Re: tricky multi-tier delegation
From: Ken Schaefer (kenREMOVE_at_THISadopenstatic.com)
Date: 11/16/04
Date: Tue, 16 Nov 2004 23:53:08 +1100
I don't think this is possible.
Kerberos authentication requires that the client get a ticket to access the
service (the service being IIS). If IIS is using Kerberos authentication, it
won't accept the ticket unless it can validate it.
Delegation is then a subsequent step. Here the webserver (IIS) has been
granted permissions to "act as the user" - i.e. get a service ticket on
the user's behalf to access the backend server. To get this ticket, IIS
needs to communicate with the KDC - but you say this isn't possible.
What I suppose you can do is have the user supply their credentials using a
non-HTTP based authentication mechanism (e.g. an HTML form). Your ASP.NET app
can pass that to the backend server, which in turn can verify the
credentials against Active Directory. However, if the backend server is
expecting a Kerberos ticket, then this will be difficult, because the IIS
box needs to communicate with the KDC to get a ticket on the user's behalf.
Cheers
Ken
"Pete" <peter.gehrman@unisys.com> wrote in message
news:bfca4620.0411111023.5da35c4e@posting.google.com...
> Is it possible to implement a 2-tier ASP.NET app with delegation to
> the back-end without authenticating the user at the middle-tier?
>
> I have IIS running a presentation application that needs to delegate
> Kerberos authentication to a proprietary back-end (non-Windows)
> server. The kicker is that the presentation server is not connected to
> the Authentication Server/KDC, so it cannot authenticate the user. The
> client, presentation server and back-end server are all connected on a
> private LAN, but only the client & back-end are on the intranet. I
> want the client to provide credentials (ticket) to the middle-tier,
> who in turn provides those same credentials to the back-end, without
> the middle-tier doing any authentication himself. I can't find a way
> to do this.
>
> Thanks,
> Pete
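
Added example (not part of the original thread): a toy Python model of the exchange discussed above, showing that the web tier needs a route to the KDC to obtain a back-end ticket on the user's behalf, and that the client's ticket for the web tier fails validation if it is handed unchanged to the back end. The principal names, the HMAC "sealing" used in place of real Kerberos encryption, and the `ticket_on_behalf` request are assumptions made for illustration.

```python
import hashlib, hmac, json

def seal(key, payload):
    # Toy stand-in for ticket encryption: JSON body prefixed with an HMAC tag.
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, blob):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("ticket was not issued for this service's key")
    return json.loads(body)

class KDC:
    def __init__(self):
        self.keys, self.may_delegate = {}, set()  # principal -> long-term key
    def register(self, principal, may_delegate=False):
        # Constructed key material, derived from the name so the demo is repeatable.
        self.keys[principal] = hashlib.sha256(b"constructed-key:" + principal.encode()).digest()
        if may_delegate:
            self.may_delegate.add(principal)
        return self.keys[principal]

    def service_ticket(self, user, service):
        return seal(self.keys[service], {"user": user, "service": service})

    def ticket_on_behalf(self, requester, evidence, target):
        # Delegation: the requester shows the user's ticket to itself as evidence.
        if requester not in self.may_delegate:
            raise PermissionError(requester + " is not trusted for delegation")
        user = unseal(self.keys[requester], evidence)["user"]
        return self.service_ticket(user, target)

class Service:
    def __init__(self, name, key, kdc=None):
        self.name, self.key, self.kdc = name, key, kdc  # kdc=None: no route to the KDC
    def accept(self, ticket):
        return unseal(self.key, ticket)["user"]

    def call_backend(self, user_ticket, backend):
        self.accept(user_ticket)  # validate the client's ticket first
        if self.kdc is None:
            raise ConnectionError(self.name + " cannot reach the KDC")
        return backend.accept(self.kdc.ticket_on_behalf(self.name, user_ticket, backend.name))

def build(web_has_kdc):
    kdc = KDC()
    web = Service("HTTP/web", kdc.register("HTTP/web", may_delegate=True), kdc if web_has_kdc else None)
    backend = Service("svc/backend", kdc.register("svc/backend"))
    return web, backend, kdc.service_ticket("pete", "HTTP/web")
```

`build(True)` models a web tier that can reach the KDC and `build(False)` the isolated one from the question; in both cases the returned ticket is the one the client obtained for the web tier.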