Re: Constrained Delegation question - Please Help

From: Alex (nrz26_at_hotmail.com)
Date: 03/26/04

• Next message: Juan Carlos Heredia Mayer: "w3wp.exe Account"
• Previous message: Raterus: "Re: Troubleshoot Security Issues"
• In reply to: Ken Schaefer: "Re: Constrained Delegation question - Please Help"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Fri, 26 Mar 2004 22:44:37 +0800

Thanks Ken.

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:OWtf0vtEEHA.3040@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> You do not need delegation in this scenario. IIS already has the
> username/password for the Anonymous User account (you had to enter it into
> the IIS Manager when you selected that user as the anonymous user
account).
> ASP.Net should be using that account since you put <identity
> impersonate="true">
>
> Delegation is required when the end-user authenticates. In this situation,
> IIS does not have the user's password (just a token from the Domain
> Controller). Delegation allows IIS to then access remote resources using
> that token.
>
> Cheers
> Ken
>
>
> "Alex" <nrz26@hotmail.com> wrote in message
> news:OHFTawoEEHA.2408@TK2MSFTNGP10.phx.gbl...
> : Hi,
> :
> : I am still confuse after reading MS documentation on how Constrained
> : Delegation works and hope that someone enlighten me.
> :
> : Here's one of my confusion.
> :
> : Servers:
> : IIS
> : FileServer
> :
> : Windows 2003 functional level domain.
> : Running a ASP.Net file upload web application that upload files to a
> shared
> : folder on the FileServer.
> : Enabled anonymous for the file upload web app but using a designated
> domain
> : account for it.
> : Enabled impersonation for the web app.
> : On the FileServer, shared out a folder and modify access right was given
> to
> : the designated domain account.
> : Enabled contrained delegation on the IIS server to CIFS service of the
> : FileServer.
> :
> : Now if I access the web app, does it means that the designated domain
> : account will be used to access the file share on the FileServer?
> :
> :
> : Thanks in advance,
> : Alex
> :
> :
>
>

---

• Next message: Juan Carlos Heredia Mayer: "w3wp.exe Account"
• Previous message: Raterus: "Re: Troubleshoot Security Issues"
• In reply to: Ken Schaefer: "Re: Constrained Delegation question - Please Help"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Constrained Delegation question - Please Help ... the IIS Manager when you selected that user as the anonymous user account). ... Delegation is required when the end-user authenticates. ... : folder on the FileServer. ... (microsoft.public.dotnet.framework.aspnet.security) Re: Windows (Trusted) Authentication and SQL Server ... I can still run the application when logged in locally to the IIS machine, ... > The account whose credentials are being delegated must be a domain account ... > be marked in Active Directory as trusted for delegation. ... > Server) does not need to be marked as trusted. ... (microsoft.public.dotnet.framework.aspnet.security) Re: IIS Setting prevents AD Query from working? ... running under a local account which isn't recognized by any other ... So IIS will use computer account to access the ... select "Trust computer for delegation". ... the ASP.net then runs with the domain account to query AD ... (microsoft.public.inetserver.iis) Re: Troubleshoot Security Issues ... When IIS is ... it automatically registers the NetBIOS/computername of the server ... so I guess the only thing left is delegation... ... :> running under the Localsystem account. ... (microsoft.public.dotnet.framework.aspnet.security) Re: IIS to File Server ... I notice you have not told use the versions (IIS, OS of fileserver) ... of the account you have defined, then it is likely that sufficient grants ... it does not exist on file server. ... (microsoft.public.inetserver.iis.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)