Re: IIS Delegation
From: Rainier (Rainier_at_discussions.microsoft.com)
Date: Fri, 12 Aug 2005 00:25:02 -0700
I read that we should do a lot of administrative work.
I'm going to buy the book :-)
"Joe Kaplan (MVP - ADSI)" wrote:
> The worker process for ASP.NET needs to be a domain account that has rights
> to delegate set in AD. You can't use a local machine account for the
> process account, whether it is the ASPNET account or the local
> You can use SYSTEM, which will run on the network as the machine account,
> but that is bad from a security standpoint. It is better to create a low
> privileged service account in AD to use. However, this account will also
> need SPNs set so that it can delegate. The machine account has those by
> default, but a service account will not.
> Keith Brown has a good article on this in his book in a wiki at
> Joe K.
> "Rainier" <Rainier@discussions.microsoft.com> wrote in message
> > I'm working in an IIS5.0 IE5 ASP.NET1.1 environment.
> > I need delegation, I have read that this should be possible using Kerberos.
> > But how can I get Kerberos to work and how can I test it?
> > Currently I've got code that does the following:
> > System.Security.Principal.WindowsIdentity winId =
> > System.Security.Principal.WindowsIdentity.GetCurrent();
> > When I test for the authentication type:
> > winId.AuthenticationType
> > It will return 'NTLM'
> > While winId.Name returns the correctly impersonated user. So impersonation
> > works.
> > Now the domain name *mydomain is registered as local domain in IE.
> > Users are logged on the domain and I'm running the ASPNET environment not
> > under the default ASPNET user but under the administrator account. (This
> > because I found something about log on locally rights)
> > I'm fresh out of ideas.
> > Rainier.
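
The preconditions named in the reply above (a domain account for the worker process, trusted for delegation in AD, with SPNs set) and the Kerberos-versus-NTLM observation from the question can be checked together against an account's directory attributes. This is an added example, not code from the thread: the account records, host name and dictionary keys are constructed, and only the userAccountControl bit values are the documented Active Directory ones.

```python
# Added example: all records below are constructed; names and hosts are hypothetical.
UF_NORMAL_ACCOUNT = 0x200
UF_WORKSTATION_TRUST = 0x1000        # machine account
UF_TRUSTED_FOR_DELEGATION = 0x80000  # AD userAccountControl bit: trusted for delegation

def delegation_findings(account, site_host, auth_type):
    """List what still blocks Kerberos delegation for the worker-process account.

    account:   dict of directory attributes (is_local=True for a machine-local account)
    site_host: host name clients use to reach the site
    auth_type: WindowsIdentity.AuthenticationType as reported by the page
    """
    findings = []
    if auth_type.lower() != "kerberos":
        findings.append("request authenticated with %s, not Kerberos" % auth_type)
    if account.get("is_local"):
        # e.g. the default ASPNET account: there is no AD object to grant rights to
        findings.append("process account is local, not a domain account")
        return findings
    if not account.get("userAccountControl", 0) & UF_TRUSTED_FOR_DELEGATION:
        findings.append("account is not trusted for delegation")
    # SPNs compare case-insensitively; HOST/ covers HTTP/ through AD's default SPN
    # mappings, which is why a machine account needs no extra SPN.
    spns = {s.lower() for s in account.get("servicePrincipalName", [])}
    host = site_host.lower()
    if not spns & {"http/" + host, "host/" + host}:
        findings.append("no HTTP SPN for %s on the account" % site_host)
    return findings

SITE = "web01.mydomain.example"  # hypothetical site host name
SAMPLE_ACCOUNTS = {
    "local_aspnet": {"is_local": True},
    "new_service_account": {"userAccountControl": UF_NORMAL_ACCOUNT,
                            "servicePrincipalName": []},
    "ready_service_account": {
        "userAccountControl": UF_NORMAL_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
        "servicePrincipalName": ["HTTP/web01.mydomain.example", "HTTP/web01"]},
    "machine_account": {
        "userAccountControl": UF_WORKSTATION_TRUST | UF_TRUSTED_FOR_DELEGATION,
        "servicePrincipalName": ["HOST/WEB01.mydomain.example", "HOST/WEB01"]},
}

if __name__ == "__main__":
    for name, acct in SAMPLE_ACCOUNTS.items():
        for auth in ("NTLM", "Kerberos"):
            print(name, auth, delegation_findings(acct, SITE, auth) or "ok")
```
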