Wednesday, April 24, 2013

FileNet CE Service Client for Kerberos

Implementing Kerberos for the FileNet CE service is more complicated than I thought. That's the reason I put together a set of rules for creating a client to access the CE Web Service. The scope of this post is creating a .NET web app that accesses the CE Web Service. It does not cover server-side Kerberos configuration.

Application Pool setup:
·         Managed Pipeline Mode: Integrated
·         Identity: NetworkService

Enable Windows Authentication on IIS App:
·         In IIS, double-click the Authentication icon.
·         Enable Windows Authentication. Disable all other authentication types.

Add the entries below to web.config (inside the system.web element):
·         <authentication mode="Windows" />
·         <identity impersonate="true" />

The server on which the ASP.NET app runs must have delegation enabled.
·         When using the "Active Directory Users and Computers" tool, the steps are as follows:
o   Locate the server in the domain tree (or use Find) and open its Properties window.
o   Open the Delegation tab.
o   Enable the "Trust this computer for delegation to any service (Kerberos only)" option, or be more specific and select "Trust this computer for delegation to specified services only > Use Kerberos only" and then add some targets.
Note: The above operation must be performed by a domain admin.
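
Added example (not part of the original post): a PowerShell check that reports which of the Delegation tab options above a computer account actually carries, based on its userAccountControl flags and msDS-AllowedToDelegateTo attribute. The function name Get-DelegationMode is hypothetical, and the host names, SPNs and sample values are constructed.

```powershell
# Flag values from the Active Directory userAccountControl attribute.
$TRUSTED_FOR_DELEGATION         = 0x80000    # "any service (Kerberos only)"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

function Get-DelegationMode {
    param(
        [Parameter(Mandatory)] [int] $UserAccountControl,
        [string[]] $AllowedToDelegateTo = @()
    )
    # Drop empty entries so a blank attribute counts as "no targets".
    $targets = @($AllowedToDelegateTo | Where-Object { $_ })

    # Unconstrained delegation wins: the host may delegate to any service.
    if ($UserAccountControl -band $TRUSTED_FOR_DELEGATION) {
        return 'Unconstrained: any service (Kerberos only)'
    }
    if ($targets.Count -gt 0) {
        if ($UserAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
            return 'Constrained: specified services, any authentication protocol'
        }
        return 'Constrained: specified services, Kerberos only'
    }
    return 'None: not trusted for delegation'
}

# Constructed samples. 0x1000 is WORKSTATION_TRUST_ACCOUNT, the base flag
# on a member server's computer account.
$spn = 'HTTP/ceserver.example.test'   # placeholder target SPN
$samples = @(
    [pscustomobject]@{ Name = 'WEB01'; Uac = 0x1000;    Targets = @() }
    [pscustomobject]@{ Name = 'WEB02'; Uac = 0x81000;   Targets = @() }
    [pscustomobject]@{ Name = 'WEB03'; Uac = 0x1000;    Targets = @($spn) }
    [pscustomobject]@{ Name = 'WEB04'; Uac = 0x1001000; Targets = @($spn) }
)
foreach ($s in $samples) {
    $mode = Get-DelegationMode -UserAccountControl $s.Uac -AllowedToDelegateTo $s.Targets
    '{0,-6} {1}' -f $s.Name, $mode
}

# Against a live domain (ActiveDirectory module; WEB01 is a placeholder):
# $c = Get-ADComputer WEB01 -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
# Get-DelegationMode -UserAccountControl $c.userAccountControl `
#     -AllowedToDelegateTo $c.'msDS-AllowedToDelegateTo'
```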


IE browser settings:
·         Enable Windows Authentication:
o   Tools > Internet Options > Advanced
o   Under Security Section, check Enable Integrated Windows Authentication.

·         Add CE Server in trusted Sites:
o   Tools > Internet Options > Security > Local Intranet
o   Click on Sites. In the popup window, click the Advanced button. Add the CE Server name: http://<CE Server Name>

Code to Add Kerberos Token:
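Send a Kerberos ticket along with every request. Below is sample code for this.
    // SoapContext and KerberosToken are WSE types (Microsoft.Web.Services3.* if WSE 3.0 is used)
    SoapContext soapContext = Binding.RequestSoapContext;
    // Delete tokens if they already exist
    if (soapContext.Security.Tokens.Count > 0) {
        soapContext.Security.Tokens.Clear();
    }
    String spnName = "<>"; // target service principal name
    SecurityToken token = new KerberosToken(spnName);
    // Attach the Kerberos token to the outgoing request
    soapContext.Security.Tokens.Add(token);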


  1. Hi,
    I am implementing same but getting error "WSE594: InitializeSecurityContext call failed with the following error message: A specified logon session does not exist. It may already have been terminated". Any idea?

  2. Hi Eswar. We configured Kerberos for CPE and it is working fine. Do we need to enable Kerberos for IIS account as well?