Re: Kerberos Constrained Delegation for Writing Files
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 29 Apr 2008 11:55:13 -0500
The "service class name" for file shares is cifs, so if you wanted to allow
one service to delegate to the file sharing service on a specific server,
you would use an SPN like cifs/servername. In your case, that should be
cifs/devfs01. You should also be able to use HOST/devfs01 since HOST is an
alias for cifs, but using cifs is more explicit and is likely preferred.
The account running the IIS app pool (the computer account for the machine
if the app pool runs as network service or system) is the account that needs
permissions to delegate and has the "allowed to delegate to" list associated
with it if constrained delegation is being used.
The "backend" parts of the delegation such as the file sharing service in
your case just need to have functional Kerberos authentication in place
which generally just means having the correct SPNs registered in AD. These
are normally set correctly for system level services like file sharing
automatically when the machine is joined to the domain, so this is usually a
good assumption with these types of services.
HTH,
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Debra" <Debra@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2D512295-428F-468A-8F7A-E9D038E8B792@xxxxxxxxxxxxxxxx
We have a web application deployed on web server, devfiniis03v. A user accessing the web site remotely gets an "access to path denied" message when the program tries to write a file elsewhere on the network (\\devfs01\data\working\TWMS).

We have tried to use constrained delegation through multiple tiers as described in the document, How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0. We have been able to successfully get rid of the error message and create the file on the network share. However, in order to do this we had selected the "Trust this computer for delegation to any service (Kerberos only)" option on the delegation tab of the web server.

We would like to narrow this down to just the needed service so that we can select the "Trust this computer for delegation to specified service only" option. So we tried this option and selected the devfs01 computer and w3svc service. This seemed to work at first but then stopped working. Someone had told us that we should select the workstation or server service, but we didn't see services by those names in the drop down.

What would be the correct service choice? How do you know if the shown delegation settings are actually in effect? (When we changed back to any service, it didn't start working right away.)

Additionally, we need clarification on which server the delegation is configured. Is it the web server or the file share? According to the above mentioned article the web share should delegate to the file share but it works more consistently when the delegation is on the file share.
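The configuration Joe describes, as a worked example added here and not part of the original exchange: setting the cifs/devfs01 delegation entry on the web server's computer account and reading back what is actually in effect. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the operator can modify the devfiniis03v computer object; the server and domain names come from the thread.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory PowerShell
# module (RSAT) and rights to modify the web server's computer object.
Import-Module ActiveDirectory

$WebServer  = 'devfiniis03v'   # front end: IIS app pool as Network Service/System
$FileServer = 'devfs01'        # back end reached over SMB (\\devfs01\data\...)
$DnsDomain  = (Get-ADDomain).DNSRoot

# 1. The back end only needs working Kerberos, i.e. its SPNs registered.
#    HOST/<name> is added automatically at domain join and is an alias for cifs.
setspn -L $FileServer

# 2. Constrained delegation is configured on the account that forwards the
#    user's identity: the web server's computer account when the app pool
#    runs as Network Service or LocalSystem. The "specified services only"
#    tab in ADUC is just an editor for msDS-AllowedToDelegateTo. Both the
#    short and the FQDN form are listed because the KDC matches the exact
#    SPN the SMB client asks for.
$Targets = @("cifs/$FileServer", "cifs/$FileServer.$DnsDomain")
Set-ADComputer -Identity $WebServer -Replace @{ 'msDS-AllowedToDelegateTo' = $Targets }

# Moving from "any service (Kerberos only)" to "specified services only":
# clear the unconstrained flag so the list above is what actually applies.
Set-ADComputer -Identity $WebServer -TrustedForDelegation $false

# 3. Read back what is really in effect rather than trusting the GUI tab.
$Acct = Get-ADComputer $WebServer -Properties 'msDS-AllowedToDelegateTo','TrustedForDelegation','userAccountControl'
[PSCustomObject]@{
    Account             = $Acct.Name
    Unconstrained       = $Acct.TrustedForDelegation
    # 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION ("use any authentication protocol")
    ProtocolTransition  = ($Acct.userAccountControl -band 0x1000000) -ne 0
    AllowedToDelegateTo = $Acct.'msDS-AllowedToDelegateTo' -join '; '
}

# 4. A change that "does not start working right away" is usually one that
#    has not yet replicated to the DC the web server actually talks to.
#    Find that DC from the web server (nltest /dsgetdc:$DnsDomain) and
#    repeat the read-back against it with -Server <dc> before blaming IIS.
```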