Re: Delegating an impersonated account with ASP.NET



a) Verify that Kerberos (and not NTLM) is being used for authentication.
Kerberos is natively delegatable, NTLM is not.

b) Are you accessing the IIS server by http://servername or
http://servername.domainname.com? or some CNAME alias? If the latter you
will probably need to create an SPN

c) Are you running the web app pool under a custom user account (i.e. not
Network Service, Localsystem or Local Service)? If so, you need to register
the SPN under this user account, and not the machine account (the
machine account is where the SPN is registered by default when IIS is
installed). Use the SetSPN tool from the Windows 2000 Reskit Tools to do
this (you can download it from the Microsoft website).

Those are the main things that I can see are missing from your description
below - maybe you've already done/checked these things - not sure from your
description though.

Cheers
Ken

<morten.ostergaard@xxxxxxxxx> wrote in message
news:1136381320.246978.10870@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: Hello,
:
: I'm developing a small file browsing service in ASP.NET and have some
: problems. What I have done is this:
:
: - An ASP.NET site configured with Windows authentication in Web.config
: and in IIS
: - Configured to use impersonation (actually only for the aspx pages
: that do the file browsing service, but also tried it for the whole
: site).
: - Uses the file browsing services in System.IO
:
: It works fine browsing files on the local machine - both through the
: local file paths and UNC paths, and it seems to be using the
: impersonated user for access rights. But as soon as I want to browse
: files on other machines, it doesn't seem to delegate the user. I can
: browse shares on other servers that are set with rights for "Everyone",
: but not shares that the impersonated user has access to.
:
: I have learned from posts on this newsgroup that both the user that is
: being impersonated (the person that accesses the site) and the servers
: involved should be configured to allow delegation, and I have done
: that. The machine running IIS is a member server of a domain and the
: server I'm trying to show shares from is the AD. The AD was already
: set to "trust computer for delegation" in AD Users&Computers and I've
: configured the other computer to do the same. The user is set to
: "Account is trusted for delegation" - that is the user that accesses
: the ASP.NET page. The ASPNET account is on the member server and it
: doesn't have any setting for delegation. Btw. I'm running Windows 2000
: on the servers and XP on the client.
:
: Any ideas anyone? Are there other places where delegation should be
: switched on? And do I need to do reboots to get the changes in effect?
: I have tried to reboot IIS...
:
: Best regards - and happy new year!
: Morten Ostergaard Nielsen
:
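Added example, not code from Ken's or Morten's posts: a PowerShell checklist for points (b) and (c) above. It works out which SPNs a browser will request for the name in the URL, finds which AD account holds them, and reports whether that matches the app pool identity and is trusted for delegation. It assumes a domain-joined machine with rights to query AD, and the hostname, account name and function names are illustrative.

```powershell
# Added example (not from the posts above). Checks points (b) and (c):
# the HTTP/<name> SPNs exist, sit on the account the app pool runs as,
# and that account is trusted for delegation. Assumes a domain-joined
# host and AD read access via the [adsisearcher] type accelerator.

function Get-SpnHolder {
    param([Parameter(Mandatory=$true)][string]$Spn)
    # Return every AD object that has $Spn registered. More than one holder
    # is a duplicate SPN: the KDC cannot pick a key, so the client silently
    # falls back to NTLM, which is not delegatable (point a).
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName','userAccountControl','objectClass'))
    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        [pscustomobject]@{
            Spn                  = $Spn
            Account              = [string]$r.Properties['samaccountname'][0]
            IsComputer           = [bool](@($r.Properties['objectclass']) -contains 'computer')
            TrustedForDelegation = ($uac -band 0x80000) -ne 0   # TRUSTED_FOR_DELEGATION bit
        }
    }
}

function Test-IisDelegationSetup {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,       # host part of the URL users type
        [Parameter(Mandatory=$true)][string]$AppPoolAccount  # e.g. 'CORP\svc-web' or 'NT AUTHORITY\NETWORK SERVICE'
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Network Service and LocalSystem authenticate on the network as the computer
    # account, so their SPNs belong on the computer object; a custom account
    # needs the SPNs on its own user object (point c).
    $expectComputer = $AppPoolAccount -match '^(NT AUTHORITY\\)?(NETWORK SERVICE|SYSTEM)$'
    $expectedSam    = $AppPoolAccount -replace '^.*\\', ''

    # The browser asks for HTTP/<name exactly as typed>, so a short name, a CNAME
    # alias and the FQDN each need their own SPN (point b).
    $fqdn = if ($HostName -like '*.*') { $HostName } else { [System.Net.Dns]::GetHostEntry($HostName).HostName }
    $spns = @("HTTP/$HostName", "HTTP/$fqdn") | Select-Object -Unique

    foreach ($spn in $spns) {
        $holders = @(Get-SpnHolder -Spn $spn)
        if ($holders.Count -eq 0) {
            $findings.Add("MISSING      $spn is not registered; fix: setspn -A $spn $expectedSam")
            continue
        }
        if ($holders.Count -gt 1) {
            $names = ($holders | ForEach-Object { $_.Account }) -join ', '
            $findings.Add("DUPLICATE    $spn is held by $names; remove the extras with setspn -D")
            continue
        }
        $h = $holders[0]
        if ($expectComputer -and -not $h.IsComputer) {
            $findings.Add("WRONG OWNER  $spn is on user '$($h.Account)' but the pool runs as a built-in account (needs the computer account)")
        } elseif (-not $expectComputer -and $h.Account -ne $expectedSam) {
            $findings.Add("WRONG OWNER  $spn is on '$($h.Account)' but the pool runs as '$expectedSam'")
        }
        if (-not $h.TrustedForDelegation) {
            $findings.Add("NO DELEGATION '$($h.Account)' is not trusted for delegation in AD Users & Computers")
        }
    }
    if ($findings.Count -eq 0) {
        $findings.Add("OK  $($spns -join ', ') registered on the right account and trusted for delegation")
    }
    return $findings
}

# Usage (hostname and account are placeholders):
# Test-IisDelegationSetup -HostName 'intranet' -AppPoolAccount 'CORP\svc-web'
```

For point (a), the quickest check is from the page itself: log `WindowsIdentity.GetCurrent().AuthenticationType` and `.ImpersonationLevel` while impersonating. Delegation to the file server only works when the first reads "Kerberos" and the second is `Delegation`; "NTLM" or `Impersonation` means the token cannot leave the IIS box, regardless of the AD checkboxes.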
