Re: The pest of Impersonation
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 3 Oct 2007 10:16:57 -0500
OK, so in this case it is just the delegation that is failing. This is
actually a good sign.
What you are seeing is that Kerberos auth using impersonation cannot be done
for whatever reason (which we need to figure out), so Negotiate auth tries
NTLM instead and logs in the anonymous (NULL token) user. Since no one in
their right mind grants any access to the anonymous user, you get a 401.
Since it looks like the app pool identity (impersonation off) CAN do Kerb
auth to the other web server and you don't have a configuration problem with an
SPN or IIS setting, it looks like you just don't have rights to delegate.
Are you certain that the app pool identity for the front end web server has
permissions to delegate in AD? Also, are the browser clients being
authenticated with Kerberos on the front end? If those two are true, then
delegation should be possible.
It has been a little while since I looked at this thread, so you might have
to remind me exactly which steps have been confirmed.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
right, I have lots more information
I've done some thorough testing, and I've got myself access to the
foreign webserver.
If I access the Java webserver via IE, I see "Kerberos" based
authentication events in the security log.
I've tried just about everything under the sun with my website, but
with "impersonation" off, I only ever authenticate as the servername;
with impersonation on (and it doesn't seem to matter what type of
impersonation I use) I get access denied, or more precisely 401, which
is authorization failed.
I've looked at the Security log on the Java website and when the
asp.net server is not impersonating, I get a kerberos login for the
server name
When impersonation is switched on, I get an "Anonymous Logon" and some
talk of NTLM:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x9FF8B8A)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: asp.net web server
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: removed
Source Port: 1773
So, to summarise
The Java website does accept KERBEROS authentication
I am definitely logged on and authenticated to the ASP.NET website
The authentication isn't getting through when I switch to
impersonation.
Cliff.
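The symptom Joe describes (Negotiate falling back to NTLM and producing a NULL-token "Anonymous Logon" on the second hop) is easy to spot in the security log if you parse the "Successful Network Logon" records the way Cliff pasted them. The following is an added example, not code from the thread; the sample events, hostnames and addresses are constructed, and the field layout is assumed to match the event text quoted above.

```python
from typing import Dict, List

# Constructed sample events in the layout Cliff quoted. The first is the
# broken hop (NTLM, blank user = anonymous/NULL token), the second is what
# the working hop (app pool identity, impersonation off) looks like.
SAMPLE_EVENTS = [
    """Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x9FF8B8A)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ASPNETWEB01
Source Network Address: 10.0.0.5
Source Port: 1773""",
    """Successful Network Logon:
User Name: ASPNETWEB01$
Domain: EXAMPLE
Logon ID: (0x0,0x9FF9000)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: ASPNETWEB01
Source Network Address: 10.0.0.5
Source Port: 1780""",
]


def parse_event(text: str) -> Dict[str, str]:
    """Turn the 'Field: value' lines of one event into a dict (blank -> '')."""
    fields: Dict[str, str] = {}
    for line in text.splitlines()[1:]:  # skip the "Successful Network Logon:" title
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def classify(fields: Dict[str, str]) -> str:
    """Label a network logon: the Kerberos hop we want, a plain NTLM logon,
    or the anonymous NTLM logon that signals a failed delegation (double hop)."""
    package = fields.get("Authentication Package", "")
    user = fields.get("User Name", "")
    if package == "Kerberos":
        return "kerberos"
    if package == "NTLM" and user in ("", "ANONYMOUS LOGON"):
        return "delegation-failed"  # Negotiate fell back to NTLM with a NULL token
    return "ntlm"


def find_delegation_failures(events: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that show the anonymous-NTLM fallback."""
    parsed = [parse_event(e) for e in events]
    return [f for f in parsed if classify(f) == "delegation-failed"]
```

Run `find_delegation_failures` over exported event text; a non-empty result on the back-end server, while the front end shows Kerberos logons for the browser users, points at the delegation rights or front-end auth questions Joe raises rather than at an SPN problem.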