Delegate user credentials (double-hop issue)

From: morosan liviu via .NET 247 (anonymous_at_dotnet247.com)
Date: 06/14/04

    Date: Mon, 14 Jun 2004 08:13:35 -0700
    
    

    Hi, everyone!
    I tried to use the Net security library from the "Microsoft Remoting Security..." sample in order to solve the double-hop problem. I want to access a database server (situated on computer C) from a Windows service running under the Local System account (on computer B) using the credentials of a client logged on to computer A.
    When I impersonate the user inside the Windows service (on comp. B), even if Thread.CurrentPrincipal.Identity.Name returns the name of the client logged on to computer A, the connection to the RDB gives me the "Logging failed for user NT_AUTHORITY\SYSTEM".
    In Active Directory I have:
    "Account is sensitive and cannot be delegated" not checked for Comp A (but "Account is trusted for delegation" is checked);
    and for comp B the checkbox "Trusted for delegation" is checked.
    Could it be a problem with Active Directory?
    All computers are running under an AD domain (Win 2k Server).
    Thanks, Liviu
