Re: Delegation across trusted domains

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 09/19/05


Date: Mon, 19 Sep 2005 04:16:38 -0700

Hello Paul,

As long as there is a path of trust between all parties - this should work.

Make sure that Kerberos is used between browser and web server, e.g. by inspecting
the security log - you should see a logon event for the client - the authentication
package has to be Kerberos (instead of NTLM) - or use a sniffer like www.ethereal.com
to see if Kerberos Service Ticket Requests are being made. For delegation
to work you need Kerb auth all the way through.

Read more here:
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi, I've already posted this in a different group, but I've received
> no responses...
>
> -------
>
> I have some load balanced IIS servers, which get content and .NET
> applications from clustered file servers using UNC shares. The content
> within the shares is secured using NTFS file permissions. I've turned
> on delegation so that the IIS servers are allowed to delegate to the
> file servers, and this is working.
>
> We have a separate (but trusted) domain; users from this domain have
> also been granted rights to the files on the file servers, however
> they are being denied access to the content through the IIS servers. I
> can only assume that the delegation is only working for users which
> are on the same domain as the servers?
>
> If it is not possible, this will seriously mess up how some of our
> applications work... so I'm hoping someone has a solution.
>
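
Added example (not part of the original post, and not code from either poster): the security-log check suggested in the reply, written in Python over constructed event XML. It assumes the current Security log format (logon event 4624 with `LogonType` and `AuthenticationPackageName` fields), which the post does not name; all users and domains are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Assumption: Windows event XML namespace and event 4624 ("logon") field names.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(user, domain, package, logon_type="3"):
    """Build one constructed 4624 event; all values are made up."""
    fields = {"TargetUserName": user, "TargetDomainName": domain,
              "LogonType": logon_type, "AuthenticationPackageName": package}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample log from the web server (not from the original post).
SAMPLE_LOG = "<Events>" + "".join([
    _event("alice", "CORP", "Kerberos"),
    _event("bob", "PARTNER", "NTLM"),
    _event("carol", "PARTNER", "Kerberos"),
    _event("svc_backup", "CORP", "NTLM", logon_type="5"),  # service logon
]) + "</Events>"

def network_logons(xml_text):
    """Yield (domain, user, package) for each network logon (LogonType 3)."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        d = {x.get("Name"): (x.text or "")
             for x in ev.iterfind("e:EventData/e:Data", NS)}
        if d.get("LogonType") == "3":
            yield (d.get("TargetDomainName"), d.get("TargetUserName"),
                   d.get("AuthenticationPackageName"))

def non_kerberos_users(xml_text):
    """Users whose network logon used something other than Kerberos."""
    return sorted({f"{dom}\\{user}" for dom, user, pkg in network_logons(xml_text)
                   if pkg != "Kerberos"})

def packages_by_domain(xml_text):
    """Count authentication packages per user domain."""
    counts = defaultdict(Counter)
    for dom, _user, pkg in network_logons(xml_text):
        counts[dom][pkg] += 1
    return {dom: dict(c) for dom, c in counts.items()}

if __name__ == "__main__":
    print("Not Kerberos:", non_kerberos_users(SAMPLE_LOG))
    print("By domain:", packages_by_domain(SAMPLE_LOG))
```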


