Re: Delegation/Basic Authentication - using browsers other than IE
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 11/19/04
Date: Fri, 19 Nov 2004 11:36:18 -0600
Yeah, I can't help you here. I have no idea what's going on. It would be
interesting to know what kind of token is getting created for the user on
the server as that might explain what's going on. Basic should create a
primary token that doesn't need delegation, but it looks like that might not
be happening.
Without some deeper understanding of the actual tokens getting created, I
have no idea what to tell you.
Sorry,
Joe K.
"Raterus" <moc.liamtoh@suretar.reverse> wrote in message
news:uMOhvjkzEHA.3840@tk2msftngp13.phx.gbl...
Here is my original post. I haven't really gotten past this yet. Thanks
for any help you might add. I'd imagine this may be easily recreated by
anyone by trying another browser besides IE on their ASP/ASP.net pages
(using WIA of course)
--
I'd really like to see my intranet asp.net pages with other browsers, but I'm having a problem when it comes to connecting to SQL Server. My intranet site is configured with Integrated Windows Authentication & Basic Authentication; anonymous access is disabled. I only get these problems when I request a page that uses SQL Server; if the page is just a simple asp page, it works great.

Let me run through what I'm doing. I request a page that interfaces with SQL Server. Since Integrated windows authentication won't work, it falls back on basic. I enter my credentials (yes, I'm entering the right ones!), but get hit with these kinds of errors.

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Incidentally, I have already configured delegation on this webserver, and it works perfectly with Internet Explorer/Integrated Windows Authentication. I would think this would be even easier with another browser/basic authentication, since I have to enter my credentials, that should create a primary authentication token on the server for it to use, right?

My question is, why is my webserver trying to pass "NT AUTHORITY\anonymous logon" on to SQL Server? Both my webserver and my domain account are "Trusted for Delegation".

I've done a little detective work and determined that if I turn off Integrated Windows Authentication, it works like I want it to. Unfortunately I can't do this since everyone else uses IE. It's almost as if IIS is not completely falling back onto Basic Authentication.

Can someone help me out here!

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:u5eHTjbzEHA.2572@tk2msftngp13.phx.gbl...
> Nope! I didn't pipe in because I wasn't sure what the answer was. As I
> recall, your scenario was trying to use delegation and WIA, but it wasn't
> working, right? Sorry, but I lost the original post.
>
> Joe K.
>
> "Raterus" <moc.liamtoh@suretar.reverse> wrote in message
> news:OA91CIbzEHA.1188@tk2msftngp13.phx.gbl...
> Thanks Joe, any idea on my original problem?
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:OLq8$AZzEHA.1652@TK2MSFTNGP11.phx.gbl...
> > Protocol transition and constrained delegation are two separate things,
> > although both 2003 features.
> >
> > Constrained delegation allows you to limit what other services a specific
> > account can delegate to. In 2000, once you enabled delegation, it was all
> > or nothing. A service could delegate to anything.
> >
> > Protocol transition is the ability to switch from non-Kerberos auth to a
> > Kerberos token. This can be done programmatically by calling LsaLogonUser
> > or using the .NET WindowsIdentity constructor that takes the single upn
> > argument. However, Windows can also do protocol transition automatically.
> > Say for example a user was authenticated via NTLM but now needs to be
> > delegated. In this case, Windows will do protocol transition automatically
> > and switch to using Kerberos so delegation is possible.
> >
> > There are some really good articles on this stuff that explain it more
> > thoroughly, but that is the gist.
> >
> > Joe K.
> >
> > "Raterus" <moc.liamtoh@suretar.reverse> wrote in message
> > news:OjLJz0XzEHA.3880@TK2MSFTNGP10.phx.gbl...
> > Cute, but that isn't exactly Integrated Windows Authentication at its
> > fullest. It's half the battle, but NTLM is a bit older technology and isn't
> > fully compatible with today's growing intranet applications. My original
> > issue deals with delegation, and you have to authenticate with Kerberos in
> > order to have your credentials delegated to another server past the
> > webserver. This is not possible with NTLM...well not easily anyway. I
> > received this response once for delegation issues "If you are also running
> > a Windows 2003 Domain, then with constrained delegation you can also
> > configure Protocol Transition" Doesn't sound easy to me!
> >
> > "John Rusk" <JohnRusk@discussions.microsoft.com> wrote in message
> > news:E16FFEFE-A2FC-4A00-8E46-F067E6F12B13@microsoft.com...
> > > > You wouldn't happen to have the link to this would you? I can't find
> > > > anything on
> > >
> > > It doesn't seem to be very well publicised. Here are the links I have,
> > > below. (I haven't actually tried it yet myself.)
> > >
> > > http://www.koldark.net/archives/2004/08/26/ntlm_in_firefoxmozilla.php
> > > http://rampage.theficus.com/archives/2004/09/firefox_tutoria.html
> > >
> > > John
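
The thread leaves open which scheme a non-IE browser actually uses when IIS offers both Integrated Windows Authentication and Basic. As an added example (not code from any poster in this thread), the Python function below classifies a captured `Authorization` request header as Basic, NTLM, or a GSS-API token carried under Negotiate; the function names and the sample headers are constructed for illustration.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                      # signature that opens every NTLM message
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_authorization(value):
    """Return (scheme, mechanism) for one HTTP Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("basic", "ntlm", "negotiate"):
        return (scheme, "unsupported scheme")
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return (scheme, "malformed")
    if scheme == "basic":
        # Basic carries user:password; report the user name only.
        user = token.decode("utf-8", "replace").partition(":")[0]
        return (scheme, "cleartext user=" + user)
    if token.startswith(NTLMSSP):
        # Bytes 8..11 hold the little-endian NTLM message type.
        msg = int.from_bytes(token[8:12], "little")
        return (scheme, "ntlm " + NTLM_TYPES.get(msg, "unknown"))
    if token[:1] == b"\x60":                  # ASN.1 [APPLICATION 0]: GSS-API token
        return (scheme, "gssapi (SPNEGO/Kerberos)")
    return (scheme, "unknown token")

def b64(raw):
    """Base64-encode bytes to the ASCII form used in HTTP headers."""
    return base64.b64encode(raw).decode("ascii")

# Constructed sample headers (not taken from the thread).
SAMPLES = {
    "basic": "Basic " + b64(b"EXAMPLE\\alice:constructed-password"),
    "raw_ntlm": "NTLM " + b64(NTLMSSP + (1).to_bytes(4, "little") + bytes(4)),
    "negotiate_ntlm": "Negotiate " + b64(NTLMSSP + (3).to_bytes(4, "little") + bytes(52)),
    "negotiate_gss": "Negotiate " + b64(b"\x60\x82\x01\x00" + bytes(16)),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, classify_authorization(header))
```

A request that carries an NTLM token, whether under `NTLM` or `Negotiate`, did not fall back to Basic, which is the distinction the original post is trying to pin down.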