Kerberos Constrained Delegation for Writing Files
We have a web application deployed on a web server, devfiniis03v. A user
accessing the web site remotely gets an "access to path denied" message when
the program tries to write a file elsewhere on the network
(\\devfs01\data\working\TWMS).
We have tried to use constrained delegation through multiple tiers as
described in the document "How To: Use Protocol Transition and Constrained
Delegation in ASP.NET 2.0". We have been able to successfully get rid of
the error message and create the file on the network share. However, in
order to do this we had selected the "Trust this computer for delegation to
any service (Kerberos only)" option on the Delegation tab of the web server.
We would like to narrow this down to just the needed service so that we can
select the "Trust this computer for delegation to specified services only"
option. So we tried this option and selected the devfs01 computer and the
w3svc service. This seemed to work at first but then stopped working. Someone
had told us that we should select the Workstation or Server service, but we
didn't see services by those names in the drop-down.
What would be the correct service choice? How do you know if the shown
delegation settings are actually in effect? (When we changed back to any
service, it didn’t start working right away).

Additionally, we need clarification on which server the delegation should be
configured. Is it the web server or the file server? According to the above
mentioned article the web server should delegate to the file server, but it
works more consistently when the delegation is on the file server.
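
An added example, not part of the original post, showing in PowerShell how the
delegation settings asked about above are inspected, set and verified. It
assumes the IIS application pool on devfiniis03v runs as Network Service, so
the identity that delegates is the web server's computer account; the domain
name contoso.local and the presence of the ActiveDirectory RSAT module are
assumptions, and the klist commands at the end are what you run on the web
server to see whether a changed setting has actually taken effect.

```powershell
# Added example (not from the original post): inspect and configure Kerberos
# constrained delegation for a web server that must write to an SMB share.
# Assumptions: the IIS application pool runs as Network Service, so the
# delegating identity is the web server's computer account (devfiniis03v$);
# the domain name contoso.local is assumed. Requires the ActiveDirectory RSAT
# module and rights to modify the web server's computer object.
Import-Module ActiveDirectory

$WebServer  = 'devfiniis03v'
$FileServer = 'devfs01'
$Domain     = 'contoso.local'          # assumed domain name

# SMB access to \\devfs01\... requests a service ticket for cifs/devfs01, not
# w3svc. Allow both the short and the fully qualified name, because the ticket
# requested matches whatever name the UNC path uses.
$TargetSpns = @("cifs/$FileServer", "cifs/$FileServer.$Domain")

# 1. Show the current delegation state of a computer account. This is the
#    authoritative view of what the Delegation tab in ADUC has written.
function Get-DelegationState {
    param([string]$Computer)
    $c = Get-ADComputer $Computer -Properties msDS-AllowedToDelegateTo,
        TrustedForDelegation, TrustedToAuthForDelegation
    [pscustomobject]@{
        Account             = $c.SamAccountName
        # "Trust this computer for delegation to any service" (unconstrained)
        Unconstrained       = $c.TrustedForDelegation
        # "Use any authentication protocol" (protocol transition, S4U2Self)
        ProtocolTransition  = $c.TrustedToAuthForDelegation
        # "Trust this computer for delegation to specified services only"
        AllowedToDelegateTo = @($c.'msDS-AllowedToDelegateTo')
    }
}

Get-DelegationState $WebServer | Format-List

# 2. Confirm the file server has an SPN that covers cifs/devfs01.
#    HOST/<name> implies cifs/<name>; an explicit cifs/ SPN is also fine.
$fs = Get-ADComputer $FileServer -Properties servicePrincipalName
$fs.servicePrincipalName | Where-Object { $_ -match '^(HOST|cifs)/' }

# 3. Replace unconstrained delegation with constrained delegation on the
#    WEB SERVER's account: delegation is a property of the account that
#    presents the user's identity onward, so nothing is set on devfs01.
Set-ADAccountControl -Identity "$WebServer$" -TrustedForDelegation $false
Set-ADComputer -Identity $WebServer -Clear 'msDS-AllowedToDelegateTo'
Set-ADComputer -Identity $WebServer -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }

# Needed only when users do NOT authenticate to IIS with Kerberos and the
# web server must obtain their tickets itself (protocol transition, which
# is the scenario of the ASP.NET 2.0 article the post cites). Leave it
# $false for the "Kerberos only" variant.
Set-ADAccountControl -Identity "$WebServer$" -TrustedToAuthForDelegation $true

Get-DelegationState $WebServer | Format-List

# 4. Kerberos tickets are cached, so a changed setting is not used until the
#    web server's existing tickets expire or are purged. On the web server:
#      klist -li 0x3e4 purge     # 0x3e4 is Network Service's logon session
#      iisreset                  # or recycle the application pool
#    then reproduce the request and look for a cifs/devfs01 ticket:
#      klist -li 0x3e4
```

The "any service" option is unconstrained delegation: a compromised web server
could then present any connecting user's credentials to every service in the
forest, which is why narrowing msDS-AllowedToDelegateTo to cifs/devfs01 is
worth the extra work. The delay seen when switching options is the ticket
cache, not the directory: until the web server drops its cached tickets,
klist on the web server still shows tickets issued under the old setting.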