Re: Constrained delegation question!

Hi Joe,

Thanks for the reply. For this application, I have already set up delegation
for SQL Server access, so I have an SPN for my DNS/IIS App Pool Identity. In
Active Directory under the delegation tab (for the IIS App Pool Identity), I have
allowed delegation to the SQL Server service; however, I don't know how to
allow delegation to the Service Control Manager. E.g., for SQL Server, under the
delegation tab, I click Add and then type in the account that I created the
SQL Server SPN for. For allowing the Service Control Manager, which user would I
need to type in, and then what service should I add? Alternatively, how would
I set up an SPN to allow delegation to Windows services?

Cheers,
Tan

"Joe Kaplan" wrote:

It should work although I've never tested this scenario.

I'd suggest delegating the SPN for HOST/server to the IIS app pool identity
(or the computer account if you use network service or system) to see if
that works. If you are using the full DNS name to connect to the remote
machine, use that SPN instead. You can also delegate both.

If you are getting Kerberos authentication to the remote machine, then the
constrained delegation should work here. You can check the security event
logs on the remote machine to discover how you are authenticating. If you
get NTLM, then it will not work.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Tony201" <Tony201@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:53E59DB5-B9AC-4D85-B65C-29667E94C725@xxxxxxxxxxxxxxxx
Can I use constrained delegation to allow my web application to control
services on a remote server? At the moment, I have code that, when run on my
local machine (XP - no double hop), is able to control services on remote
servers. However, when I move the web application to an IIS server, I get the
error listed below. I am guessing that I need to set up an SPN but don't know
how to do it for the Service Control Manager. Any ideas?

[Win32Exception (0x80004005): Access is denied]

[InvalidOperationException: Cannot open Service Control Manager on computer 'serverxxxx'. This operation might require other privileges.]

System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String machineName, Int32 serviceControlManagerAccess) +35775
System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String machineName) +9
System.ServiceProcess.ServiceController.GetServicesOfType(String machineName, Int32 serviceType) +143
System.ServiceProcess.ServiceController.GetServices(String machineName) +9
AutonomyAdmin.test.test2() +400
AutonomyAdmin.test.Page_Load(Object sender, EventArgs e) +137
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
System.Web.UI.Control.OnLoad(EventArgs e) +99
System.Web.UI.Control.LoadRecursive() +50
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627
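The two steps Joe describes above (delegate the remote machine's HOST/ SPN to the app pool identity, then check the remote machine's security log for Kerberos vs NTLM), written out as an added PowerShell example; this is not code from the thread. It assumes the app pool runs as a domain account 'svc-webapp', that the remote server is 'APPSRV01' in 'contoso.local' (all placeholders), and that the ActiveDirectory module is available.

```powershell
# Added example, not from the thread. Placeholders: the app pool identity
# 'svc-webapp', the remote server 'APPSRV01' and the domain 'contoso.local'.
Import-Module ActiveDirectory

$appPoolAccount = 'svc-webapp'
$targetHost     = 'APPSRV01'
$targetFqdn     = 'APPSRV01.contoso.local'

# Step 1: allow the app pool account to delegate to the remote machine's HOST/
# SPNs (both short and FQDN forms, so it works whichever name the web app uses).
# HOST/ SPNs already exist on the computer account; nothing new is registered.
# Remote Service Control Manager access goes over SMB named pipes, which
# authenticates to the machine's HOST/ SPN, so no separate SCM SPN is needed.
$spns = @("HOST/$targetHost", "HOST/$targetFqdn")
Set-ADUser -Identity $appPoolAccount -Add @{ 'msDS-AllowedToDelegateTo' = $spns }

# Keep it Kerberos-only constrained delegation. Protocol transition would let the
# account obtain tickets for users without their Kerberos credentials, which is
# only justified when the first hop genuinely cannot be Kerberos.
Set-ADAccountControl -Identity $appPoolAccount -TrustedToAuthForDelegation $false

# Show what the account may now delegate to, for review.
Get-ADUser $appPoolAccount -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# Step 2: on the remote machine, list network logons (logon type 3) from the last
# hour and group them by authentication package. 'NTLM' for the web app's users
# means the first hop never got Kerberos, and constrained delegation cannot work.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -ComputerName $targetHost `
    -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType
            AuthPackage = $d.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
            SourceIp    = $d.IpAddress
        }
    } |
    Where-Object { $_.LogonType -eq '3' } |
    Group-Object AuthPackage, User -NoElement |
    Sort-Object Count -Descending
```

Run the second half with an account that can read the remote Security log; the first half needs rights to modify the app pool account in AD.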