" from
    IE7.

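Added example (not part of the original thread or any poster's code): the two checks discussed above, which authentication schemes each HTTP endpoint is configured to offer and which scheme each connection actually used, written as T-SQL against the SQL Server 2005 catalog views and DMVs. It assumes the caller holds VIEW SERVER STATE; inside a web method, the second query can be narrowed with `c.session_id = @@SPID`.

```sql
-- Added illustration; run on the instance that hosts the HTTP endpoint.

-- 1) Configured side: which schemes does each HTTP endpoint offer?
--    A KERBEROS-only endpoint shows is_kerberos_auth_enabled = 1 and the
--    NTLM / INTEGRATED flags = 0, so there is no fallback for a client
--    that cannot present a Kerberos ticket.
SELECT  e.name,
        e.state_desc,
        e.site,
        e.url_path,
        e.is_integrated_auth_enabled,
        e.is_kerberos_auth_enabled,
        e.is_ntlm_auth_enabled,
        e.is_basic_auth_enabled,
        e.is_digest_auth_enabled,
        e.is_anonymous_enabled
FROM    sys.http_endpoints AS e
ORDER BY e.name;

-- 2) Observed side: which scheme did each current HTTP connection use?
--    auth_scheme reports values such as NEGOTIATE, NTLM or KERBEROS.
SELECT  c.session_id,
        ep.name            AS endpoint_name,
        c.net_transport,
        c.auth_scheme,
        c.client_net_address,
        s.login_name,
        c.connect_time
FROM    sys.dm_exec_connections AS c
JOIN    sys.endpoints           AS ep ON ep.endpoint_id = c.endpoint_id
LEFT JOIN sys.dm_exec_sessions  AS s  ON s.session_id   = c.session_id
WHERE   ep.protocol_desc = 'HTTP'
ORDER BY c.connect_time DESC;

-- 3) Summary per endpoint: NTLM rows on an endpoint intended to be
--    Kerberos-only indicate the configuration still permits fallback.
SELECT  ep.name AS endpoint_name,
        c.auth_scheme,
        COUNT(*) AS connections
FROM    sys.dm_exec_connections AS c
JOIN    sys.endpoints           AS ep ON ep.endpoint_id = c.endpoint_id
WHERE   ep.protocol_desc = 'HTTP'
GROUP BY ep.name, c.auth_scheme
ORDER BY ep.name, c.auth_scheme;
```

HTTP connections are short-lived, so queries 2 and 3 only show requests in flight when they run; capturing the row from inside the web method, as described in the post above, avoids that gap.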


  6. RE: Help needed with KERBEROS and Native XML Web Services

    Hi

    Does this mean you are using custom WSDL? Does default change the behavior?

    John



  7. RE: Help needed with KERBEROS and Native XML Web Services

    Hi

    The HTTP EndPoint has been created with WSDL = STANDARD (i.e.
    WSDL=N'[master].[sys].[sp_http_generate_wsdl_defaultcomplexorsimple]').


