We had an issue with MOSS 2007 and Kerberos during the implementation of a new application some weeks ago. Our application loads several web parts on a MOSS 2007 web part page, and each of these web parts calls a different web service to request data from an enterprise data storage. The page is a dashboard that displays sales information to our executive team.
At the beginning we loaded the web parts synchronously, but after seeing how long the page took to load all the web parts (some web services returned a large number of rows), we decided to load them asynchronously on multiple threads using ASP.NET.
But then a strange error appeared: two of the web parts were not loaded correctly the first time a user called the page. They reported an error; when the user refreshed the page, one of them loaded correctly and the other did not, and when we refreshed the page again, both loaded correctly. The error did not appear again until no user had called the page for 5 minutes; then it appeared again for the first user to load it.
The Event Viewer logs showed a Kerberos impersonation problem: when the error appeared, the credential received by the destination server was the Network Service account instead of the user ID, so impersonation was not working correctly.
After working with Microsoft on the issue for several days without finding any logical explanation, we started to think the problem could be caused by the asynchronous calls (I don't know how to explain why… we were desperate, I suppose).
Finally, the solution was to change some settings in the ASPNet.config file (located in the Microsoft.Net folder) to the following values:
legacyImpersonationPolicy enabled
alwaysFlowImpersonationPolicy enabled
The following links give the description of both entries; in summary, these are the values they can take and the meaning of each one:
<legacyImpersonationPolicy enabled="true|false"/>
http://msdn.microsoft.com/en-us/library/ms229296.aspx

| Value | Description |
|-------|-------------|
| false | WindowsIdentity flows across asynchronous points depending upon the ExecutionContext flow settings for the current thread. |
| true | WindowsIdentity does not flow across asynchronous points, regardless of the ExecutionContext flow settings on the current thread. |

<alwaysFlowImpersonationPolicy enabled="true|false"/>
http://msdn.microsoft.com/en-us/library/ms229553.aspx

| Value | Description |
|-------|-------------|
| false | The Windows identity does not flow across asynchronous points, unless the impersonation is performed through managed methods such as Impersonate. |
| true | The Windows identity always flows across asynchronous points, regardless of how impersonation was performed. |

So, to impersonate in a multithreaded asynchronous scenario, we have to apply the following values to these two entries:
<legacyImpersonationPolicy enabled="false"/>
<alwaysFlowImpersonationPolicy enabled="true"/>
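
A way to check a server's config file against the two values above, as an added example that is not part of the original post. It assumes both elements sit under `<configuration>/<runtime>`; the function name `audit` and all sample files are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Values the post arrives at for impersonation across asynchronous calls.
EXPECTED = {"legacyImpersonationPolicy": "false",
            "alwaysFlowImpersonationPolicy": "true"}

def audit(xml_text):
    """Return a list of findings; an empty list means both settings match."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typical cause: typographic quotes pasted from a web page.
        return [f"not well-formed XML: {exc}"]
    # Assumption: both elements are children of <configuration>/<runtime>.
    runtime = root.find("runtime") if root.tag == "configuration" else None
    if runtime is None:
        return ["no <configuration>/<runtime> section"]
    findings = []
    for name, want in EXPECTED.items():
        elems = runtime.findall(name)  # XML element names are case-sensitive
        if not elems:
            findings.append(f"{name}: element missing (check spelling)")
        for elem in elems:
            got = (elem.get("enabled") or "").strip().lower()
            if got != want:
                findings.append(f"{name}: enabled={got!r}, expected {want!r}")
    return findings

# Constructed sample files, not taken from any real server.
WRAP = "<configuration><runtime>{}</runtime></configuration>"
FIXED = WRAP.format('<legacyImpersonationPolicy enabled="false"/>'
                    '<alwaysFlowImpersonationPolicy enabled="true"/>')
NOT_FLOWING = WRAP.format('<legacyImpersonationPolicy enabled="true"/>'
                          '<alwaysFlowImpersonationPolicy enabled="false"/>')
MISSPELLED = WRAP.format('<legacyImpresonationPolicy enabled="false"/>'
                         '<alwaysFlowImpersonationPolicy enabled="true"/>')
CURLY = WRAP.format('<legacyImpersonationPolicy enabled=\u201dfalse\u201d/>')

if __name__ == "__main__":
    # Usage: python audit_aspnet_config.py <path to the config file>
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FIXED
    for line in audit(data) or ["OK: both settings match"]:
        print(line)
```

A misspelled element name or typographic quotes around the attribute value are reported as findings instead of passing the check.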