Re: The pest of Impersonation



On 27 Sep, 22:29, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi Cliff,

You need to find out whether it is possible to do Kerberos-based auth to the
Java web site that you are calling from the server that you are connecting
from. If Kerb auth is possible there, then delegation is also possible
here.

If you don't have access to that server, you won't be able to see its event
logs. However, you can look at the network traces taken from the front end
web server and examine the traffic to the backend. If Kerberos auth is
being performed, then you'll see that. If it is falling over to NTLM, then
you'll see that instead (although it may not be easy to tell what you are
looking at from a network level if you haven't had much experience looking
at these traces).

The tool I like to use for testing Kerberos auth for HTTP endpoints is a
little GUI tool that comes with the IIS 6 Resource Kit (free download)
called wfetch. It allows you to issue an HTTP request of your choice (GET,
POST, etc.) to a resource and specify the auth you want to do and the
credentials you want to use. To test Kerberos auth, you would select the
Negotiate authentication protocol option. With some experience, you may be
able to tell what type of auth was performed simply by looking at the HTTP
traffic that wfetch shows. However, combining that with a network sniff
will tell you.

Like I said, this stuff can be pretty hard to troubleshoot.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"http://www.directoryprogramming.net
--





ok, I've made the changes to AD, to allow the relevant services to do
any form of delegation

I've re-booted and still nothing.

I checked the security event log of my web site and authentication to
my website is Kerberos, and appears to be working fine.

I don't have any access to the other "Java" based website, so I'm
unable to tell how that is doing authentication.

Surely there's some way in dotnet I could monitor that...to see what
the code is doing and how my authentication is being done on the
foreign machine.

Would it show up if I were to monitor the network traffic using
Ethereal or something like that?

Cliff.

right, I have lots more information

I've done some thorough testing, and I've got myself access to the
foreign webserver.

If I access the java webserver via IE....I see "Kerberos" based
authentication events in the security log.

I've tried just about everything under the sun with my website, but
with "impersonation" off, I only ever authenticate as the servername,
with impersonation on (and it doesn't seem to matter what type of
impersonation I use) I get access denied, or more precisely 401 which
is authorization failed.

I've looked at the Security log on the Java website and when the
asp.net server is not impersonating, I get a kerberos login for the
server name

When impersonation is switched on, I get an "Anonymous Logon" and some
talk of NTLM:

Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x9FF8B8A)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: asp.net web server
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: removed
Source Port: 1773

So, to summarise

The Java website does accept KERBEROS authentication
I am definitely logged on and authenticated to the ASP.NET website
The authentication isn't getting through when I switch to
impersonation.

Cliff.
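An added example (not code from either poster) that reads Security-log records in the "Field: value" layout Cliff quoted and says which of the two cases they show: a Kerberos logon from the server, or the NTLM logon with an empty user name that appears once impersonation is switched on. Both records are constructed; the WEBSRV01$ and EXAMPLE names are assumed.

```python
# Constructed sample records modelled on the Security-log entries quoted in the
# thread (assumption: the "Field: value" layout shown there; names are made up).
KERBEROS_RECORD = """Successful Network Logon:
User Name: WEBSRV01$
Domain: EXAMPLE
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
"""

NTLM_NULL_RECORD = """Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x9FF8B8A)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: asp.net web server
"""


def parse_record(text):
    """Turn one 'Field: value' event-log block into a dict (empty values kept)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def classify_logon(fields):
    """Explain what a Logon Type 3 record says about the credentials that arrived."""
    package = fields.get("Authentication Package", "").upper()
    user = fields.get("User Name", "")
    if package == "KERBEROS":
        return "kerberos: caller presented a service ticket (delegation can work)"
    if package == "NTLM" and (not user or user.upper() == "ANONYMOUS LOGON"):
        # No user name plus NTLM means a null session: the impersonated token on
        # the ASP.NET box had nothing it could forward to the second hop.
        return ("ntlm-null-session: no credentials reached the backend; "
                "typical of an impersonated token that cannot hop to a second server")
    if package == "NTLM":
        return "ntlm: password-based auth, cannot be delegated further"
    return "unknown"
```

Run it over records exported from the backend's Security log: a steady run of the null-session result while impersonation is on is the double-hop symptom Cliff describes, whereas Kerberos records with the caller's name show delegation is taking effect.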



