Re: Troubleshoot Security Issues
From: Raterus (raterus_at_localhost)
Date: 03/26/04
- Next message: Alex: "Re: Constrained Delegation question - Please Help"
- Previous message: Javier Miranda: "Re: Error when referring to a reference in ASP.NET - Due to permissions"
- In reply to: Ken Schaefer: "Re: Troubleshoot Security Issues"
- Next in thread: Raterus: "Re: Troubleshoot Security Issues"
- Reply: Raterus: "Re: Troubleshoot Security Issues"
Date: Fri, 26 Mar 2004 09:22:15 -0500
Ok, so here it goes,

I just spit out the server variables, Auth_Type did = Negotiate, so I guess
I did that properly. And I've managed to also figure out that asp.net is
impersonating correctly, so I guess the only thing left is delegation...

Here is what I've done to get delegation working, I followed your advice and
tried to implement everything I saw in this article.
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

I'm going to go through these steps as I do this again, just to make sure
I've really done them.

1) My browser is authenticating with Kerberos, figured that out from looking
at the servervariables

2) Checked the box in IE "Enable Integrated Windows Authentication", and I
restarted my computer, even though it didn't specifically warn me to do such.

3) In IIS I have verified that the directory I'm accessing has Integrated
Windows Authentication checked, and it is the only thing checked.

4) ASP.net web.config, looks exactly like that example on the website,
except that <allow users="*" /> is embedded in the <authorization> tag.
That's how I found it, I assume it is supposed to be only there. I've also
tried to impersonate using code, and by setting
<identity impersonate="true">. I've tried both ways and verified that they
both work.
note: (My webserver is NOT a domain controller, its OS is Windows Server
2003, all domain controllers are hosted off of Windows 2000 servers)

5) I've found my webserver's computer under active directory
users/computers, and checked a box under its general properties "Trust
computer for delegation"

6) I've also verified on my webserver that IIS service inetinfo.exe is
running under the Localsystem account. The checkbox "Allow service to
interact with desktop" is not checked though.

7) I'm not sure if I really need to do this (I hope not), but I've found my
user account, and under the Account tab I've checked "Account is trusted for
delegation". I hope I don't have to do this, because that would require
checking that for each user on our network when this application rolls out!

Here is my code that is bombing, note that it only bombs on the webserver, if
I run this code locally, on my own IIS server it works great.

    ' Requires: Imports System.IO
    ' scanUserDirectoriesPath, NewScans, dgScans, hTitle and lblError are
    ' defined elsewhere on the page.
    Dim FolderInfo As New ArrayList
    Try
        ' Directory on the network share; read under the impersonated identity.
        Dim dirInfo As New DirectoryInfo(scanUserDirectoriesPath & CStr(Session("username")) & "\")
        Dim infoFiles() As FileInfo = dirInfo.GetFiles
        Dim infoFile As FileInfo
        For Each infoFile In infoFiles
            FolderInfo.Add(New NewScans(infoFile.Name, infoFile.CreationTime.ToString, infoFile.FullName))
        Next
        If FolderInfo.Count = 0 Then
            dgScans.Visible = False
            hTitle.InnerText = "No " & hTitle.InnerText
        Else
            dgScans.DataSource = FolderInfo
            dgScans.DataBind()
        End If
    Catch ex As Exception
        ' On failure, show the exception and the three identities in play.
        lblError.Text = ex.ToString & Chr(13) & _
            "HttpContext: " & HttpContext.Current.User.Identity.Name & Chr(13) & _
            "WindowsIdentity: " & System.Security.Principal.WindowsIdentity.GetCurrent.Name & Chr(13) & _
            "Thread: " & System.Threading.Thread.CurrentPrincipal.Identity.Name
    End Try

Any help would be great!
--Michael
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%2389cAxtEEHA.3096@TK2MSFTNGP11.phx.gbl...
> a) You can put a trace on the network -or- you can dump out all the values
> in the Request.ServerVariables() collection. If you see something like
> Auth_Type: Negotiate, then Kerberos was used. If you see something like
> Auth_Type: NTLM then NTLM was used.
>
> b) Is ASP.Net impersonating correctly? If you have <identity
> impersonate="true"> and set authentication to Windows then it should
> impersonate.
>
> c) Is delegation working correctly? I don't know. Why don't you tell us what
> you've done, and what's happening?
>
> Cheers
> Ken
>
> "Raterus" <raterus@localhost> wrote in message
> news:e$f2whqEEHA.3576@tk2msftngp13.phx.gbl...
> : What is the easiest way to troubleshoot security issues?
> :
> : I'm trying to set up a delegation scenario, which I wrote a question about
> : yesterday. Something isn't working in it, but I feel kind of helpless to
> : even know if what I think I set up is actually what is happening in the
> : background. For instance, I'm trying to get my asp.net application to
> : delegate to another computer to be able to access files on a network share.
> : How do I really know my browser is authenticating with Kerberos?, Is asp.net
> : impersonating correctly, when it accesses this network share, is delegation
> : working correctly?. Lots of issues like this, what is the best way to look
> : at this information?
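
Added example, not part of the original thread: a VB.NET helper that reports, in one place, the three things the thread checks in turn (what IIS negotiated, which token the thread holds and at what impersonation level, and whether the second hop to the share succeeds). The module and function names and the share path are hypothetical; it assumes .NET Framework 2.0 or later, where WindowsIdentity.ImpersonationLevel is available.

```vb
Imports System
Imports System.IO
Imports System.Security.Principal
Imports System.Text
Imports System.Web

Public Module DelegationDiagnostics   ' hypothetical name

    ' Call from a page while impersonation is active, for example:
    '   lblError.Text = DelegationReport("\\fileserver\scans\")   ' hypothetical share
    Public Function DelegationReport(ByVal uncPath As String) As String
        Dim sb As New StringBuilder()
        Dim ctx As HttpContext = HttpContext.Current

        ' 1) What IIS negotiated with the browser. Negotiate can carry
        '    either Kerberos or NTLM, so also look at the token below.
        sb.AppendLine("AUTH_TYPE: " & ctx.Request.ServerVariables("AUTH_TYPE"))
        sb.AppendLine("Request user: " & ctx.User.Identity.Name)

        ' 2) Which Windows token the thread is running under right now.
        Using id As WindowsIdentity = WindowsIdentity.GetCurrent()
            sb.AppendLine("Thread token: " & id.Name)
            sb.AppendLine("Token auth type: " & id.AuthenticationType)
            sb.AppendLine("Impersonation level: " & id.ImpersonationLevel.ToString())
            Select Case id.ImpersonationLevel
                Case TokenImpersonationLevel.Delegation
                    sb.AppendLine("-> token may be presented to a second machine")
                Case TokenImpersonationLevel.None
                    sb.AppendLine("-> not impersonating; this is the process identity")
                Case Else
                    sb.AppendLine("-> impersonating, but only usable on this server")
            End Select
        End Using

        ' 3) The second hop: try the share with whatever token step 2 showed.
        Try
            Dim count As Integer = Directory.GetFiles(uncPath).Length
            sb.AppendLine("Share access OK, files: " & count.ToString())
        Catch ex As UnauthorizedAccessException
            sb.AppendLine("Share access denied: " & ex.Message)
        Catch ex As IOException
            sb.AppendLine("Share I/O error: " & ex.Message)
        End Try
        Return sb.ToString()
    End Function
End Module
```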