Re: Allow Integrated Windows Authentication Token to be delegated?
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 03/25/04
- Next message: Ken Schaefer: "Re: How to solve it ?"
- Previous message: Steven Cheng[MSFT]: "Re: Role Based Security"
- In reply to: Raterus: "Allow Integrated Windows Authentication Token to be delegated?"
- Next in thread: Raterus: "Re: Allow Integrated Windows Authentication Token to be delegated?"
- Reply: Raterus: "Re: Allow Integrated Windows Authentication Token to be delegated?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Mar 2004 12:34:08 +1100
Integrated Windows Authentication actually involves two different types of
authentication: Kerberos and NTLM v2. Kerberos is supported natively by
Windows 2000 and Windows XP client machines. Delegation is possible using
Kerberos.
If you are also running a Windows 2003 Domain, then with constrained
delegation you can also configure Protocol Transition, which allows
non-Kerberos authentication to the webserver, and then the webserver will
get a Kerberos token to access the remote file server.
Some links that may be helpful:
Here are a few articles to get you started:
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
HOW TO: Configure an ASP.NET Application for a Delegation Scenario
http://support.microsoft.com/?id=294382
Authentication May Fail with "401.3" Error If Web Site's "Host Header"
Differs from Server's NetBIOS Name
http://support.microsoft.com/default.aspx?kbid=325894
HOW TO: Configure Computer Accounts and User Accounts So That They Are
Trusted for Delegation in Windows Server 2003 Enterprise Edition (also
includes Windows 2000 instructions)
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/se_con_del_computer.asp
Configuring Users and Computers for delegation (there's a couple of pages -
use the links in the nav bar to get to them)
Windows 2003 Protocol Transition
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx
Cheers
Ken
"Raterus" <raterus@localhost> wrote in message
news:eEdC35eEEHA.3412@TK2MSFTNGP10.phx.gbl...
: I'm writing an asp.net intranet application that allows the current user to
: manage their user folder on a shared network drive on the same domain as the
: webserver. These user folders have permissions set up for the current user.
:
: From what I understand about IIS/Integrated Windows Authentication, it
: doesn't support delegation, that is passing an authentication token to a
: server beyond the webserver (like this network share). Any access beyond
: that "one-hop" would be executed under the configured identity of asp.net.
:
: Is there a way, from code perhaps, to beef up the token IIS receives from
: the browser (that has been authenticated by Integrated Windows), so it can
: overcome the one-hop rule, and access a network share that has permissions
: set for the current user? I know this problem is easily solved with using
: basic authentication, but I don't want the user to have to re-enter their
: username/password in the webpage.
:
: I just want it so authenticated user "joe" can access this shared network
: folder because there are permissions set for "joe", not because I've done
: some crazy process to change the identity asp.net runs under. It seems
: silly that there wouldn't be a way to do this!
:
: Please help!
: --Michael
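The two paths Ken's reply describes (straight Kerberos delegation of the caller's token, and protocol transition when the browser could only do NTLM), as an added C# example that is not from this thread and not Microsoft's own sample code. It assumes .NET Framework 2.0 or later (for `WindowsIdentity.ImpersonationLevel`), `<identity impersonate="true" />` in web.config, Integrated Windows Authentication on the IIS site, and that the web server's AD account has already been configured for constrained delegation to `cifs/FILESRV` with "Use any authentication protocol" selected (the TRUSTED_TO_AUTH_FOR_DELEGATION flag from the constrained-delegation article linked above). `FILESRV`, `corp.example`, the share path and the NetBIOS-to-DNS domain mapping are hypothetical.

```csharp
// Added example, not from the original post. See the lead-in for assumptions.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public static class DelegatedShareAccess
{
    // Hypothetical file server share. Each user folder carries NTFS ACLs for that user only.
    const string UserFolderRoot = @"\\FILESRV.corp.example\users\";
    // Hypothetical mapping of the NetBIOS domain name to the DNS domain name (needed for a UPN).
    const string NetbiosDomain = "CORP";
    const string DnsDomain = "corp.example";

    // Path 1: the browser authenticated with Kerberos and the web server's account is
    // trusted for delegation. Impersonating the request's own token is enough; the
    // second hop to FILESRV is then made as the caller, not as the ASP.NET process identity.
    public static string[] ListViaKerberosDelegation(HttpContext ctx)
    {
        WindowsIdentity caller = (WindowsIdentity)ctx.User.Identity;

        // Only a Delegation-level token survives a network hop. If the browser fell back to
        // NTLM, or delegation was never enabled for the server account, the token is only
        // Impersonation level and the share would see a null session (ANONYMOUS LOGON),
        // so fail loudly here instead of with a confusing "access denied" from FILESRV.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException(
                "Caller token is " + caller.ImpersonationLevel +
                " level; Kerberos delegation is not available for this request.");

        using (WindowsImpersonationContext wic = caller.Impersonate())
        {
            return Directory.GetDirectories(UserFolderRoot + SamAccountName(caller.Name));
        }
    }

    // Path 2 (protocol transition): the caller authenticated with NTLM or anything else.
    // The web server asks the KDC for a Kerberos service ticket to itself on the user's
    // behalf (S4U2Self) by constructing a WindowsIdentity from the UPN; no password is
    // needed. With constrained delegation to cifs/FILESRV configured, impersonating that
    // identity lets the KDC issue the onward ticket (S4U2Proxy) for the share access.
    public static string[] ListViaProtocolTransition(HttpContext ctx)
    {
        string upn = ToUpn(ctx.User.Identity.Name);   // "CORP\joe" -> "joe@corp.example"
        WindowsIdentity s4u = new WindowsIdentity(upn);

        // If the server account is NOT marked "Use any authentication protocol", S4U2Self
        // still succeeds but returns an Identification-level token, which can be used to
        // read group membership but cannot open anything on the share.
        if (s4u.ImpersonationLevel == TokenImpersonationLevel.Identification)
            throw new InvalidOperationException(
                "Server account is not trusted to authenticate for delegation (protocol transition).");

        using (WindowsImpersonationContext wic = s4u.Impersonate())
        {
            return Directory.GetDirectories(UserFolderRoot + SamAccountName(upn));
        }
    }

    // "CORP\joe" -> "joe@corp.example". Hypothetical single-domain mapping.
    static string ToUpn(string domainBackslashUser)
    {
        if (domainBackslashUser.IndexOf('@') >= 0)
            return domainBackslashUser;                 // already a UPN
        string[] parts = domainBackslashUser.Split('\\');
        if (parts.Length != 2 || !string.Equals(parts[0], NetbiosDomain, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Unexpected account name format: " + domainBackslashUser);
        return parts[1] + "@" + DnsDomain;
    }

    // "CORP\joe" or "joe@corp.example" -> "joe", used as the per-user folder name.
    static string SamAccountName(string name)
    {
        int at = name.IndexOf('@');
        if (at >= 0) return name.Substring(0, at);
        int bs = name.IndexOf('\\');
        return bs >= 0 ? name.Substring(bs + 1) : name;
    }
}
```

In a page handler you would call `ListViaKerberosDelegation(Context)` and, on the exception, fall back to `ListViaProtocolTransition(Context)`; in both cases the file server sees "joe", not the ASP.NET process account, which is exactly the behaviour the original question asks for. Protocol transition should only be turned on for a server account you trust with that power, because it lets that account obtain a ticket as any domain user to the services listed in its delegation list.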