Re: Application Pools, Domain User Accounts and Service Principal Names
Let me know what you find. Note that my issues seem to revolve around
protocol transition/constrained delegation too. I get different/better
results in some cases with straight Kerberos delegation. With PT, the SPN
of the delegating process seems to come into play.

Joe K.

"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be631971b38c806849f2e0aa0@xxxxxxxxxxxxxxxxxxxxx
Joe -
You should :)

Tooling is "sub-optimal", I agree.

When I get back home I have to try the A vs CNAME thing - if there is
magic involved it must happen on the server - the TGS_REQ looks exactly
the same IMO.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I was afraid you would say that.

However, the problem with it is that sometimes, no Kerberos traffic is
generated at all, so the reason for NTLM failover is unclear. I still
want the tool that tells me why.

I don't want to try to do my work with Ethereal though. :)

Joe K.

"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be631970a88c805ad2ddda0e0@xxxxxxxxxxxxxxxxxxxxx

Hi,
It is called Ethereal (www.ethereal.com) :)
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com