Re: Kerberos Constrained Delegation for Writing Files



The "service class name" for file shares is cifs, so if you wanted to allow
one service to delegate to the file sharing service on a specific server,
you would use an SPN like cifs/servername. In your case, that should be
cifs/devfs01. You should also be able to use HOST/devfs01 since HOST is an
alias for cifs, but using cifs is more explicit and is likely preferred.

The account running the IIS app pool (the computer account for the machine
if the app pool runs as network service or system) is the account that needs
permissions to delegate and has the "allowed to delegate to" list associated
with it if constrained delegation is being used.

The "backend" parts of the delegation such as the file sharing service in
your case just need to have functional Kerberos authentication in place
which generally just means having the correct SPNs registered in AD. These
are normally set correctly for system level services like file sharing
automatically when the machine is joined to the domain, so this is usually a
good assumption with these types of services.

HTH,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Debra" <Debra@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2D512295-428F-468A-8F7A-E9D038E8B792@xxxxxxxxxxxxxxxx
We have a web application deployed on web server, devfiniis03v. A user
accessing the web site remotely gets an "access to path denied" message when
the program tries to write a file elsewhere on the network
(\\devfs01\data\working\TWMS).

We have tried to use constrained delegation through multiple tiers as
described in the document, How To: Use Protocol Transition and Constrained
Delegation in ASP.NET 2.0. We have been able to successfully get rid of
the error message and create the file on the network share. However, in
order to do this we had selected the "Trust this computer for delegation to
any service (Kerberos only)" option on the delegation tab of the web server.
We would like to narrow this down to just the needed service so that we can
select the "Trust this computer for delegation to specified service only"
option. So we tried this option and selected the devfs01 computer and w3svc
service. This seemed to work at first but then stopped working. Someone had
told us that we should select the workstation or server service, but we
didn't see services by those names in the drop down.

What would be the correct service choice? How do you know if the shown
delegation settings are actually in effect? (When we changed back to any
service, it didn't start working right away).

Additionally, we need clarification on which server the delegation is
configured. Is it the web server or the file share? According to the above
mentioned article the web share should delegate to the file share but it
works more consistently when the delegation is on the file share.
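Joe's two points above (the "allowed to delegate to" list lives on the web server's computer account; the file server only needs its own SPNs) can be audited and applied from PowerShell. This is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module and rights to edit both computer objects, takes the server names from the thread, and reads the DNS suffix from the domain rather than guessing it.

```powershell
# Added example (not from the original thread): check the delegation setup Joe
# describes and, if needed, replace "any service" with constrained delegation
# to cifs/devfs01 only. Assumes the ActiveDirectory module and edit rights on
# both computer objects; the DNS suffix is read from the domain, not assumed.
Import-Module ActiveDirectory

$WebServer  = 'devfiniis03v'   # IIS host whose computer account delegates
$FileServer = 'devfs01'        # target of the delegation (file sharing = cifs)
$Suffix     = (Get-ADDomain).DNSRoot
$Targets    = @("cifs/$FileServer", "cifs/$FileServer.$Suffix")

# 1. The file server side only needs working Kerberos, i.e. its SPNs. File
#    sharing is served under HOST/..., which AD maps to cifs, so HOST entries
#    registered at domain join are what we expect to find.
$fs = Get-ADComputer -Identity $FileServer -Properties servicePrincipalName
$hostSpns = $fs.servicePrincipalName | Where-Object { $_ -like 'HOST/*' }
if (-not $hostSpns) {
    Write-Warning "$FileServer has no HOST/ SPNs; Kerberos to its shares will fail"
}

# 2. The web server's computer account carries the delegation configuration
#    (Network Service / LocalSystem app pools authenticate as the machine).
$web = Get-ADComputer -Identity $WebServer -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

if ($web.TrustedForDelegation) {
    # "Trust this computer for delegation to any service (Kerberos only)" is
    # unconstrained delegation: the box may impersonate callers to every service.
    Write-Warning "$WebServer is trusted for UNCONSTRAINED delegation"
}
$allowed = @($web.'msDS-AllowedToDelegateTo')
$missing = $Targets | Where-Object { $allowed -notcontains $_ }

if ($missing) {
    Write-Host "Constraining $WebServer to: $($Targets -join ', ')"
    # Add both short and FQDN forms, since clients may request either name.
    Set-ADComputer -Identity $WebServer -Add @{'msDS-AllowedToDelegateTo' = $missing}
    # Drop the "any service" flag; the constrained list replaces it.
    Set-ADComputer -Identity $WebServer -TrustedForDelegation $false
}
# Keep it "Kerberos only": leave TrustedToAuthForDelegation (protocol
# transition, "use any authentication protocol") off unless the front end
# really has to accept non-Kerberos logons.

# 3. A changed setting is not "in effect" until fresh tickets are issued. On
#    the web server (elevated), purge the app pool identity's ticket cache:
#    klist -li 0x3e7 purge   (LocalSystem)    klist -li 0x3e4 purge   (Network Service)
```

The warnings are the audit output; the two Set-ADComputer calls only run when the constrained list is incomplete, so the script is safe to re-run as a periodic check.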
