Re: IIS Delegation

From: Rainier (Rainier_at_discussions.microsoft.com)
Date: 08/12/05

Date: Fri, 12 Aug 2005 00:25:02 -0700


    Joe thanks,

    I read that we should do a lot of administrative work.
    I'm going to buy the book :-)

    Rainier

    "Joe Kaplan (MVP - ADSI)" wrote:

    > The worker process for ASP.NET needs to be a domain account that has rights
    > to delegate set in AD. You can't use a local machine account for the
    > process account, whether it is the ASPNET account or the local
    > administrator.
    >
    > You can use SYSTEM, which will run on the network as the machine account,
    > but that is bad from a security standpoint. It is better to create a low
    > privileged service account in AD to use. However, this account will also
    > need SPNs set so that it can delegate. The machine account has those by
    > default, but a service account will not.
    >
    > Keith Brown has a good article on this in his book in a wiki at
    > www.pluralsight.com.
    >
    > Joe K.
    >
    >
    > "Rainier" <Rainier@discussions.microsoft.com> wrote in message
    > news:316191F0-5E3A-4CB5-AB10-9F6BDB2FBCDC@microsoft.com...
    > > I'm working in an IIS5.0 IE5 ASP.NET1.1 environment.
    > > I need delegation, I have read that this should be possible using Kerberos.
    > >
    > > But how can I get Kerberos to work and how can I test it?
    > >
    > > Currently I've got code that does the following:
    > > System.Security.Principal.WindowsIdentity winId =
    > > System.Security.Principal.WindowsIdentity.GetCurrent();
    > >
    > > When I test for the authentication type:
    > > winId.AuthenticationType
    > > It will return 'NTLM'
    > >
    > > While winId.Name returns the correctly impersonated user. So impersonation
    > > works.
    > >
    > > Now the domain name *mydomain is registered as local domain in IE.
    > > Users are logged on the domain and I'm running the ASPNET environment not
    > > under the default ASPNET user but under the administrator account. (This is
    > > because I found something about log on locally rights)
    > >
    > > I'm fresh out of ideas.
    > >
    > > Rainier.
    > >
    > >
    > >
    > >
    > >
    >
    >
    >
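An added diagnostic for the question Rainier asks above ("how can I test it?"): my own code, not from the thread. It extends the AuthenticationType check with the impersonation level of the current token, because the second hop needs both a Kerberos logon and a delegation-level token, which is what Joe's SPN and "trusted for delegation" requirements produce. It targets .NET 1.1 via P/Invoke (the class name and messages are my own); .NET 2.0 and later expose the same value as WindowsIdentity.ImpersonationLevel.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical diagnostic helper, not code from the thread. Call Report() from an
// impersonating ASP.NET 1.1 page to see whether a second hop can work at all.
public class DelegationDiagnostics
{
    const int TokenImpersonationLevelClass = 9;   // TOKEN_INFORMATION_CLASS value
    const int ERROR_INVALID_PARAMETER = 87;       // what a primary token returns
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr buffer, int bufferLength, out int returnLength);
    // SECURITY_IMPERSONATION_LEVEL: 0 Anonymous, 1 Identification, 2 Impersonation,
    // 3 Delegation. Returns -1 when the handle is a primary (non-impersonation) token.
    public static int GetImpersonationLevel(IntPtr token)
    {
        IntPtr buffer = Marshal.AllocHGlobal(4);
        try
        {
            int returned;
            if (GetTokenInformation(token, TokenImpersonationLevelClass, buffer, 4, out returned))
                return Marshal.ReadInt32(buffer);
            int error = Marshal.GetLastWin32Error();
            if (error == ERROR_INVALID_PARAMETER)
                return -1;
            throw new ApplicationException("GetTokenInformation failed, Win32 error " + error);
        }
        finally
        {
            Marshal.FreeHGlobal(buffer);
        }
    }
    // Who the caller is, which package authenticated them, and how far the token can travel.
    public static string Report()
    {
        WindowsIdentity winId = WindowsIdentity.GetCurrent();
        int level = GetImpersonationLevel(winId.Token);
        string text = "User: " + winId.Name + "\r\nAuthenticationType: " + winId.AuthenticationType
                    + "\r\nImpersonationLevel: " + level + "\r\n";
        if (winId.AuthenticationType != "Kerberos")
            text += "NTLM fallback: no forwardable ticket, so delegation cannot work. Check the process account's SPNs and the browser zone.\r\n";
        else if (level < 3)
            text += "Kerberos, but the token is not delegation level: the process account is probably not trusted for delegation in AD.\r\n";
        else
            text += "Kerberos with a delegation-level token: the second hop should succeed.\r\n";
        return text;
    }
}
```

Run it with impersonation enabled in web.config; a level of -1 means the page is not impersonating at all and is running as the process account.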

