Re: Constrained delegation question!
The account to delegate to would be the domain computer account for the machine running the services. I think you should be able to use the service type "HOST" which is a wildcard for a bunch of stuff and typically covers these built in RPC things like remote management.

I'm not sure what this would look like in the GUI exactly. I usually make this type of change using a lower level tool but hopefully this gives you the idea.

You should not need to create a new SPN though. You are just delegating to an existing one. The HOST/xxx SPNs for the computer account are created automatically when the machine is joined to the domain.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Tony201" <Tony201@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:2C4151CD-7BE0-4DD4-8D29-B6503FADE28A@xxxxxxxxxxxxxxxx
Hi Joe,

Thanks for the reply. For this application, I have already set up delegation
for SQL Server access so I have an SPN for my DNS/IIS App Pool Identity. In
Active Directory under the delegation tab (for IIS App Pool Identity), I have
allowed delegation to the SQL Server service, however, I don't know how to
allow delegation to the Service Control Manager. E.g., for SQL Server, under the
delegation tab, I click add and then type in the account that I created the
SQL Server SPN for. For allowing Service Control Manager, which user would I
need to type in and then what service should I add? Alternatively, how would
I set up an SPN to allow delegation to Windows Services?

Cheers,
Tan

"Joe Kaplan" wrote:

It should work although I've never tested this scenario.

I'd suggest delegating the SPN for HOST/server to the IIS app pool identity
(or the computer account if you use network service or system) to see if
that works. If you are using the full DNS name to connect to the remote
machine, use that SPN instead. You can also delegate both.

If you are getting Kerberos authentication to the remote machine, then the
constrained delegation should work here. You can check the security event
logs on the remote machine to discover how you are authenticating. If you
get NTLM, then it will not work.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Tony201" <Tony201@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:53E59DB5-B9AC-4D85-B65C-29667E94C725@xxxxxxxxxxxxxxxx
> Can I use constrained delegation to allow my web application to control
> services on a remote server? At the moment, I have code that when run on my
> local machine (XP - no double hop) is able to control services on remote
> servers. However, when I move the web application to an IIS server, I get the
> error listed below. I am guessing that I need to set up an SPN but don't know
> how to do it for the Service Control Manager. Any ideas?
>
> [Win32Exception (0x80004005): Access is denied]
>
> [InvalidOperationException: Cannot open Service Control Manager on computer
> 'serverxxxx'. This operation might require other privileges.]
>
> System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String machineName, Int32 serviceControlManagerAccess) +35775
> System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String machineName) +9
> System.ServiceProcess.ServiceController.GetServicesOfType(String machineName, Int32 serviceType) +143
> System.ServiceProcess.ServiceController.GetServices(String machineName) +9
> AutonomyAdmin.test.test2() +400
> AutonomyAdmin.test.Page_Load(Object sender, EventArgs e) +137
> System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
> System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
> System.Web.UI.Control.OnLoad(EventArgs e) +99
> System.Web.UI.Control.LoadRecursive() +50
> System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627
>

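The steps Joe describes above (confirm the target computer account already has its HOST/ SPNs, add those SPNs to the app pool identity's allowed-to-delegate list with a lower-level tool rather than the GUI, then check the remote machine's security log to see whether the web server arrives with Kerberos or NTLM), worked through as an added PowerShell example. This is not code from the thread or from either poster. It assumes the ActiveDirectory module from RSAT, a Windows Server 2008 or later target (so logons are event 4624, not the 540/552 events of the 2003-era systems in the thread), and placeholder names `CONTOSO\svc_webapp` for the IIS app pool identity and `serverxxxx` for the remote machine.

```powershell
# Added example, not from the original thread. Assumes RSAT ActiveDirectory
# module and a Server 2008+ target; account and server names are placeholders.
$AppPoolSam   = 'svc_webapp'   # sAMAccountName of the IIS app pool identity (assumed)
$TargetServer = 'serverxxxx'   # machine whose services the web app controls (from the thread)

# 1. HOST/<name> and HOST/<fqdn> are registered on the computer account at
#    domain join. Confirm they exist: we delegate to an existing SPN, we do
#    not create one for the Service Control Manager.
$computer = Get-ADComputer -Identity $TargetServer -Properties servicePrincipalName, DNSHostName
$hostSpns = $computer.servicePrincipalName | Where-Object { $_ -like 'HOST/*' }
if (-not $hostSpns) { throw "No HOST/ SPNs found on $TargetServer; check the computer account." }
$hostSpns

# 2. Constrained delegation, "Use Kerberos only": the Delegation tab writes the
#    chosen services into msDS-AllowedToDelegateTo on the delegating account.
#    Add both the NetBIOS and FQDN forms so it works however the app connects.
$spnsToAllow = @("HOST/$($computer.Name)", "HOST/$($computer.DNSHostName)")
Set-ADUser -Identity $AppPoolSam -Add @{ 'msDS-AllowedToDelegateTo' = $spnsToAllow }

# Verify what is now allowed.
(Get-ADUser -Identity $AppPoolSam -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'

# 3. On the remote machine, see how the web server is authenticating. Network
#    logons (LogonType 3) record the package used; if it reads NTLM rather than
#    Kerberos, constrained delegation will not work and the SPN/Negotiate setup
#    on the IIS side needs fixing first.
$events = Get-WinEvent -ComputerName $TargetServer `
    -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500

$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = "$($data.TargetDomainName)\$($data.TargetUserName)"
        Logon   = $data.LogonType                 # 3 = network logon
        Package = $data.AuthenticationPackageName # 'Kerberos' or 'NTLM'
        Source  = $data.IpAddress
    }
} | Where-Object { $_.Logon -eq '3' } |
    Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Run steps 1 and 2 as a domain account that can write the app pool identity's attributes; step 3 needs the right to read the remote Security log. Look for rows whose User is the app pool identity: a Package of Kerberos means the first hop is right and the delegation should carry through, while NTLM means the Service Control Manager call will keep failing with "Access is denied" regardless of what msDS-AllowedToDelegateTo contains.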