Re: Creating files in a unc shared drive.

From: Alex (alex_dinu_at_adp.com.(nospam))
Date: 08/17/05


Date: Wed, 17 Aug 2005 05:21:09 -0700

I'm not sure why my manager doesn't want to enable kerberos delegation in
iis. Running all sites under the user won't be a problem. It's a generic
system user who does have permissions to perform tasks.

Thanks
"Joe Kaplan (MVP - ADSI)" wrote:

> It means all of the other web sites on the machine will have the worker
> process running as your domain account too. This may or may not be a bad
> thing, depending on what it can do.
>
> What's the problem with Kerberos delegation? It is probably the best way to
> solve this problem. The other good way is to put the code that does the UNC
> access in a seperate component and set it up in COM+ to run as your domain
> identity. That way only this piece of code has the special privileges. Of
> course, this is more complicated to implement and deploy, but offers more
> security.
>
> Joe K.
>
> "Alex" <alex_dinu@adp.com.(nospam)> wrote in message
> news:5EE84268-3ACF-49CF-8992-5B5DFB9F0D53@microsoft.com...
> > This is what we ended up doing, and it seems to work:
> >
> > We set the impersonate="false"
> > We set the user name and password in the <processModel> element to an
> > active
> > directory user
> > We gave the user the proper permissions to the unc share
> >
> > I'm not sure of the reasons, but I've been told to try and get it working
> > without Kerebose\delegation.
> >
> > My only concern is the machine.config changes. I'm not sure how it affects
> > the other web sites we have....
>
>
>



Relevant Pages

  • Re: File Server delegation
    ... Identity) using a custom domain account required for Delegation? ... you're going to use kerberos delegation to make the ... Microsoft MSDN Online Support Lead ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Creating files in a unc shared drive.
    ... > system user who does have permissions to perform tasks. ... >> process running as your domain account too. ... >> What's the problem with Kerberos delegation? ... >> Joe K. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Why must credentials be explictly given when user is already l
    ... successful in retrieving information from AD. Doesn't that mean he is ... "Joe Kaplan" wrote: ... I suggest doing a few searches on Kerberos delegation to get you started. ...
    (microsoft.public.dotnet.security)