Re: Constrained delegation question!
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 22 Jun 2009 08:26:41 -0500
It should work although I've never tested this scenario.
I'd suggest delegating the SPN for HOST/server to the IIS app pool identity (or the computer account if you use network service or system) to see if that works. If you are using the full DNS name to connect to the remote machine, use that SPN instead. You can also delegate both.
If you are getting Kerberos authentication to the remote machine, then the constrained delegation should work here. You can check the security event logs on the remote machine to discover how you are authenticating. If you get NTLM, then it will not work.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Tony201" <Tony201@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:53E59DB5-B9AC-4D85-B65C-29667E94C725@xxxxxxxxxxxxxxxx
Can I use constrained delegation to allow my web application to control
services on a remote server? At the moment, I have code that when run on my
local machine (XP - no double hop) is able to control services on remote
servers. However, when I move the web application to an IIS server, I get the
error listed below. I am guessing that I need to set up an SPN but don't know
how to do it for the Service Control Manager. Any ideas?
[Win32Exception (0x80004005): Access is denied]
[InvalidOperationException: Cannot open Service Control Manager on computer 'serverxxxx'. This operation might require other privileges.]
System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String machineName, Int32 serviceControlManaqerAccess) +35775
System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String machineName) +9
System.ServiceProcess.ServiceController.GetServicesOfType(String machineName, Int32 serviceType) +143
System.ServiceProcess.ServiceController.GetServices(String machineName) +9
AutonomyAdmin.test.test2() +400
AutonomyAdmin.test.Page_Load(Object sender, EventArgs e) +137
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
System.Web.UI.Control.OnLoad(EventArgs e) +99
System.Web.UI.Control.LoadRecursive() +50
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627
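
The security event log check suggested in the reply, as an added example that is not part of the original thread: it reads logon events and reports whether each network logon used Kerberos or NTLM. It assumes Windows Server 2008 or later, where a successful logon is Security event 4624; the function name `Get-LogonAuthPackage` and the sample domain, users and address are constructed for illustration.

```powershell
# Added example (not from the original post).
# Assumption: successful logons are Security event 4624 and the event's
# EventData carries AuthenticationPackageName (Windows Server 2008 or later).
function Get-LogonAuthPackage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml   # XML of one 4624 event, e.g. from $event.ToXml()
    )
    process {
        $doc  = [xml]$EventXml
        $data = @{}
        foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # LogonType 3 is a network logon, the kind a remote SCM call produces.
        if ($data['LogonType'] -ne '3') { return }
        [pscustomobject]@{
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Source      = $data['IpAddress']
            AuthPackage = $data['AuthenticationPackageName']
            # Per the reply: NTLM here means the delegated hop will not work.
            IsKerberos  = ($data['AuthenticationPackageName'] -eq 'Kerberos')
        }
    }
}

# Constructed sample events (not real log data) so the block runs offline.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">{0}</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">{1}</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
($template -f 'alice', 'Kerberos'), ($template -f 'bob', 'NTLM') |
    Get-LogonAuthPackage | Format-Table -AutoSize

# Live use on the remote server (requires rights to read the Security log):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 200 |
#     ForEach-Object { $_.ToXml() } | Get-LogonAuthPackage
```

Run the live query right after reproducing the failing request from the IIS server, then look for the end user's account rather than the app pool identity in the `User` column.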