Re: How to start/stop windows service on a remote machine?
- From: "Goran Djuranovic" <goran.djuranovic@xxxxxxxxxxxxxxxxx>
- Date: Thu, 22 Feb 2007 15:52:35 -0500
Hello Steven,
You are absolutely right in your assumption. I was able to make it work by
using choice #2 (Basic Authentication).
However, I did run into another problem. My website was previously
configured to use Integrated Authentication only, but now I cannot use it
because the "double hop" issue comes up, if I use both Basic and Integrated
Authentication. It looks like Integrated overrides Basic.
Is there a way I could combine these two, and eliminate the "double hop" issue?
Thanks a lot.
Goran Djuranovic
"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:mWjB1bkVHHA.1860@xxxxxxxxxxxxxxxxxxxxxxxxx
Hello Goran,
From your description, I understand you have an ASP.NET application which
impersonates the client user (authenticated via integrated Windows
authentication in IIS) and accesses some remote protected resource (a Windows
service on a remote machine). You find the access works when you try visiting
the web application from the webserver locally, but fails when accessed from
another remote client, correct?
Based on my experience, the problem you have met is a typical Windows
authentication double hop issue. For a Windows-authenticated user, the
Windows system issues a security token. For example, when the client uses a
browser to visit your web application, IIS (Windows authentication)
authenticates the client user and issues a Windows token at the server side;
this token can represent that Windows account to access protected
resources on the web server. However, if the webserver (ASP.NET application)
wants to continue on to access another remote machine, this originally
authenticated token will not be able to go across the machine boundary. This
is called the "double hop" limitation. Here is a blog article which describes
this in detail:
#Concerning the credentials double hop issue
http://blogs.msdn.com/nunos/archive/2004/03/12/88468.aspx
The reason why you can get it to work when visiting the ASP.NET application
locally is that when accessing locally, the webserver (IIS and your
application) directly obtains the security token from your logon session on
the webserver. This token hasn't gone through any hop previously; therefore,
it can be forwarded to a further remote machine.
As the above article has mentioned, generally we can consider several means
to work around it:
** use basic authentication (with HTTPS), since basic authentication gets the
clear text credentials from the client and the authenticated token can be
double hopped
** use code to programmatically perform impersonation in our ASP.NET
application; this will need us to supply clear text username/password
credentials
** configure our webserver, the remote machine (to configure the Windows
service) and the Windows accounts that will play in the application to be
delegatable. Thus, we can use Kerberos delegation, which can also overcome
the double hop limitation. However, configuring Kerberos delegation is quite
complex and will require particular configuration on the client, server
and remote machines.
** always use a fixed account (domain account) to access the further remote
server
If you have anything unclear on this or if you have any other particular
questions, please feel free to let me know.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
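
The code-impersonation and fixed-account workarounds listed above, combined in one sketch. This is an added C# example, not code from the thread; the class name, `SRV01`, `MyAppService` and the way credentials reach the method are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.ServiceProcess;

// Hypothetical helper: class name, host and service list are placeholders.
public static class RemoteServiceControl
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // credentials used only for outbound network access
    const int LOGON32_PROVIDER_WINNT50 = 3;      // provider required with NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Only these services on this host may be controlled from the web tier.
    const string TargetMachine = "SRV01";
    static readonly string[] AllowedServices = { "MyAppService" };

    // Credentials are assumed to come from an encrypted configuration section,
    // never from request input or source code.
    public static void Restart(string service, string user, string domain, string password)
    {
        if (Array.IndexOf(AllowedServices, service) < 0)
            throw new ArgumentException("Service is not on the allow list.", "service");

        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // The token carries its own credentials, so the call to the remote
            // machine is a first hop made from the web server itself.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            using (ServiceController sc = new ServiceController(service, TargetMachine))
            {
                TimeSpan wait = TimeSpan.FromSeconds(30);
                if (sc.Status != ServiceControllerStatus.Stopped)
                {
                    sc.Stop();
                    sc.WaitForStatus(ServiceControllerStatus.Stopped, wait);
                }
                sc.Start();
                sc.WaitForStatus(ServiceControllerStatus.Running, wait);
            } // disposing ctx reverts the thread to its previous identity
        }
        finally { CloseHandle(token); }
    }
}
```

With `LOGON32_LOGON_NEW_CREDENTIALS` the password is not checked at `LogonUser` time, so a wrong credential surfaces as an exception from `ServiceController` when the remote machine rejects it. The fixed account should hold start/stop rights on the listed service only.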