Re: Access denied ( From one site to another, that is in another server)

From: Bassel Tabbara [MSFT] (basselt@online.microsoft.com)
Date: 01/22/03


From: basselt@online.microsoft.com (Bassel Tabbara [MSFT])
Date: Wed, 22 Jan 2003 15:19:36 GMT


Hello Gabriela,
You don't need to configure anything more for the scenario of basic
authentication. In fact, Basic and Windows Integrated allow delegation, but
you need to impersonate the user as I described in my previous post.
For reading an XML file, you can use the XMLDomDocument with the proper
permission to the file that you are reading.

Thanks,
Bassel Tabbara
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.

--------------------
| From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
| References: <OmlZ7lWwCHA.1624@TK2MSFTNGP11> <Ld$1RkXwCHA.2600@cpmsftngxa06>
| <eJq4PJYwCHA.2680@TK2MSFTNGP09> <YI8cZrYwCHA.1128@cpmsftngxa08>
| <ev55wOZwCHA.2476@TK2MSFTNGP10> <MLyorWawCHA.2148@cpmsftngxa08>
| Subject: Re: Access denied ( From one site to another, that is in another server)
| Date: Wed, 22 Jan 2003 10:47:45 -0300
| Lines: 395
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
| Message-ID: <#xK45yhwCHA.2652@TK2MSFTNGP11>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| NNTP-Posting-Host: 200.80.152.106
| Path: cpmsftngxa08!cppssbbsa01.microsoft.com!TK2MSFTNGP08!TK2MSFTNGP11
| Xref: cpmsftngxa08 microsoft.public.dotnet.framework.aspnet.security:3757
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
|
| Do I have to configure something more?
|
| Or is it enough configuring the security of the sites? (Site .NET, Basic
| Authentication---->Site ASP, Windows Authentication)
|
| What do I have to use to obtain an XML from an ASP page? XMLDomDocument,
| HTTPRequest, or is there something different? Remember that the ASP page
| belongs to the site that has Windows Authentication.
|
|
|
|
|
| "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message
| news:MLyorWawCHA.2148@cpmsftngxa08...
| > Gabriela,
| > Yes you can delegate the token using Basic Authentication. So your
| > scenario should work.
| >
| >
| > Thanks,
| > Bassel Tabbara
| > Microsoft, ASP.NET
| >
| > This posting is provided "AS IS", with no warranties, and confers no rights.
| >
| >
| > --------------------
| > | From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
| > | References: <OmlZ7lWwCHA.1624@TK2MSFTNGP11> <Ld$1RkXwCHA.2600@cpmsftngxa06>
| > | <eJq4PJYwCHA.2680@TK2MSFTNGP09> <YI8cZrYwCHA.1128@cpmsftngxa08>
| > | Subject: Re: Access denied ( From one site to another, that is in another server)
| > | Date: Tue, 21 Jan 2003 18:26:49 -0300
| > | Lines: 310
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
| > | Message-ID: <ev55wOZwCHA.2476@TK2MSFTNGP10>
| > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| > | NNTP-Posting-Host: 200.80.152.106
| > | Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP10
| > | Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3719
| > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
| > |
| > | If instead of configuring the ASP.NET application for Windows
| > | Authentication, I configure it for Basic Authentication, can I avoid using
| > | Kerberos and use something simpler?
| > |
| > | The scenario would look like this:
| > |
| > | Site .Net (Basic Authentication) ------> Site asp (Windows Authentication)
| > |
| > |
| > | "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message
| > | news:YI8cZrYwCHA.1128@cpmsftngxa08...
| > | > Steps to configure an ASP.NET / IIS delegation scenario:
| > | >
| > | > - check the "Enable Integrated Windows Authentication (requires restart)"
| > | > option in the Tools - Internet Options - Advanced Tab
| > | >
| > | > This setting enables Internet Explorer to respond to a negotiate challenge
| > | > and perform Kerberos authentication. If not running on Windows 2000 or
| > | > higher, Internet Explorer does not respond to a negotiate challenge and
| > | > defaults to NTLM (or Windows NT Challenge/Response) authentication even if
| > | > the Enable Integrated Windows Authentication (requires restart) check box
| > | > is selected, because this feature requires Windows 2000 or higher.
| > | >
| > | > NOTE: Administrators can enable Integrated Windows Authentication by
| > | > setting the EnableNegotiate DWORD value to 1 in the following registry key:
| > | > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
| > | >
| > | > There are some issues where Kerberos may fail on the Internet Explorer
| > | > client. See the following articles in the Microsoft Knowledgebase:
| > | >
| > | > - 321728: Internet Explorer Does Not Support Kerberos Authentication
| > | > - 325608: PRB: Authentication Delegation Through Kerberos Does Not Work
| > | > - 280830: Kerberos Authentication May Not Work If User Is in Many Groups
| > | > - 264921: INFO: How IIS Authenticates Browser Clients
| > | >
| > | > 2. Web Server (IIS 5.0 or higher):
| > | >
| > | > a. ASP.NET Application - Windows Authentication and Impersonation:
| > | >
| > | > - configured for Windows Authentication
| > | >
| > | > - IIS Management Console
| > | >
| > | > - turn off Anonymous access, Basic and Digest authentication for the
| > | > application
| > | >
| > | > To configure a web application for Windows authentication, open the
| > | > Internet Information Services tool, expand the Default Web Sites node,
| > | > right-click your web application, go to Properties, choose Directory
| > | > Security, click the Edit button for Anonymous access and authentication
| > | > control, and turn off Anonymous access, Basic and Digest authentication
| > | > for the application.
| > | >
| > | > NOTE: Internet Explorer will always pick the first authentication scheme
| > | > if given the option of choosing from multiple authentication schemes. For
| > | > example, if Anonymous authentication is enabled and listed before Windows
| > | > Authentication, Internet Explorer will try to authenticate anonymously. If
| > | > this fails it picks the next authentication method and tries to
| > | > authenticate with Windows authentication.
| > | >
| > | > - web.config file
| > | >
| > | > - <allow users="*" /> and <deny users="?" /> in the <configuration> section
| > | > - <authentication mode="Windows" /> in the <system.web> section
| > | >
| > | > - configured for Impersonation
| > | >
| > | > - <identity impersonate="true" /> in the web.config file
| > | >
| > | > - 306158: INFO: Implementing Impersonation in an ASP.NET
| > | > http://support.microsoft.com/?id=306158
| > | > - 317012: INFO: Process and Request Identity in
| > | > http://support.microsoft.com/?id=317012
| > | > - 315736: HOW TO: Secure an ASP.NET Application by Using
| > | > http://support.microsoft.com/?id=315736
| > | >
| > | > b. Active Directory - Delegation:
| > | >
| > | > Delegation has to be enabled on all machines participating in Kerberos
| > | > Delegation; it can be configured in the Active Directory tools.
| > | >
| > | > - Active Directory Users and Computers tool
| > | >
| > | > - machine is "trusted for delegation"
| > | >
| > | > To configure a computer as trusted for delegation, open the Active
| > | > Directory Computers tool, expand the Domain Name node, expand the
| > | > Computers node, right-click the computer you want to configure, choose
| > | > Properties from the context menu and check the Computer is Trusted for
| > | > Delegation option.
| > | >
| > | > - Active Directory Users and Groups tool
| > | >
| > | > - delegating account is "trusted for delegation"
| > | >
| > | > By default, the Aspnet_wp.exe process runs under a computer account named
| > | > ASPNET. To verify that the application account can act as a delegate,
| > | > open the Active Directory Users And Groups tool, right-click the User
| > | > object in question, choose Properties from the context menu, click the
| > | > account menu, scroll down until you see Account Is Trusted for Delegation
| > | > in the Account Options box. Make sure the option is checked.
| > | >
| > | > NOTE: You do not need to perform this step if the service is running as
| > | > LocalSystem because this account automatically supports the trusted for
| > | > delegation capability. Running ASP.NET as LocalSystem (userName = "SYSTEM"
| > | > in the <processModel> section in the machine.config file) is by default
| > | > "trusted for delegation".
| > | >
| > | > - accounts to be delegated (domain users) are not marked as "sensitive
| > | > and cannot be delegated"
| > | >
| > | > To verify the user's account can be delegated, open the Active Directory
| > | > Users and Groups tool, right-click the User object in question, choose
| > | > Properties from the context menu, click the Account tab, scroll down
| > | > until you see Account Is Sensitive And Cannot Be Delegated in the Account
| > | > Options box. Make sure the option is not checked.
| > | >
| > | > See the following article in the Microsoft Knowledgebase:
| > | >
| > | > 325894: HOW TO: Set Computer/User Accounts to Be
| > | > http://support.microsoft.com/?id=325894
| > | >
| > | > Thanks,
| > | > Bassel Tabbara
| > | > Microsoft, ASP.NET
| > | >
| > | > This posting is provided "AS IS", with no warranties, and confers no rights.
| > | >
| > | > --------------------
| > | > | From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
| > | > | References: <OmlZ7lWwCHA.1624@TK2MSFTNGP11> <Ld$1RkXwCHA.2600@cpmsftngxa06>
| > | > | Subject: Re: Access denied ( From one site to another, that is in another server)
| > | > | Date: Tue, 21 Jan 2003 16:22:25 -0300
| > | > | Lines: 329
| > | > | MIME-Version: 1.0
| > | > | Content-Type: multipart/alternative;
| > | > | boundary="----=_NextPart_000_005E_01C2C169.4904BF90"
| > | > | X-Priority: 3
| > | > | X-MSMail-Priority: Normal
| > | > | X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
| > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
| > | > | Message-ID: <eJq4PJYwCHA.2680@TK2MSFTNGP09>
| > | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| > | > | NNTP-Posting-Host: 200.80.152.106
| > | > | Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP09
| > | > | Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3716
| > | > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
| > | > |
| > | > | Hello Bassel, first of all I want to tell you thank you very much for
| > | > | responding to me soon.
| > | > | The URL of the first article that you sent me is wrong. I couldn't
| > | > | access it.
| > | > | I will tell you more about the context of my problem so that you can
| > | > | help me more.
| > | > | My web application needs to authenticate every user, therefore I'm
| > | > | using Integrated Windows Authentication.
| > | > | The machine.config has
| > | > | <processModel enable="true" timeout="Infinite" idleTimeout="Infinite"
| > | > | shutdownTimeout="0:00:05" requestLimit="Infinite" requestQueueLimit="5000"
| > | > | restartQueueLimit="10" memoryLimit="60" webGarden="false"
| > | > | cpuMask="0xffffffff" userName="SYSTEM" password="AutoGenerate"
| > | > | logLevel="Errors" clientConnectedCheck="0:00:05"
| > | > | comAuthenticationLevel="Connect" comImpersonationLevel="Impersonate"
| > | > | responseRestartDeadlockInterval="00:09:00"
| > | > | responseDeadlockInterval="00:03:00" maxWorkerThreads="25"
| > | > | maxIoThreads="25"/>
| > | > | The web.config has
| > | > | <authentication mode="Windows" />
| > | > | <authorization>
| > | > | <allow users="*" />
| > | > | <deny users="?"/>
| > | > | </authorization>
| > | > | <identity impersonate="true"/>
| > | > | I am trying to access the Project Server site, which is in another
| > | > | server and has Integrated Windows Authentication. This site has to
| > | > | return an XML.
| > | > | As you tell me I need to delegate security, but I don't know how.
| > | > | If you can help me to do it I will appreciate it.
| > | > | Gaby
| > | > | "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message
| > | > | news:Ld$1RkXwCHA.2600@cpmsftngxa06...
| > | > | > Hello Gabriela,
| > | > | > You are running into a delegation issue here. Delegation is the next
| > | > | > step up from impersonation. Rather than just being able to access
| > | > | > local resources on behalf of the client, delegation supports the
| > | > | > accessing of remote resources on behalf of the client. When you are
| > | > | > trying to access from one server to get to another server, the
| > | > | > account credentials must be passed along so you can access the
| > | > | > document on the second server.
| > | > | >
| > | > | > When users browse to an ASP.NET Web site, they request that some code
| > | > | > run on the server. All processes run within the security context of a
| > | > | > specific account. By default, the ASP.NET engine runs under the aspnet
| > | > | > account. This account has access to the IIS server computer but is not
| > | > | > allowed to access shared folders on other computers. Therefore, you
| > | > | > must configure the IIS computer so that it uses an account other than
| > | > | > the aspnet account.
| > | > | >
| > | > | > After IIS is set to run under another account, you must give that
| > | > | > account permission to all of the files and folders that are needed to
| > | > | > use the remote Access database.
| > | > | >
| > | > | > The following article describes thoroughly the steps needed to allow
| > | > | > you to access the remote resource.
| > | > | > 810572 HOW TO: Setup an IIS / ASP.NET Delegation Scenario
| > | > | > http://support.microsoft.com/?id=810572
| > | > | >
| > | > | > 306158 INFO: Implementing Impersonation in an ASP.NET Application
| > | > | > http://support.microsoft.com/?id=306158
| > | > | > The section entitled "Impersonate the Authenticating User in Code"
| > | > | > might be beneficial to you.
| > | > | >
| > | > | >
| > | > | > Thanks,
| > | > | > Bassel Tabbara
| > | > | > Microsoft, ASP.NET
| > | > | >
| > | > | > This posting is provided "AS IS", with no warranties, and confers no
| > | > | > rights.
| > | > | >
| > | > | >
| > | > | > --------------------
| > | > | > | From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
| > | > | > | Subject: Access denied ( From one site to another, that is in another server)
| > | > | > | Date: Tue, 21 Jan 2003 13:24:40 -0300
| > | > | > | Lines: 72
| > | > | > | MIME-Version: 1.0
| > | > | > | Content-Type: multipart/alternative;
| > | > | > | boundary="----=_NextPart_000_002C_01C2C150.7458DB40"
| > | > | > | X-Priority: 3
| > | > | > | X-MSMail-Priority: Normal
| > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
| > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
| > | > | > | Message-ID: <OmlZ7lWwCHA.1624@TK2MSFTNGP11>
| > | > | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| > | > | > | NNTP-Posting-Host: 200.80.152.106
| > | > | > | Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP11
| > | > | > | Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3707
| > | > | > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
| > | > | > |
| > | > | > | Both web sites have Integrated Windows Authentication.
| > | > | > | If I try to connect from my site to another that is in another
| > | > | > | server I get "Access denied".
| > | > | > | If the second site is in the same server, I can connect correctly.
| > | > | > | Note: The second site is not in a Dotnet Framework
| > | > | > | The code is as follows:
| > | > | > | Imports System.Xml
| > | > | > | ' Load the XML returned by the ASP page on the second site
| > | > | > | Dim sURL As String = "http://srv01/projectserver/LgnIntAu.asp"
| > | > | > | Dim oXMLDocument As XmlDocument
| > | > | > | oXMLDocument = New XmlDocument()
| > | > | > | oXMLDocument.Load(sURL) ' this is the call that returns "Access denied"
| > | > | > | Please Help me !!!!!
| > | > | > | Thanks
| > | > | > |
| > | > | >
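An added example, not code from this thread or from Microsoft, showing the code side of the setup Bassel describes: the page runs under the impersonated Windows user, and the XML load sends that user's credentials to the second site instead of none. It assumes the web.config settings quoted above (`<authentication mode="Windows" />`, `<identity impersonate="true" />`), only Integrated Windows authentication enabled in IIS, and the Active Directory delegation settings from the steps above; the URL is a placeholder. The use of `XmlUrlResolver` with `CredentialCache.DefaultCredentials` is an addition of this example, since `XmlDocument.Load(url)` alone sends no credentials.

```vbnet
' Added example (not from the thread). Assumes web.config has
' <authentication mode="Windows" /> and <identity impersonate="true" />,
' IIS allows only Integrated Windows authentication, and Kerberos delegation
' is enabled for the web server computer and its process account.
Imports System
Imports System.Net
Imports System.Security.Principal
Imports System.Xml

Public Class RemoteXmlLoader

    ' Returns the Windows identity the current request runs as.
    ' With impersonation on, this is the browser user (DOMAIN\user),
    ' not the process account (ASPNET or SYSTEM). Useful as a first check:
    ' if this still shows the process account, impersonation is not in effect
    ' and delegation cannot work.
    Public Shared Function CurrentIdentityName() As String
        Return WindowsIdentity.GetCurrent().Name
    End Function

    ' Loads an XML document from a remote IIS site, presenting the current
    ' (impersonated) Windows credentials. XmlDocument.Load(url) by itself
    ' resolves the URL with no credentials, which is why an "Access denied"
    ' comes back from a site that requires Windows authentication.
    Public Shared Function LoadRemoteXml(ByVal url As String) As XmlDocument
        Dim resolver As New XmlUrlResolver()
        ' DefaultCredentials is the token of the thread's current identity;
        ' under impersonation that is the caller's token, and it can only
        ' reach a second server when Kerberos delegation is configured.
        resolver.Credentials = CredentialCache.DefaultCredentials

        Dim doc As New XmlDocument()
        doc.XmlResolver = resolver
        doc.Load(url)
        Return doc
    End Function

    ' Example usage from an ASP.NET page (placeholder URL, not a real host).
    Public Shared Sub ExampleUsage()
        Dim who As String = CurrentIdentityName()
        Dim doc As XmlDocument = LoadRemoteXml("http://second-server.example/projectserver/LgnIntAu.asp")
        ' doc.DocumentElement now holds the XML returned to user 'who'
    End Sub
End Class
```

Two things follow from this. First, check `CurrentIdentityName()` before anything else: if it reports the process account, the impersonation step in the thread is not configured and no amount of Active Directory work will help. Second, with NTLM the impersonated token is good only on the web server itself, so the remote call fails exactly as the original post describes; it is the Kerberos "trusted for delegation" settings on the computer and process account, plus the user not being marked "sensitive and cannot be delegated", that let the same token be presented to the second server. Keep the set of accounts trusted for delegation as small as the scenario needs, since each one can act as any non-sensitive user toward other services.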