Re: Constrained delegation question!




Hi Joe,

You are right, there is a service called HOST on the target server, which I have now delegated to the IIS AppPool account. However, I am still getting access denied. The one thing I forgot to mention in my earlier posts is that when I browse to the application locally (i.e. on the web server), it works; however, when I browse to it from an XP box I get access denied.

The thing that perplexes me is that there are no failure audit events on any of the servers, including the domain controllers. The only two events that might be related (i.e. they are generated every time I browse to the application from my XP box, and they mention the web server name) are listed below.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 23/06/2009
Time: 10:22:03
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: TARGET-SERVER
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x7D98711)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WEB-SERVER
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.16.224.1
Source Port: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 23/06/2009
Time: 10:22:06
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: TARGET-SERVER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x7D98711)
Logon Type: 3
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


"Joe Kaplan" wrote:

The account to delegate to would be the domain computer account for the machine running the services. I think you should be able to use the service type "HOST", which is a wildcard for a bunch of stuff and typically covers these built-in RPC things like remote management.

I'm not sure what this would look like in the GUI exactly. I usually make this type of change using a lower-level tool, but hopefully this gives you the idea.

You should not need to create a new SPN though. You are just delegating to an existing one. The HOST/xxx SPNs for the computer account are created automatically when the machine is joined to the domain.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Tony201" <Tony201@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2C4151CD-7BE0-4DD4-8D29-B6503FADE28A@xxxxxxxxxxxxxxxx
Hi Joe,

Thanks for the reply. For this application, I have already set up delegation for SQL Server access, so I have an SPN for my DNS/IIS App Pool Identity. In Active Directory under the delegation tab (for IIS App Pool Identity), I have allowed delegation to the SQL Server service; however, I don't know how to allow delegation to the Service Control Manager. E.g., for SQL Server, under the delegation tab, I click Add and then type in the account that I created the SQL Server SPN for. For allowing Service Control Manager, which user would I need to type in, and then what service should I add? Alternatively, how would I set up an SPN to allow delegation to Windows Services?

Cheers,
Tan

"Joe Kaplan" wrote:

It should work, although I've never tested this scenario.

I'd suggest delegating the SPN for HOST/server to the IIS app pool identity (or the computer account if you use Network Service or System) to see if that works. If you are using the full DNS name to connect to the remote machine, use that SPN instead. You can also delegate both.

If you are getting Kerberos authentication to the remote machine, then the constrained delegation should work here. You can check the security event logs on the remote machine to discover how you are authenticating. If you get NTLM, then it will not work.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Tony201" <Tony201@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:53E59DB5-B9AC-4D85-B65C-29667E94C725@xxxxxxxxxxxxxxxx
Can I use constrained delegation to allow my web application to control services on a remote server? At the moment, I have code that, when run on my local machine (XP - no double hop), is able to control services on remote servers. However, when I move the web application to an IIS server, I get the error listed below. I am guessing that I need to set up an SPN but don't know how to do it for the Service Control Manager. Any ideas?

[Win32Exception (0x80004005): Access is denied]

[InvalidOperationException: Cannot open Service Control Manager on computer 'serverxxxx'. This operation might require other privileges.]
   System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String machineName, Int32 serviceControlManagerAccess) +35775
   System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String machineName) +9
   System.ServiceProcess.ServiceController.GetServicesOfType(String machineName, Int32 serviceType) +143
   System.ServiceProcess.ServiceController.GetServices(String machineName) +9
   AutonomyAdmin.test.test2() +400
   AutonomyAdmin.test.Page_Load(Object sender, EventArgs e) +137
   System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
   System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
   System.Web.UI.Control.OnLoad(EventArgs e) +99
   System.Web.UI.Control.LoadRecursive() +50
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627
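Joe's two suggestions (delegate to the target's existing HOST SPN, then read the target's Security log to see whether the second hop arrives as Kerberos or NTLM) as one runnable check. This is an added example, not code from anyone in the thread. It assumes the RSAT ActiveDirectory module, rights to edit the app pool account, and remote read access to the target's Security log; the account and host names are placeholders standing in for the ones in the post, and it queries event 4624, the Server 2008+ successor of the 540 event quoted above (same fields).

```powershell
# Added example (not from the thread). Assumes: RSAT ActiveDirectory module,
# rights to edit the app pool account, and remote read access to the target's
# Security log. All names are placeholders for the ones in the post.
param(
    [string]$AppPoolAccount = 'svc-iis-apppool',   # sAMAccountName of the IIS app pool identity (assumed)
    [string]$TargetServer   = 'target-server',     # machine whose Service Control Manager is opened
    [string]$WebServer      = 'web-server'         # IIS front end; appears as WorkstationName on the target
)

Import-Module ActiveDirectory

$targetFqdn = ([System.Net.Dns]::GetHostEntry($TargetServer)).HostName

# 1. HOST/<name> SPNs are registered on the computer account at domain join.
#    Confirm they are there; nothing new needs to be created.
$computer = Get-ADComputer -Identity $TargetServer -Properties servicePrincipalName
$hostSpns = @($computer.servicePrincipalName | Where-Object { $_ -like 'HOST/*' })
Write-Host "HOST SPNs on ${TargetServer}:"
$hostSpns | ForEach-Object { Write-Host "  $_" }

# 2. Constrained delegation is stored on the FRONT-END account (the app pool identity)
#    in msDS-AllowedToDelegateTo. Adding both the NetBIOS and FQDN forms covers
#    whichever name the code connects with. This is the attribute the Delegation tab's
#    Add -> Users or Computers -> (target computer) -> HOST writes.
$wanted  = @("HOST/$TargetServer", "HOST/$targetFqdn")
$user    = Get-ADUser -Identity $AppPoolAccount -Properties msDS-AllowedToDelegateTo
$current = @($user.'msDS-AllowedToDelegateTo')
$missing = @($wanted | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0) {
    Set-ADUser -Identity $AppPoolAccount -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
    Write-Host "Added to msDS-AllowedToDelegateTo: $($missing -join ', ')"
} else {
    Write-Host "Delegation to $($wanted -join ', ') already configured."
}

# 3. Read the target's Security log: network logons (type 3) whose WorkstationName is
#    the web server. Kerberos with the browsing user's name means the delegated ticket
#    arrived. NTLM as ANONYMOUS LOGON is what the post shows: the classic double-hop
#    symptom, where the web server's impersonation token could not be used to
#    authenticate onward and the connection went out as a null session.
$events = Get-WinEvent -ComputerName $TargetServer -MaxEvents 1000 `
    -FilterHashtable @{ LogName = 'Security'; Id = 4624 }

$events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # keep only network logons originating from the web server
    if ($d['LogonType'] -ne '3' -or $d['WorkstationName'] -ne $WebServer) { return }

    $verdict = if ($d['AuthenticationPackageName'] -eq 'Kerberos') {
        'Kerberos: delegation reached the target'
    } elseif ($d['TargetUserName'] -eq 'ANONYMOUS LOGON') {
        'NTLM null session: no credentials were forwarded (double hop failed)'
    } else {
        'NTLM: will not delegate'
    }

    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        AuthPackage = $d['AuthenticationPackageName']
        Source      = $d['IpAddress']
        Verdict     = $verdict
    }
} | Format-Table -AutoSize
```

Run it from an admin workstation with RSAT installed. Step 3 checks the second hop only; the first hop has to be Kerberos too, or there is no forwardable ticket to delegate. The same query run against the web server, with the XP box's name in place of `$WebServer`, shows how the browser authenticated to IIS: that hop needs an HTTP/<web-server> SPN on the app pool account and Negotiate enabled in IIS, and a browser on the web server itself bypasses this because it never has to cross a second machine. On a Server 2003 target, substitute `Get-EventLog -LogName Security -ComputerName $TargetServer -InstanceId 540` and parse the message text instead of the XML.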




