Re: Kerberos Constrained Delegation For Access To Single Application P
- From: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 25 Apr 2006 00:28:44 +1000
The client gets a Kerberos service ticket based on the FQDN of the remote
service.
You will need to set up a unique FQDN for the resources in question (provided
that it's running under HTTP or HTTPS, or alternatively you can use a unique
port).
The FQDN needs to run under a single user account.
You register the SPN under that account for the FQDN in question.
Cheers
Ken
"Seen "The Bean"" <SeenTheBean@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:00DEC012-66DD-4BAB-B419-5AFFB49C2B81@xxxxxxxxxxxxxxxx
Is there some way to configure a service account used to run an ASP.NET
application pool to delegate identity only to specific virtual directories or
application pools on a remote server?
From what I've read, I've only ever seen constraining delegation down to the
HTTP service on a web service. This is insufficient for our scenarios
because we have many applications that run in various farms and want to
control access between specific applications.
For example:
- 2 Web Servers
- Server 1 Has Web Services: A & B
- Server 2 Has Web Services: C & D
- Web Service A should be able to delegate identity to web service C, but not D
- Web Service B should be able to delegate identity to web service D, but not C
- A & B Can Run as separate service accounts
How do I restrict access from the various service accounts to only specific
virtual directories or application pools on a server?
Possible?
Thanks!
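
The steps in the reply above, applied to the A/B/C/D scenario from the question, as an added example that is not part of the original thread. The domain `CORP`, the account names and the FQDNs are constructed placeholders; it assumes the ActiveDirectory PowerShell module and that each back-end site is already bound to its own FQDN and runs under its own account.

```powershell
# Added example: per-application constrained delegation via unique FQDNs.
# All names below (CORP, svc-web*, *.corp.example.com) are placeholders.
Import-Module ActiveDirectory

# Back-end services: one unique FQDN and one dedicated account each.
$backends = @(
    @{ Account = 'svc-webC'; Spn = 'HTTP/service-c.corp.example.com' },
    @{ Account = 'svc-webD'; Spn = 'HTTP/service-d.corp.example.com' }
)

# Front-end accounts and the only SPN each one may delegate to.
$delegation = @{
    'svc-webA' = @('HTTP/service-c.corp.example.com')   # A -> C, not D
    'svc-webB' = @('HTTP/service-d.corp.example.com')   # B -> D, not C
}

foreach ($b in $backends) {
    # -S refuses to add the SPN if another account already holds it.
    setspn -S $b.Spn "CORP\$($b.Account)"
}

foreach ($front in $delegation.Keys) {
    # -Replace overwrites the whole list, so no broader entry
    # (for example HTTP/<server name>) is left behind.
    Set-ADUser -Identity $front `
        -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$delegation[$front] }
}

# Verification 1: each back-end SPN is held by exactly the intended account.
foreach ($b in $backends) {
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$($b.Spn)'")
    if ($owners.Count -ne 1) {
        Write-Warning "$($b.Spn) is registered on $($owners.Count) objects"
    }
}

# Verification 2: each front-end account lists only its expected target.
foreach ($front in $delegation.Keys) {
    $user   = Get-ADUser -Identity $front -Properties 'msDS-AllowedToDelegateTo'
    $actual = @($user.'msDS-AllowedToDelegateTo')
    $diff   = Compare-Object -ReferenceObject $delegation[$front] -DifferenceObject $actual
    if ($diff) {
        Write-Warning "$front delegation list differs from the expected one: $($actual -join ', ')"
    } else {
        Write-Output "$front -> $($actual -join ', ')"
    }
}
```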