Re: Delegation with S4U or How to use S4U to impersonate a user on a remote server?

From: Borislav Marinov (bobbymarino_at_engineer.com)
Date: 10/13/05


Date: 12 Oct 2005 18:49:04 -0700

I am still getting an "Impersonation" token instead of a
"Delegation" token.
Here is my process token before and the impersonation token produced by
this process (note that the impersonation level on the second one IS
NOT DELEGATION):
============= Original Process Token ===========
Token: 0x00000090, PID: 0x00000550, TID: 0x00000d1c
User: 'svctest@KERBEROS', ATTR:0x00000000
Token type: TokenPrimary
Session ID - token:0x00000000, Process:0x00000000
Privilegues :
                 SeTcbPrivilege :
         SeCreateTokenPrivilege :
  SeAssignPrimaryTokenPrivilege :
       SeIncreaseQuotaPrivilege :
         SeImpersonatePrivilege : Enabled DfltEnabled
    SeEnableDelegationPrivilege :
        SeChangeNotifyPrivilege : Enabled DfltEnabled
            SeSecurityPrivilege :
              SeBackupPrivilege :
             SeRestorePrivilege :
          SeSystemtimePrivilege :
            SeShutdownPrivilege :
      SeRemoteShutdownPrivilege :
       SeTakeOwnershipPrivilege :
               SeDebugPrivilege :
   SeSystemEnvironmentPrivilege :
       SeSystemProfilePrivilege :
SeProfileSingleProcessPrivilege :
SeIncreaseBasePriorityPrivilege :
          SeLoadDriverPrivilege :
      SeCreatePagefilePrivilege :
              SeUndockPrivilege :
        SeManageVolumePrivilege :
        SeCreateGlobalPrivilege : Enabled DfltEnabled
      SeMachineAccountPrivilege :

============= Impersonation Token ===========
Token: 0x000000a4, PID: 0x00000550, TID: 0x00000d1c
User: 'testsvc@KERBEROS', ATTR:0x00000000
Token type: TokenImpersonation
Session ID - token:0x00000000, Process:0x00000000
ImpersonationLvl: SecurityImpersonation
Privilegues :
               SeTcbPrivilege : Enabled DfltEnabled
       SeCreateTokenPrivilege : Enabled DfltEnabled
SeAssignPrimaryTokenPrivilege : Enabled DfltEnabled
       SeImpersonatePrivilege : Enabled DfltEnabled
  SeEnableDelegationPrivilege : Enabled DfltEnabled
      SeChangeNotifyPrivilege : Enabled DfltEnabled
    SeMachineAccountPrivilege : Enabled DfltEnabled


