Re: Allow Integrated Windows Authentication Token to be delegated?
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: Thu, 25 Mar 2004 12:34:08 +1100
Integrated Windows Authentication actually involves two different types of
authentication. Kerberos, and NTLM v2. Kerberos is supported, natively, by
Windows 2000 and Windows XP client machines. Delegation is possible using
If you are also running a Windows 2003 Domain, then with constrained
delegation you can also configure Protocol Transition, which allows
non-Kerberos authentication to the webserver, and then the webserver will
get a Kerberos token to access the remote file server.
Some links that may be helpful:
Here are a few articles to get you started:
HOW TO: Configure an ASP.NET Application for a Delegation Scenario
Authentication May Fail with "401.3" Error If Web Site's "Host Header"
Differs from Server's NetBIOS Name
HOW TO: Configure Computer Accounts and User Accounts So That They Are
Trusted for Delegation in Windows Server 2003 Enterprise Edition (also
includes Windows 2000 instructions)
Configuring Users and Computers for delegation (there's a couple of pages -
use the links in the nav bar to get to them)
Windows 2003 Protocol Transition
"Raterus" <raterus@localhost> wrote in message
: I'm writing an asp.net intranet application that allows the current user to
: manage their user folder on a shared network drive on the same domain as the
: webserver. These user folders have permissions set up for the current
: From what I understand about IIS/Integrated Windows Authentication, it
: doesn't support delegation, that is passing an authentication token to a
: server beyond the webserver (like this network share). Any access beyond
: that "one-hop" would be executed under the configured identity of asp.net.
: Is there a way, from code perhaps, to beef up the token IIS receives from
: the browser (that has been authenticated by Integrated Windows), so it can
: overcome the one-hop rule, and access a network share that has permissions
: set for the current user? I know this problem is easily solved with using
: basic authentication, but I don't want the user to have to re-enter their
: username/password in the webpage.
: I just want it so authenticated user "joe" can access this shared network
: folder because there are permissions set for "joe", not because I've done
: some crazy process to change the identity asp.net runs under. It seems
: silly that there wouldn't be a way to do this!
: Please help!
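The reply above distinguishes three delegation configurations: unconstrained delegation, Windows 2003 constrained delegation (Kerberos only), and constrained delegation with Protocol Transition. The following Python script is an added example, not code from either poster; it classifies accounts by the same Active Directory attributes an administrator would set when following the linked articles (the `userAccountControl` bits and `msDS-AllowedToDelegateTo`), so a defender can audit which accounts may act on behalf of users and how far. The account names, SPNs and the `SAMPLE_ACCOUNTS` list are constructed sample data, and the risk ranking is an assumption of this example rather than anything the thread states.

```python
"""Classify Active Directory delegation settings from userAccountControl
and msDS-AllowedToDelegateTo.

Added example, not part of the original thread. SAMPLE_ACCOUNTS below is
constructed data, not output from a real domain.
"""

# userAccountControl bits that govern Kerberos delegation (Windows SDK values).
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition ("any protocol")
WORKSTATION_TRUST_ACCOUNT = 0x00001000       # ordinary computer account bit


def classify_delegation(uac, allowed_to_delegate_to):
    """Return a label describing how the account may delegate.

    uac: integer userAccountControl value
    allowed_to_delegate_to: list of target SPNs from msDS-AllowedToDelegateTo
    """
    if uac & TRUSTED_FOR_DELEGATION:
        # Can obtain tickets to any service as the user: the pre-2003 model.
        return "unconstrained"
    if allowed_to_delegate_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            # Windows 2003 constrained delegation with Protocol Transition:
            # the web server may accept NTLM (or other) auth from the browser
            # and still get a Kerberos ticket to the listed targets.
            return "constrained-protocol-transition"
        # Constrained delegation, Kerberos only: the client must have
        # authenticated to the web server with Kerberos.
        return "constrained-kerberos-only"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # Protocol-transition bit set but no targets listed: worth a review.
        return "protocol-transition-no-targets"
    return "none"


# Assumed risk ranking for an audit report (an assumption of this example).
RISK = {
    "unconstrained": "high",
    "constrained-protocol-transition": "medium",
    "protocol-transition-no-targets": "medium",
    "constrained-kerberos-only": "low",
    "none": "low",
}

# Constructed sample records with hypothetical names and SPNs.
SAMPLE_ACCOUNTS = [
    {"name": "WEB01$",
     "uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "allowedToDelegateTo": ["cifs/FILESRV01.corp.example"]},
    {"name": "WEB02$",
     "uac": WORKSTATION_TRUST_ACCOUNT,
     "allowedToDelegateTo": ["cifs/FILESRV01.corp.example"]},
    {"name": "LEGACYAPP$",
     "uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "allowedToDelegateTo": []},
    {"name": "WS-ALICE$",
     "uac": WORKSTATION_TRUST_ACCOUNT,
     "allowedToDelegateTo": []},
]


def audit(accounts):
    """Return (name, classification, risk) tuples, riskiest first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = []
    for acct in accounts:
        kind = classify_delegation(acct["uac"], acct["allowedToDelegateTo"])
        rows.append((acct["name"], kind, RISK[kind]))
    # sort() is stable, so accounts with equal risk keep their input order
    rows.sort(key=lambda row: order[row[2]])
    return rows


if __name__ == "__main__":
    for name, kind, risk in audit(SAMPLE_ACCOUNTS):
        print(f"{name:12} {kind:32} risk={risk}")
```

`WEB01$` is the configuration the reply describes for the one-hop problem: constrained to the file server's `cifs/` SPN and permitted to transition protocols, so a browser that fell back to NTLM still ends up with a Kerberos ticket to the share as the logged-on user. If the ASP.NET worker runs under a domain account instead of the machine account, the same attributes are set on that user account and the script would be fed its record instead.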