Re: Kerberos delegation trauma

From: Mandy (Mandy_at_discussions.microsoft.com)
Date: 01/19/05


Date: Wed, 19 Jan 2005 03:25:06 -0800

I have created a dll which has the code that creates a process that calls the
command line tool. I have imported this dll into my web application and call
it but still receive the same error.... Is there anything else I have to do
to get Kerberos delegation working? Also, are there any alternative methods
to allow my tool to access resources on another machine?

Thanks for all your help!

"Joe Kaplan (MVP - ADSI)" wrote:

> Remember, processes launched with the Process class will use the underlying
> process' security token, not the impersonated user's security token. Thus,
> your process will likely launch under ASPNET or NETWORK SERVICE (depending
> on OS and configuration). That is probably the root of your problem.
> Kerberos delegation won't solve this.
>
> If you want Kerb delegation to come into play, you need to load the code you
> want to call in process via a DLL or something.
>
> Joe K.
>
> "Mandy" <Mandy@discussions.microsoft.com> wrote in message
> news:3E2ED4ED-3377-4DFD-8D3C-146D323EFAB1@microsoft.com...
> > Hi,
> >
> > I have a .NET web application (C#) which calls a command line tool (using
> > Process object). This tool in turn invokes another tool on another server by
> > passing that server's IP address as an argument, however, an error occurs
> > when the tool on my machine tries to access the server. I have placed the
> > exact same code in a Windows application and a console application, and they
> > work fine, so I am under the impression I have a permissions/security
> > problem.
> >
> > I have tried to implement Kerberos delegation using Microsoft's KB article
> > 810572 (configure ASP.NET application for a delegation scenario) but with no
> > luck. On my machine I have set IE to have Enable Integrated Windows
> > Authentication to true, the EnableNegotiate in registry was already set to 1.
> > I also only have 'Integrated Windows authentication' option checked on
> > my IIS (5.0) for my web application directory and have impersonation set to
> > true in my web.config with authentication set to Windows.
> >
> > In Active Directory I have set my computer to have 'Trust computer for
> > delegation' selected, as well as for the server that needs to be accessed.
> > The user account on the server that I want to impersonate also has 'Account
> > is trusted for delegation' selected and 'Account is sensitive and cannot be
> > delegated' unselected, and this account is impersonated in my web.config.
> > Admittedly, I did get rather confused with this section so not sure if this
> > is all correct and I still can't get my tool to run correctly.... ARGH!
> >
> > If anyone has any suggestions or can see anything I have done wrong please
> > let me know, it will be more than appreciated!!
> >
> > CHEERS!!
> >
> > Mandy
>
>
>
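
The token distinction described in the quoted reply can be checked from inside the web application. The following diagnostic is an added example, not code from either poster: it assumes .NET Framework, that it is called during an impersonating ASP.NET request, and that `whoami.exe` is present on the host; the class and method names are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;

// Hypothetical helper: compares the identity on the request thread with the
// identity a child process actually receives.
public static class TokenDiagnostics
{
    // Identity of the calling thread. With <identity impersonate="true"/> this
    // is the impersonated user. ImpersonationLevel shows whether the token is
    // only usable locally (Impersonation) or can reach other machines (Delegation).
    public static string ThreadIdentity()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return string.Format("{0} (level={1}, auth={2})",
                id.Name, id.ImpersonationLevel, id.AuthenticationType);
        }
    }

    // Identity of the worker process itself. Impersonate(IntPtr.Zero) reverts
    // the thread to the process token until the context is disposed.
    public static string ProcessIdentity()
    {
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return id.Name;
        }
    }

    // Identity seen by a child started with the Process class. The child is
    // created from the worker process token, not the thread token.
    public static string ChildProcessIdentity()
    {
        ProcessStartInfo psi = new ProcessStartInfo("whoami.exe");
        psi.UseShellExecute = false;
        psi.RedirectStandardOutput = true;
        psi.CreateNoWindow = true;
        using (Process p = Process.Start(psi))
        {
            string output = p.StandardOutput.ReadToEnd();
            p.WaitForExit();
            return output.Trim();
        }
    }
}
```

Writing all three values to the application log from a page handler shows which account the command line tool runs as and whether the thread token carries the Delegation level.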


