Re: Access denied ( From one site to another, that is in another server)

From: Gabriela De Feo (gdefeo@rmya.com.ar)
Date: 01/22/03


From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
Date: Wed, 22 Jan 2003 10:47:45 -0300


Do I have to configure something more?

Or is it enough to configure the security of the sites? (Site .NET, Basic
Authentication ----> Site ASP, Windows Authentication)

What do I have to use to obtain an XML from an ASP page? XMLDomDocument,
HTTPRequest, or is there something different? Remember that the ASP page
belongs to the site that has Windows Authentication.

"Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message
news:MLyorWawCHA.2148@cpmsftngxa08...
> Gabriela,
> Yes you can delegate the token using Basic Authentication. So your
> scenario should work.
>
>
> Thanks,
> Bassel Tabbara
> Microsoft, ASP.NET
>
> This posting is provided "AS IS", with no warranties, and confers no
> rights.
>
>
> --------------------
> | From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
> | References: <OmlZ7lWwCHA.1624@TK2MSFTNGP11>
> <Ld$1RkXwCHA.2600@cpmsftngxa06> <eJq4PJYwCHA.2680@TK2MSFTNGP09>
> <YI8cZrYwCHA.1128@cpmsftngxa08>
> | Subject: Re: Access denied ( From one site to another, that is in another server)
> | Date: Tue, 21 Jan 2003 18:26:49 -0300
> | Lines: 310
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> | Message-ID: <ev55wOZwCHA.2476@TK2MSFTNGP10>
> | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | NNTP-Posting-Host: 200.80.152.106
> | Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP10
> | Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3719
> | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> |
> | If instead of configuring the ASP.NET Application for Windows
> | Authentication, I configure it for Basic Authentication, can I avoid using
> | Kerberos and use something simpler?
> |
> | The scenario would look like this:
> |
> | Site .Net (Basic Authentication) ------> Site asp (Windows Authentication)
> |
> |
> | "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message
> | news:YI8cZrYwCHA.1128@cpmsftngxa08...
> | > Steps to configure an ASP.NET / IIS delegation
> | > scenario:
> | >
> | > - check the "Enable Integrated Windows Authentication (requires restart)"
> | > option in the Tools - Internet Options - Advanced Tab
> | >
> | > This setting enables Internet Explorer to respond to a negotiate challenge
> | > and perform Kerberos authentication. If not running on Windows 2000
> | > or higher, Internet Explorer does not respond to a negotiate challenge and
> | > defaults to NTLM (or Windows NT Challenge/Response) authentication even if
> | > the Enable Integrated Windows Authentication (requires restart) check box
> | > is selected, because this feature requires Windows 2000 or higher.
> | >
> | > NOTE: Administrators can enable Integrated Windows Authentication by
> | > setting the EnableNegotiate DWORD value to 1 in the following registry key:
> | > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
> | > There are some issues where Kerberos may fail on the Internet Explorer
> | > client. See the following articles in the Microsoft
> | > Knowledgebase:
> | >
> | > - 321728: Internet Explorer Does Not Support Kerberos Authentication
> | > - 325608: PRB: Authentication Delegation Through Kerberos Does Not Work
> | > - 280830: Kerberos Authentication May Not Work If User Is in Many Groups
> | > - 264921: INFO: How IIS Authenticates Browser Clients
> | >
> | > 2. Web Server (IIS 5.0 or higher):
> | >
> | > a. ASP.NET Application - Windows Authentication and
> | > Impersonation:
> | >
> | > - configured for Windows Authentication
> | >
> | > -IIS Management Console
> | >
> | > -turn off Anonymous access, Basic and Digest authentication for the
> | > application
> | >
> | > To configure a web application for Windows authentication open the Internet
> | > Information Services tool, expand the Default Web Sites node, right-click
> | > your web application, goto Properties, choose Directory Security, click the
> | > Edit button for Anonymous access and authentication control and turn off
> | > Anonymous access, Basic and Digest authentication for the application.
> | >
> | > NOTE: Internet Explorer will always pick the first authentication scheme if
> | > given the option of choosing from multiple authentication schemes. For
> | > example, if Anonymous authentication is enabled and listed before Windows
> | > Authentication, Internet Explorer will try to authenticate anonymously. If
> | > this fails it picks the next authentication method and tries to
> | > authenticate with Windows authentication.
> | >
> | > - web.config file
> | >
> | > -<allow users="*" /> and
> | > <deny users="?" /> in the <configuration> section
> | > - <authentication mode="Windows" /> in the <system.web> section
> | >
> | > - configured for Impersonation
> | >
> | > - <identity impersonate="true" /> in the web.config file
> | >
> | > -306158: INFO: Implementing Impersonation in an ASP.NET
> | > http://support.microsoft.com/?id=306158
> | > -317012: INFO: Process and Request Identity in
> | > http://support.microsoft.com/?id=317012
> | > -315736: HOW TO: Secure an ASP.NET Application by Using
> | > http://support.microsoft.com/?id=315736
> | >
> | > b. Active Directory - Delegation:
> | >
> | > Delegation has to be enabled on all machines participating in Kerberos
> | > Delegation; it can be configured in the Active Directory tools.
> | >
> | > - Active Directory Users and Computers tool
> | >
> | > - machine is "trusted for delegation"
> | >
> | > To configure a computer as trusted for delegation, open the Active
> | > Directory Computers tool, expand the Domain Name node, expand the
> | > Computers node, right-click the computer you want to configure, choose
> | > Properties from the context menu and check the Computer is Trusted for
> | > Delegation option.
> | >
> | > - Active Directory Users and Groups tool
> | >
> | > - delegating account is "trusted for delegation"
> | >
> | > By default, the Aspnet_wp.exe process runs under a computer account named
> | > ASPNET. To verify that the application account can act as a delegate, open
> | > the Active Directory Users And Groups tool, right-click the User object in
> | > question, choose Properties from the context menu, click the account menu,
> | > scroll down until you see Account Is Trusted for Delegation in the Account
> | > Options box. Make sure the option is checked.
> | >
> | > NOTE: You do not need to perform this step if the service is running as
> | > LocalSystem because this account automatically supports the trusted for
> | > delegation capability. Running ASP.NET as LocalSystem (userName = "SYSTEM"
> | > in the <processModel> section in the machine.config file) is by default
> | > "trusted for delegation".
> | >
> | > - accounts to be delegated (domain users) are not marked as "sensitive and
> | > cannot be delegated"
> | >
> | > To verify the user's account can be delegated, open the Active Directory
> | > Users and Groups tool, right-click the User object in question, choose
> | > Properties from the context menu, click the Account tab, scroll down until
> | > you see Account Is Sensitive And Cannot Be Delegated in the Account
> | > Options box. Make sure the option is not checked.
> | >
> | > See the following article in the Microsoft Knowledgebase:
> | >
> | > 325894: HOW TO: Set Computer/User Accounts to Be
> | > http://support.microsoft.com/?id=325894
> | >
> | > Thanks,
> | > Bassel Tabbara
> | > Microsoft, ASP.NET
> | >
> | > This posting is provided "AS IS", with no warranties, and confers no
> | > rights.
> | >
> | > --------------------
> | > | From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
> | > | References: <OmlZ7lWwCHA.1624@TK2MSFTNGP11>
> | > <Ld$1RkXwCHA.2600@cpmsftngxa06>
> | > | Subject: Re: Access denied ( From one site to another, that is in another server)
> | > | Date: Tue, 21 Jan 2003 16:22:25 -0300
> | > | Lines: 329
> | > | MIME-Version: 1.0
> | > | Content-Type: multipart/alternative;
> | > | boundary="----=_NextPart_000_005E_01C2C169.4904BF90"
> | > | X-Priority: 3
> | > | X-MSMail-Priority: Normal
> | > | X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
> | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> | > | Message-ID: <eJq4PJYwCHA.2680@TK2MSFTNGP09>
> | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | > | NNTP-Posting-Host: 200.80.152.106
> | > | Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP09
> | > | Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3716
> | > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> | > |
> | > | Hello Bassel, first of all I want to tell you thank you very much for
> | > | responding to me so soon.
> | > | The url of the first article that you sent me is wrong. I couldn't
> | > | access it.
> | > | I will tell you more about the context of my problem so that you can
> | > | help me more.
> | > | My web application needs to authenticate every user, therefore I'm
> | > | using Integrated Windows Authentication.
> | > | The machine.config has
> | > | <processModel enable="true" timeout="Infinite" idleTimeout="Infinite"
> | > | shutdownTimeout="0:00:05" requestLimit="Infinite" requestQueueLimit="5000"
> | > | restartQueueLimit="10" memoryLimit="60" webGarden="false"
> | > | cpuMask="0xffffffff" userName="SYSTEM" password="AutoGenerate"
> | > | logLevel="Errors" clientConnectedCheck="0:00:05"
> | > | comAuthenticationLevel="Connect" comImpersonationLevel="Impersonate"
> | > | responseRestartDeadlockInterval="00:09:00"
> | > | responseDeadlockInterval="00:03:00" maxWorkerThreads="25"
> | > | maxIoThreads="25"/>
> | > | The web.config has
> | > | <authentication mode="Windows" />
> | > | <authorization>
> | > | <allow users="*" />
> | > | <deny users="?"/>
> | > | </authorization>
> | > | <identity impersonate="true"/>
> | > | I am trying to access the Project Server site, which is in another
> | > | server and has Integrated Windows Authentication. This site has to return
> | > | an XML.
> | > | As you tell me I need to delegate security, but I don't know how.
> | > | If you can help me to do it I will appreciate it.
> | > | Gaby
> | > | "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message
> | > | news:Ld$1RkXwCHA.2600@cpmsftngxa06...
> | > | > Hello Gabriela,
> | > | > You are running into a delegation issue here. Delegation is the next
> | > | > step up from impersonation. Rather than just being able to access local
> | > | > resources on behalf of the client, delegation supports the accessing of
> | > | > remote resources on behalf of the client. When you are trying to access
> | > | > from one server to get to another server, the account credentials must
> | > | > be passed along so you can access the document on the second server.
> | > | >
> | > | > When users browse to an ASP.NET Web site, they request that some code
> | > | > run on the server. All processes run within the security context of a
> | > | > specific account. By default, the ASP.NET engine runs under the aspnet
> | > | > account. This account has access to the IIS server computer but is not
> | > | > allowed to access shared folders on other computers. Therefore, you
> | > | > must configure the IIS computer so that it uses an account other than
> | > | > the aspnet account.
> | > | >
> | > | > After IIS is set to run under another account, you must give that
> | > | > account permission to all of the files and folders that are needed to
> | > | > use the remote Access database.
> | > | >
> | > | > The following article describes thoroughly the steps needed to allow
> | > | > you to access the remote resource.
> | > | > 810572 HOW TO: Setup an IIS / ASP.NET Delegation Scenario
> | > | > http://support.microsoft.com/?id=810572
> | > | >
> | > | > 306158 INFO: Implementing Impersonation in an ASP.NET Application
> | > | > http://support.microsoft.com/?id=306158
> | > | > The section entitled "Impersonate the Authenticating User in Code"
> | > | > might be beneficial to you.
> | > | >
> | > | >
> | > | > Thanks,
> | > | > Bassel Tabbara
> | > | > Microsoft, ASP.NET
> | > | >
> | > | > This posting is provided "AS IS", with no warranties, and confers no
> | > | > rights.
> | > | >
> | > | >
> | > | > --------------------
> | > | > | From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
> | > | > | Subject: Access denied ( From one site to another, that is in another server)
> | > | > | Date: Tue, 21 Jan 2003 13:24:40 -0300
> | > | > | Lines: 72
> | > | > | MIME-Version: 1.0
> | > | > | Content-Type: multipart/alternative;
> | > | > | boundary="----=_NextPart_000_002C_01C2C150.7458DB40"
> | > | > | X-Priority: 3
> | > | > | X-MSMail-Priority: Normal
> | > | > | X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
> | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> | > | > | Message-ID: <OmlZ7lWwCHA.1624@TK2MSFTNGP11>
> | > | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | > | > | NNTP-Posting-Host: 200.80.152.106
> | > | > | Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP11
> | > | > | Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3707
> | > | > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> | > | > |
> | > | > | Both web sites have Integrated Windows Authentication.
> | > | > | If I try to connect from my site to another that is in another
> | > | > | server I get "Access denied".
> | > | > | If the second site is in the same server, I can connect correctly.
> | > | > | Note: The second site is not in a Dotnet Framework
> | > | > | The code is as follows:
> | > | > | Dim sURL As String = "http://srv01/projectserver/LgnIntAu.asp"
> | > | > | Dim oXMLDocument As XmlDocument
> | > | > | oXMLDocument = New XmlDocument()
> | > | > | oXMLDocument.Load(sURL)
> | > | > | Please Help me !!!!!
> | > | > | Thanks
> | > | > |
> | > | >
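Added example, not code from the thread or from either poster: a VB.NET (Framework 1.x API only) version of the call in the original post that answers the "XMLDomDocument or HTTPRequest?" question by doing the fetch both ways while forwarding the identity the ASP.NET request currently runs under. The class and method names are this example's own; the URL is the one quoted in the original post; `CredentialCache.DefaultCredentials`, `XmlUrlResolver` and `HttpWebRequest` are real Framework types.

```vbnet
Imports System
Imports System.Net
Imports System.Security.Principal
Imports System.Xml

' Added example (not from the thread). Fetches the XML that an ASP page on a
' second, Windows-authenticated server returns, sending the identity the
' current ASP.NET request runs under instead of an anonymous request.
' Class and method names are this example's own; the URL is the one quoted in
' the original post.
Public Class RemoteXmlFetcher

    ' XmlDocument.Load(url) fetches the URL through the document's XmlResolver,
    ' and a fresh XmlUrlResolver carries no credentials, so the remote site sees
    ' an anonymous request and answers 401 ("Access denied"). Assigning
    ' DefaultCredentials makes the resolver authenticate as the thread identity,
    ' which under <identity impersonate="true"/> is the browsing user.
    Public Shared Function LoadAsCurrentUser(ByVal url As String) As XmlDocument
        Dim resolver As New XmlUrlResolver()
        resolver.Credentials = CredentialCache.DefaultCredentials

        Dim doc As New XmlDocument()
        doc.XmlResolver = resolver
        doc.Load(url)
        Return doc
    End Function

    ' Same fetch with an explicit HttpWebRequest, the other option the poster
    ' asked about. A 401 here, after credentials were sent, means the token could
    ' not be used on the second hop (an NTLM network token, or Kerberos without
    ' the delegation settings listed earlier in the thread), so the error names
    ' the identity that was presented.
    Public Shared Function LoadViaHttpRequest(ByVal url As String) As XmlDocument
        Dim request As HttpWebRequest = CType(WebRequest.Create(url), HttpWebRequest)
        request.Method = "GET"
        request.Credentials = CredentialCache.DefaultCredentials

        Dim response As HttpWebResponse = Nothing
        Try
            response = CType(request.GetResponse(), HttpWebResponse)
            Dim doc As New XmlDocument()
            doc.Load(response.GetResponseStream())
            Return doc
        Catch ex As WebException
            Dim failed As HttpWebResponse = CType(ex.Response, HttpWebResponse)
            If (Not failed Is Nothing) AndAlso failed.StatusCode = HttpStatusCode.Unauthorized Then
                Throw New ApplicationException( _
                    "HTTP 401 from " & url & " while running as '" & _
                    WindowsIdentity.GetCurrent().Name & _
                    "': the identity was sent but not accepted on the second server.", ex)
            End If
            Throw
        Finally
            If Not response Is Nothing Then response.Close()
        End Try
    End Function

    ' Drop-in replacement for the three lines in the original post.
    Public Shared Function LoadProjectServerLogin() As XmlDocument
        Dim sURL As String = "http://srv01/projectserver/LgnIntAu.asp"
        Return LoadAsCurrentUser(sURL)
    End Function
End Class
```

Two things to check if the 401 persists after this change. First, which identity `WindowsIdentity.GetCurrent().Name` reports in the error: if it is the process account rather than the browsing user, impersonation is not in effect for that request. Second, how that identity was obtained on the first hop: a token from Basic authentication carries the user's password and can authenticate to the second server on its own, which is why the reply above says Basic makes the scenario work; an NTLM token cannot leave the first machine; a Kerberos token can only be forwarded when the computer and service accounts are trusted for delegation and the user is not marked sensitive, as in the steps quoted above.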


