Re: tricky multi-tier delegation

From: Ken Schaefer (kenREMOVE_at_THISadopenstatic.com)
Date: 11/16/04

Date: Tue, 16 Nov 2004 23:53:08 +1100

I don't think this is possible.

Kerberos authentication requires that the client get a ticket to access the
service (the service being IIS). If IIS is using Kerberos authentication, it
won't accept the ticket unless it can validate it.

Delegation is then a subsequent step. Here the webserver (IIS) has been
granted permissions to "act as the user" - i.e. get a service ticket on
the user's behalf to access the backend server. To get this ticket, IIS
needs to communicate with the KDC - but you say this isn't possible.

What I suppose you can do is have the user supply their credentials using a
non-HTTP based authentication mechanism (e.g. an HTML form). Your ASP.NET app
can pass that to the backend server, which in turn can verify the
credentials against Active Directory. However, if the backend server is
expecting a Kerberos ticket, then this will be difficult, because the IIS
box needs to communicate with the KDC to get a ticket on the user's behalf.

Cheers
Ken

"Pete" <peter.gehrman@unisys.com> wrote in message
news:bfca4620.0411111023.5da35c4e@posting.google.com...
> Is it possible to implement a 2-tier ASP.NET app with delegation to
> the back-end without authenticating the user at the middle-tier?
>
> I have IIS running a presentation application that needs to delegate
> Kerberos authentication to a proprietary back-end (non-Windows)
> server. The kicker is that the presentation server is not connected to
> the Authentication Server/KDC, so it cannot authenticate the user. The
> client, presentation server and back-end server are all connected on a
> private LAN, but only the client & back-end are on the intranet. I
> want the client to provide credentials (ticket) to the middle-tier,
> who in turn provides those same credentials to the back-end, without
> the middle-tier doing any authentication himself. I can't find a way
> to do this.
>
> Thanks,
> Pete
