Delegation with S4U or How to use S4U to impersonate a user on a remote server?

From: Borislav Marinov (bobbymarino_at_engineer.com)
Date: 10/12/05

    Date: 11 Oct 2005 19:04:27 -0700

    How to use S4U to impersonate a user on a remote server (delegation)
    In an Active Directory domain (2003), I have the following setup:
    A Client computer, an application computer, one or more backend servers
    and a domain controller.
    The user connects (remotely) to the application running on the
    application computer.
    The Application uses Services 4 user (S4U) to obtain a delegation
    token for the user {LsaConnectUntrusted +
    LsaLookupAuthenticationPackage(Kerberos) +
    InitializeLSAString(KerbS4ULogon)}. I am using the same code as the one
    by Keith Brown (MSDN Magazine > April 2003 or
    http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/default.aspx?fig=true#fig1).
    I am able to obtain an impersonation token when running as a local
    system but I was unable to obtain a delegation token this way. With
    this token I can impersonate the user on the application machine but
    not on the backend servers.
    I NEED TO BE ABLE TO IMPERSONATE THE USER ON THE BACK-END SERVERS.
    I did set up the AD to trust the application server and since I am able
    to impersonate the user locally (on the application machine) obviously
    the user allows delegation as well.
    Am I missing some AD parameterization, or is this not the way to obtain
    a delegation token?
    Thanks a lot,
    Bobby Marinov
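The post describes an S4U2Self logon (LsaLogonUser with a KERB_S4U_LOGON buffer) whose token works on the middle tier but not against back-end servers. Whether that token can be forwarded is decided by directory attributes, not by the LSA calls, so the added example below (editor's code, not part of the original post or of Keith Brown's sample) decodes the relevant userAccountControl bits and the msDS-AllowedToDelegateTo list for a service account and a user and reports what the KDC will allow: whether S4U2Self yields an impersonation-level token, and whether S4U2Proxy can reach a given back-end SPN. The account records, SPNs and names are constructed sample data; in practice the same values would be read from AD via LDAP or ADSI.

```python
# Added example, not code from the original post: decode the Active Directory
# settings that gate S4U2Self / S4U2Proxy so an administrator can see why an
# S4U token is usable locally but not on back-end servers.

# userAccountControl bits (ADS_USER_FLAG_ENUM values)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (TrustedToAuthForDelegation)
WORKSTATION_TRUST_ACCOUNT = 0x2000
NORMAL_ACCOUNT = 0x200


def assess_s4u(service_account, user_account, backend_spn):
    """Report what S4U can do for service_account acting on behalf of user_account.

    Both arguments are dicts holding 'userAccountControl' (int); the service
    dict may also hold 'msDS-AllowedToDelegateTo' (list of SPN strings).
    """
    svc_uac = service_account["userAccountControl"]
    usr_uac = user_account["userAccountControl"]
    allowed = {spn.lower() for spn in service_account.get("msDS-AllowedToDelegateTo", [])}
    notes = []

    protocol_transition = bool(svc_uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
    user_can_be_delegated = not (usr_uac & NOT_DELEGATED)

    # S4U2Self: the KDC only marks the service ticket forwardable when the
    # service has TrustedToAuthForDelegation and the user may be delegated;
    # otherwise LsaLogonUser(KerbS4ULogon) yields an identification-level
    # token that is good for access checks but not for opening resources.
    if protocol_transition and user_can_be_delegated:
        token_level = "impersonation"
    else:
        token_level = "identification"
        if not protocol_transition:
            notes.append("service lacks TrustedToAuthForDelegation: S4U2Self token is identification-level")
        if not user_can_be_delegated:
            notes.append("user is marked NOT_DELEGATED")

    # S4U2Proxy: the middle tier may forward the user's identity only to SPNs
    # listed in msDS-AllowedToDelegateTo (constrained delegation).
    backend_reachable = token_level == "impersonation" and backend_spn.lower() in allowed
    if token_level == "impersonation" and not backend_reachable:
        notes.append(f"{backend_spn} is not in msDS-AllowedToDelegateTo")

    # Unconstrained delegation relies on a forwarded TGT; an S4U2Self logon
    # never receives one, so this bit alone does not reach the back end.
    if (svc_uac & TRUSTED_FOR_DELEGATION) and not protocol_transition:
        notes.append("unconstrained delegation is set but does not apply to S4U logons")

    return {"token_level": token_level, "backend_reachable": backend_reachable, "notes": notes}


# Constructed sample records (not real directory objects).
SAMPLE_USER = {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT}

# Middle tier trusted "for delegation to any service" (unconstrained) only.
SVC_UNCONSTRAINED = {
    "sAMAccountName": "APPSRV$",
    "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": [],
}

# Middle tier with constrained delegation plus protocol transition.
SVC_CONSTRAINED = {
    "sAMAccountName": "APPSRV$",
    "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": ["cifs/backend1.corp.example", "MSSQLSvc/backend2.corp.example:1433"],
}

if __name__ == "__main__":
    for label, svc in (("unconstrained", SVC_UNCONSTRAINED), ("constrained", SVC_CONSTRAINED)):
        print(label, assess_s4u(svc, SAMPLE_USER, "cifs/backend1.corp.example"))
```

Running the block shows the two configurations side by side: the unconstrained-only service gets an identification-level token and cannot reach the back end, while the constrained service with protocol transition gets an impersonation-level token that S4U2Proxy may forward to the listed SPNs (and to nothing else).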

