Re: IIS Delegation

From: Rainier (Rainier_at_discussions.microsoft.com)
Date: 08/12/05

Date: Fri, 12 Aug 2005 00:25:02 -0700

    Joe thanks,

    I read that we have to do a lot of administrative work.
    I'm going to buy the book :-)

    Rainier

    "Joe Kaplan (MVP - ADSI)" wrote:

    > The worker process for ASP.NET needs to be a domain account that has rights
    > to delegate set in AD. You can't use a local machine account for the
    > process account, whether it is the ASPNET account or the local
    > administrator.
    >
    > You can use SYSTEM, which will run on the network as the machine account,
    > but that is bad from a security standpoint. It is better to create a low
    > privileged service account in AD to use. However, this account will also
    > need SPNs set so that it can delegate. The machine account has those by
    > default, but a service account will not.
    >
    > Keith Brown has a good article on this in his book, in a wiki at
    > www.pluralsight.com.
    >
    > Joe K.
    >
    >
    > "Rainier" <Rainier@discussions.microsoft.com> wrote in message
    > news:316191F0-5E3A-4CB5-AB10-9F6BDB2FBCDC@microsoft.com...
    > > I'm working in an IIS 5.0 / IE 5 / ASP.NET 1.1 environment.
    > > I need delegation, and I have read that this should be possible using Kerberos.
    > >
    > > But how can I get Kerberos to work, and how can I test it?
    > >
    > > Currently I've got code that does the following:
    > >
    > > System.Security.Principal.WindowsIdentity winId =
    > >     System.Security.Principal.WindowsIdentity.GetCurrent();
    > >
    > > When I test for the authentication type:
    > >
    > > winId.AuthenticationType
    > >
    > > it returns 'NTLM',
    > > while winId.Name returns the correctly impersonated user. So impersonation
    > > works.
    > >
    > > Now the domain name *mydomain is registered as a local (intranet) domain in IE.
    > > Users are logged on to the domain, and I'm running the ASP.NET environment not
    > > under the default ASPNET user but under the administrator account. (This is
    > > because I found something about "log on locally" rights.)
    > >
    > > I'm fresh out of ideas.
    > >
    > > Rainier.
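The prerequisites Joe lists (a domain account as the worker-process identity, HTTP SPNs registered on that account rather than on the machine, and the account trusted for delegation) can be checked and fixed from a domain-joined box. The script below is an added example and is not part of the original thread or of Keith Brown's book; the host names web01 / web01.mydomain.local, the service account svc-web, the back-end SPN MSSQLSvc/db01.mydomain.local:1433, and the availability of the ActiveDirectory PowerShell module (RSAT) and a setspn.exe that supports -Q (Windows Server 2008 or later; on 2000/2003 use setspn -L per account instead) are all assumptions.

```powershell
# Added example, not from the thread. Assumptions: the site answers as web01 and
# web01.mydomain.local, the worker process runs as MYDOMAIN\svc-web, the
# ActiveDirectory module and a -Q capable setspn.exe are installed.
#Requires -Modules ActiveDirectory
param(
    [string]$ServiceAccount = 'svc-web',
    [string[]]$HostNames    = @('web01', 'web01.mydomain.local'),
    [string]$BackEndSpn     = 'MSSQLSvc/db01.mydomain.local:1433',  # assumed back end
    [switch]$Fix                                                    # apply changes
)

$wanted = $HostNames | ForEach-Object { "HTTP/$_" }

# 1. The process identity must be a domain account. A local account (ASPNET,
#    the local Administrator) has no AD object, so this lookup fails for it.
$acct = Get-ADUser -Identity $ServiceAccount `
            -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
Write-Host "Account: $($acct.DistinguishedName)"

# 2. HTTP/<name> SPNs must be on the process account. The machine account has
#    HOST/<name> by default, which covers HTTP only while the process runs as
#    SYSTEM; a custom service account starts with no SPNs at all.
$have    = @($acct.servicePrincipalName)
$missing = $wanted | Where-Object { $have -notcontains $_ }

foreach ($spn in $wanted) {
    # The same SPN on two accounts breaks Kerberos silently: clients fall back
    # to NTLM, which is exactly the symptom in the thread. setspn -Q searches
    # the forest and prints each owning object's DN on a line starting "CN=".
    $owners = setspn -Q $spn 2>$null | Where-Object { $_ -match '^CN=' }
    $others = $owners -notmatch [regex]::Escape($acct.DistinguishedName)
    if ($others) { Write-Warning "$spn is already registered on: $($others -join '; ')" }
}

if ($missing) {
    Write-Host "Missing SPNs on ${ServiceAccount}: $($missing -join ', ')"
    if ($Fix) { Set-ADUser -Identity $acct -ServicePrincipalNames @{Add = $missing} }
}

# 3. The account must be allowed to delegate. The thread describes unconstrained
#    delegation (TRUSTED_FOR_DELEGATION, 0x80000 in userAccountControl), which
#    lets the web server impersonate users to *any* service. Constrained
#    delegation (msDS-AllowedToDelegateTo) limits a compromised web server to
#    the listed back-end SPNs, so that is what -Fix configures here.
$constrained = @($acct.'msDS-AllowedToDelegateTo')
if ($acct.TrustedForDelegation) {
    Write-Warning "$ServiceAccount is trusted for UNCONSTRAINED delegation; consider constraining it"
} elseif ($constrained.Count -eq 0) {
    Write-Host "Delegation is not enabled for $ServiceAccount"
    if ($Fix) { Set-ADUser -Identity $acct -Add @{'msDS-AllowedToDelegateTo' = $BackEndSpn} }
} else {
    Write-Host "Constrained delegation allowed to: $($constrained -join ', ')"
}
```

Run it once without -Fix to see what is wrong, then with -Fix. After changing SPNs or delegation settings, restart the worker process (iisreset) and have the test user purge cached tickets (klist purge) so a fresh service ticket is requested; the page from the original post should then report winId.AuthenticationType as Kerberos instead of NTLM. Two client-side conditions also have to hold, or IE will keep negotiating NTLM: the site must be in the Local intranet zone (so the browser sends credentials at all) and "Enable Integrated Windows Authentication" must be ticked in IE's advanced options, since without it IE never offers Negotiate.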

