Re: tricky multi-tier delegation
From: Ken Schaefer (kenREMOVE_at_THISadopenstatic.com)
Date: Tue, 16 Nov 2004 23:53:08 +1100
I don't think this is possible.
Kerberos authentication requires that the client get a ticket to access the
service (the service being IIS). If IIS is using Kerberos authentication, it
won't accept the ticket unless it can validate it.
Delegation is then a subsequent step. Here the webserver (IIS) has been
granted permissions to "act as the user" - i.e. get a service ticket on
the user's behalf to access the backend server. To get this ticket, IIS
needs to communicate with the KDC - but you say this isn't possible.
What I suppose you can do is have the user supply their credentials using a
non-HTTP based authentication mechanism (e.g. an HTML form). Your ASP.NET app
can pass that to the backend server, which in turn can verify the
credentials against Active Directory. However, if the backend server is
expecting a Kerberos ticket, then this will be difficult, because the IIS
box needs to communicate with the KDC to get a ticket on the user's behalf.
"Pete" <firstname.lastname@example.org> wrote in message
> Is it possible to implement a 2-tier ASP.NET app with delegation to
> the back-end without authenticating the user at the middle-tier?
> I have IIS running a presentation application that needs to delegate
> Kerberos authentication to a proprietary back-end (non-Windows)
> server. The kicker is that the presentation server is not connected to
> the Authentication Server/KDC, so it cannot authenticate the user. The
> client, presentation server and back-end server are all connected on a
> private LAN, but only the client & back-end are on the intranet. I
> want the client to provide credentials (ticket) to the middle-tier,
> who in turn provides those same credentials to the back-end, without
> the middle-tier doing any authentication himself. I can't find a way
> to do this.
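The ticket flow Ken describes, and the "forward the same credentials" idea from Pete's question, as an added toy model that is not part of either post. Tickets are sealed with the target service's key (modelled with an HMAC, not real Kerberos encryption); principal names, keys and the one-method KDC are constructed for the illustration.

```python
import hmac, hashlib, json, secrets

# Constructed model of the argument in the thread: a service ticket is sealed under
# the *target* service's long-term key, so IIS's ticket is useless at the backend,
# and a ticket for the backend can only be issued by the KDC.

class KDC:
    def __init__(self):
        self.keys = {}                         # principal -> long-term key

    def register(self, principal):
        self.keys[principal] = secrets.token_bytes(32)
        return self.keys[principal]

    def issue_ticket(self, client, service):
        """TGS step: a ticket for `service` naming `client`, sealed with the service key."""
        body = json.dumps({"client": client, "service": service}).encode()
        tag = hmac.new(self.keys[service], body, hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}

def validate_ticket(my_name, my_key, ticket):
    """A service accepts a ticket only if it is sealed under its own key and names it."""
    expected = hmac.new(my_key, ticket["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return None                            # sealed for someone else: cannot validate
    claims = json.loads(ticket["body"])
    return claims["client"] if claims["service"] == my_name else None

def middle_tier_delegate(kdc, iis_name, iis_key, client_ticket, backend):
    """IIS validates the client's ticket, then asks the KDC for a backend ticket on
    the user's behalf. With no path to the KDC there is no second ticket."""
    user = validate_ticket(iis_name, iis_key, client_ticket)
    if user is None or kdc is None:            # kdc is None = Pete's isolated web tier
        return None
    return kdc.issue_ticket(user, backend)

def run(kdc_reachable_from_iis):
    kdc = KDC()
    iis_key = kdc.register("HTTP/iis")
    backend_key = kdc.register("backend/app")
    client_ticket = kdc.issue_ticket("pete", "HTTP/iis")   # the user's own TGS exchange
    # Replaying the IIS ticket at the backend fails: wrong key and wrong target name.
    replayed = validate_ticket("backend/app", backend_key, client_ticket)
    delegated = middle_tier_delegate(kdc if kdc_reachable_from_iis else None,
                                     "HTTP/iis", iis_key, client_ticket, "backend/app")
    accepted = validate_ticket("backend/app", backend_key, delegated) if delegated else None
    return replayed, accepted                  # (None, "pete") only when the KDC is reachable
```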