Re: Constrained Delegation question - Please Help

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 03/26/04 

Date: Fri, 26 Mar 2004 13:42:30 +1100

Hi,

You do not need delegation in this scenario. IIS already has the
username/password for the Anonymous User account (you had to enter it into
the IIS Manager when you selected that user as the anonymous user account).
ASP.Net should be using that account since you put <identity
impersonate="true">

Delegation is required when the end-user authenticates. In this situation,
IIS does not have the user's password (just a token from the Domain
Controller). Delegation allows IIS to then access remote resources using
that token.

Cheers
Ken

"Alex" <nrz26@hotmail.com> wrote in message
news:OHFTawoEEHA.2408@TK2MSFTNGP10.phx.gbl...
: Hi,
:
: I am still confuse after reading MS documentation on how Constrained
: Delegation works and hope that someone enlighten me.
:
: Here's one of my confusion.
:
: Servers:
: IIS
: FileServer
:
: Windows 2003 functional level domain.
: Running a ASP.Net file upload web application that upload files to a
shared
: folder on the FileServer.
: Enabled anonymous for the file upload web app but using a designated
domain
: account for it.
: Enabled impersonation for the web app.
: On the FileServer, shared out a folder and modify access right was given
to
: the designated domain account.
: Enabled contrained delegation on the IIS server to CIFS service of the
: FileServer.
:
: Now if I access the web app, does it means that the designated domain
: account will be used to access the file share on the FileServer?
:
:
: Thanks in advance,
: Alex
:
:

Relevant Pages

  • Re: Constrained Delegation question - Please Help
    ... IIS already has the ... > username/password for the Anonymous User account (you had to enter it into ... > Delegation is required when the end-user authenticates. ... >: folder on the FileServer. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Windows (Trusted) Authentication and SQL Server
    ... I can still run the application when logged in locally to the IIS machine, ... > The account whose credentials are being delegated must be a domain account ... > be marked in Active Directory as trusted for delegation. ... > Server) does not need to be marked as trusted. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: IIS Setting prevents AD Query from working?
    ... running under a local account which isn't recognized by any other ... So IIS will use computer account to access the ... select "Trust computer for delegation". ... the ASP.net then runs with the domain account to query AD ...
    (microsoft.public.inetserver.iis)
  • Re: Troubleshoot Security Issues
    ... When IIS is ... it automatically registers the NetBIOS/computername of the server ... so I guess the only thing left is delegation... ... :> running under the Localsystem account. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: IIS to File Server
    ... I notice you have not told use the versions (IIS, OS of fileserver) ... of the account you have defined, then it is likely that sufficient grants ... it does not exist on file server. ...
    (microsoft.public.inetserver.iis.security)