Friday, October 22, 2010

Microsoft WSE Kerberos: "An invalid security token was provided"

There is one WSE-secured service which is authenticated using a Kerberos token. One day, I got this error: “An invalid security token was provided”.

The error is very general; it means the TGT ticket is somehow invalid. It could be caused by time inconsistency, host mismatch, or tons of other reasons.

So how do you get more detail about the error, like the COM return code?
Run Cordbg and attach to the w3wp process. Turn on unhandled exception catching.

ca e
a xxxxx
print $exception


Print the inner exception:

p $exception._innerException


Here we get the detailed error.

The incoming Kerberos service ticket could not be validated. The LsaLogonUser call failed with the following message: The trust relationship between this workstation and the primary domain failed.
From the WSE manual, you can see that the reason is that the Kerberos target host name does not match the host name of the Web service that receives the SOAP message. Change the target host name to match the host name of the Web service.

You may try rejoining the server to the domain. For me, that’s because the client sent two TGT tokens.

WSE 2 SP1 thinks it is fine for one SOAP message to carry two TGT tokens. SP3 will deny the request and throw the above error.
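
The cause described above, one SOAP request carrying two Kerberos tokens, can be confirmed from a captured request before touching the server. This is an added example, not code from the original post; it assumes the tokens travel as `BinarySecurityToken` elements inside the WS-Security header with a `ValueType` containing "Kerberos", and the sample envelope and its `ValueType` strings are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one Security header carrying two Kerberos tokens.
# Token bodies are placeholders and the ValueType strings are assumed.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">
  <soap:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken ValueType="wsse:Kerberosv5ST">PLACEHOLDER-1</wsse:BinarySecurityToken>
      <wsse:BinarySecurityToken ValueType="wsse:Kerberosv5ST">PLACEHOLDER-2</wsse:BinarySecurityToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def local(tag):
    """Strip the '{namespace}' prefix so the check works across WSS drafts."""
    return tag.rsplit("}", 1)[-1]


def kerberos_tokens(envelope_xml):
    """Return Kerberos BinarySecurityToken elements found in the SOAP header."""
    # Only feed this captures you trust: ElementTree does not limit entity expansion.
    root = ET.fromstring(envelope_xml)
    found = []
    for header in (c for c in root if local(c.tag) == "Header"):
        for sec in (c for c in header if local(c.tag) == "Security"):
            for tok in sec.iter():
                # Assumption: Kerberos tokens are recognisable by ValueType.
                if (local(tok.tag) == "BinarySecurityToken"
                        and "kerberos" in tok.get("ValueType", "").lower()):
                    found.append(tok)
    return found


def check_request(envelope_xml):
    """Classify a captured request by how many Kerberos tokens it carries."""
    count = len(kerberos_tokens(envelope_xml))
    if count == 0:
        return "no-kerberos-token"
    return "ok" if count == 1 else f"duplicate-kerberos-tokens:{count}"


if __name__ == "__main__":
    print(check_request(SAMPLE))
```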
