Re: Design for ASP.Net w/ ComponentServices

From: nu-k-ar (nospam@plz.com)
Date: 11/28/02


From: "nu-k-ar" <nospam@plz.com>
Date: Thu, 28 Nov 2002 09:18:36 +0100


1.)
yes and no. the kerberos is only in the domain or trusted domain ( cause
the AD incorporated the KDC Kerberos Distribution Center - port 88 )
the other way is to proxy the Ticket-Granting-Service to the Outside World
and kerberize u're apps.
which is the intent of ws-security/SAML
there's a nice paper on that
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp

i guess somewhere behind that is trustbridge ( but not sure )
//snip
Another obstacle is that Kerberos delegation in a Win2K Web scenario works
only when the user uses Kerberos or Basic authentication to authenticate to
the Web server. If you prefer to use the more secure Digest authentication
protocol to authenticate your users to the Web server, you can't use
delegation. The Digest authentication protocol (which Microsoft Internet
Explorer-IE-5.0 and Microsoft Internet Information Services-IIS-5.0 and
later support) is a challenge-response authentication protocol that (unlike
Basic authentication) transmits the user's credentials in an encrypted
format across the HTTP connection. You also must keep in mind that you can
use Kerberos between a browser and a Web server only if the browser supports
Kerberos and can access the Kerberos KDC. The latter requirement is
clearly a problem in Internet scenarios: Few companies are willing to expose
their KDC to Internet users. Also, the only Kerberos-enabled Web browser is
IE 5.0 and later.

//snip from secadmin-link

but i'll guess u can use basic and impersonate the user in asp.net
u should give it a try, i'm using certificates

.net server should be a bit better about kerberos but requires a fully .net
server domain
http://www.secadministrator.com/Articles/Index.cfm?ArticleID=26450

2.) u can cloak the user ( com+ server with own Identity ) by default it
will cloak u're client and go to the remote resource with the identity of
the server
i use it a lot like this. ( for data snaps which are not dependent on any
user view or external communication with other systems )

i use with impersonation/delegation cause we have an sql-server with mandat
based on winnt-roles so i'll have to impersonate, from a web-service client
(outside the domain) which is truly a hack cause ws-security isn't so far
as it should be. and i do not have a fully win .net server domain... but it
runs @least ;)

.::[digital-fallout]::.

"Cenon Del Rosario" <cenonmin@ihug.com.au> wrote in message
news:en4gnAllCHA.1464@tkmsftngp07...
> Some questions:
> 1) Does this imply that the user accessing the ASP.Net system has to be
> using IE and Windows (We are looking for a way to do this regardless of the
> browser) ?
> 2) If this is the case, does it mean that we will have to impersonate the
> user on the ASP side when accessing the ServicedComponents ?
> 3) If this is still the case, is it then easier to design and use our own
> security system when doing checks at the ServicedComponent level ?
>
> Thanks.
>
> "nu-k-ar" <nospam@plz.com> wrote in message
> news:uewiX$flCHA.1216@tkmsftngp02...
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q325894
> >
> > By default, Microsoft Windows 2000 uses the Kerberos
> > protocol for authentication. The Kerberos protocol supports delegation and
> > resolves an NTLM authentication limitation from Microsoft Windows NT 4.0.
> > This article explains how to use delegation in Windows 2000 with COM+.
> >
> > http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q283201
> >
> >
> >
> > "Cenon Del Rosario" <cenonmin@ihug.com.au> wrote in message
> > news:ubsytrflCHA.1588@tkmsftngp02...
> > > I was wondering if anyone can suggest a design for using ASP.Net together
> > > with ServicedComponents particularly in the area of security between the
> > > two.
> > >
> > > Thank you.
> > >
> > >
> >
> >
>
>
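
An added example, not code from any poster in this thread: a ServicedComponent for the "COM+ server with its own identity" design from point 2, with the caller checked by COM+ role before the component touches data under the server identity. The application name `OrdersApp`, the role `OrderReaders` and the class `OrderReader` are hypothetical.

```csharp
// Added example; application, role and class names are hypothetical.
// ASP.NET side (web.config): <authentication mode="Windows"/> plus
// <identity impersonate="true"/> makes the page call the component as the
// browser user instead of the worker-process account.
using System;
using System.EnterpriseServices;

[assembly: ApplicationName("OrdersApp")]
// Server activation: the component runs in dllhost.exe under the identity
// configured for the COM+ application, not under the caller's token.
[assembly: ApplicationActivation(ActivationOption.Server)]
[assembly: ApplicationAccessControl(true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy,
    // Level this application grants to servers it calls. Identify lets them
    // see the application identity but not act as it.
    ImpersonationLevel = ImpersonationLevelOption.Identify)]
[assembly: SecurityRole("OrderReaders")]

namespace Example
{
    [ComponentAccessControl(true)]
    [SecurityRole("OrderReaders")]
    public class OrderReader : ServicedComponent
    {
        public string ReadSnapshot()
        {
            // Fail closed if role checks were switched off administratively.
            if (!ContextUtil.IsSecurityEnabled)
                throw new UnauthorizedAccessException("COM+ security is disabled");

            SecurityCallContext call = SecurityCallContext.CurrentCall;
            if (!call.IsCallerInRole("OrderReaders"))
                throw new UnauthorizedAccessException("caller not in OrderReaders");

            // DirectCaller is normally the impersonated user when ASP.NET
            // impersonates, otherwise the worker-process account. Record it
            // so access made under the server identity stays attributable.
            string caller = call.DirectCaller.AccountName;
            return "snapshot for " + caller;
        }
    }
}
```

The assembly has to be strong-named and registered as a COM+ application (for example with regsvcs) before the role checks take effect.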


