Level Extreme platform
Subscription
Corporate profile
Products & Services
Support
Legal
Français
Domain Security
Message
From
31/12/2011 04:42:03
Viv Phillips
Hay-On-Wye, United Kingdom
 
 
To
30/12/2011 19:30:31
Bonnie DeWitt
Geneva Systems Group
Ellensburg, Washington, United States
General information
Forum:
ASP.NET
Category:
Windows Communication Foundation (WCF)
Title:
Re: Domain Security
Environment versions
Environment:
C# 4.0
OS:
Windows Server 2008
Miscellaneous
Thread ID:
01531880
Message ID:
01531972
Views:
21
>>Speaking very generally, if you have something that works using IP addresses, and doesn't using NetBIOS machine names, you probably have a configuration problem with DNS.
>>
>>For Server 2003 and earlier, there are DNS best practices articles in the MSKB e.g. http://support.microsoft.com/kb/825036 .
>>
>>I see there is now a DNS Best Practices Analyzer for Server 2008/R2: http://technet.microsoft.com/en-us/library/dd391963(WS.10).aspx . I've never used it, but it might be worth running to see what it suggests in your environment.
>>
>>It's nice to know you can potentially fall back to using IP addresses at client sites, but I'd be inclined to put a little effort into getting it to work with machine names. If DNS is misconfigured it might come back to bite you later, in some fashion that can't be worked around like that. You could also look like a hero to your clients by introducing them to the BPA.
>
>I don't know if we have DNS problems or not. Keep in mind that this is our test environment, which we've configured using a bunch of VMs. Our Domain Controller is being run on a Server 2003 VM, but all our other VMs are Server 2008 R2. I didn't participate in any of the configuration.
>
>We plan to deploy our software on VMs. I'll admit I don't know much about this topic I'm about to describe, but our thinking on this (and it's actually Gary's thinking, not mine ... hopefully he knows more than I) has to do with clustering VMs. Our first customer doesn't have a lot of agencies, so there will be little in the way of messaging traffic and so clustering won't be an issue on our first installation (due in a couple of months), but for larger customers (if we ever get any <g>), they may want to cluster a set of VMs. I understand that the way this works is that there's only 1 IP address but many VMs (which all originate from the same "template"), and then using either hardware or software switching, messages get routed to different VMs. Again, I don't really know what I'm talking about ... I probably got the terminology all wrong. But we're thinking that because of this VM clustering, that IP addresses are better to use than machine names (which I didn't know when I first started testing this stuff with machine names and posted my question here ... I should have been using IPs all along).

Hi,
I see you have a solution that you are happy with (although I'm inclined to agree with Al) so please feel free to let the subject drop but I'm still curious about this. If I understand correctly then the implication is that by specifying the server endpoint address as an IP address rather than a machine name the server was able to authenticate the client. I just can't see how that would have helped - the server itself would be no wiser than it was before....

Again out of curiousity: From the above it appears that you are using clustering primarily for load balancing rather than just for failover purposes. I've always thought of that scenario as more applicable to internet bases apps. If this is an *intranet* app then presumably the WCF service has some pretty hefty lifting to do (or there's one heck of a big intranet) ?

Don't suppose you considered pushing the whole thing out to the cloud to avoid all the problems associated with configuring your own clustering setup :-}

>~~Bonnie
>
>
>>
>>>SOLVED!
>>>
>>>I had read on some web page somewhere that this isn't a problem if you use IPs in your service address instead of machine name. I don't know why that should make a difference, but I changed all my addresses to use an IP and voila! the problem disappeared! This is fine, because we're using fixed IP addresses for our VMs and whenever we eventually install our products, our clients will likewise be using fixed IPs.
>>>
>>>Can anyone poke any holes in this or does this sound like the correct way to go ...
>>>
>>>~~Bonnie
>>>
>>>
>>>
>>>
>>>>AFAIK, yes. I don't think that the client attempts to authenticate the server.
>>>>IAC, I suppose specifying the username of the currently logged in user in the config wouldn't have changed the behaviour anyway
>>>>
>>>>Few thoughts (which may be a red herrings) :
>>>>
>>>>(a) In your OP you said that it worked when logged on to the client machine using a local 'Administrator' account. Were the account names *and* passwords identical on both the client and the server? Only ask because, thinking back to .NET remoting, this scenario would result in the server accepting the authentication without any reference to the domain. If the passwords were the same then it might be worth trying with different passwords. If that fails it will at least explain why the original was working.
>>>>
>>>>(b) Are you sure that the problem is not with the domain/ADS itself rather than specific to WCF ?
>>>>
>>>>(c) You could try using the service trace log to get more insight into the problem.....
>>>>
>>>>(d) One thing I'd probably try:
>>>>Fire up the service then use a VS project on a client machine to see if you can add a service reference there via the wizard.
Previous
Next
Reply
Map
View

Click here to load this message in the networking platform