Re: NegotiateStream delegation issue (or a bug?)
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 11 May 2007 11:37:58 -0500
To access another service on a different machine using Kerberos, you can't
use the IP address because there won't be an SPN in AD that matches the IP
address, only the host name or DNS name. That would likely explain why you
can't get Kerberos auth and thus can't delegate. If you look on the remote
machine in the security event log (assuming logon audit events are enabled
for success and failure), you should see a logon for NT Authority\Anonymous
via NTLM. That's usually what happens when SPNEGO can't negotiate to Kerb
and uses NTLM instead.
The SPNs associated with file shares are either cifs/xxxxx or HOST/xxxxx.
HOST is an alias for a variety of different services. Those SPNs should be
set on the machine account for the server. Essentially, you should be able
to use whatever names in your share path that have registered SPNs, which by
default are the plain host name and the server's DNS domain name.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<DAXU@xxxxxxxxxxx> wrote in message
news:1178893306.728883.7240@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,
I use NegotiateStream to test Kerberos and delegation in my windows
2003 test domain. My code is this:
private static WindowsIdentity LogonUserTCPListen(string userName,
string domain, string password)
{
// need a full duplex stream - loopback is easiest way to
get that
TcpListener tcpListener = new
TcpListener(IPAddress.Loopback, 0);
tcpListener.Start();
WindowsIdentity id = null;
tcpListener.BeginAcceptTcpClient(delegate(IAsyncResult
asyncResult)
{
try
{
using (NegotiateStream serverSide = new
NegotiateStream(
tcpListener.EndAcceptTcpClient(asyncResult).GetStream()))
{
serverSide.AuthenticateAsServer(CredentialCache.DefaultNetworkCredentials,
ProtectionLevel.EncryptAndSign,
TokenImpersonationLevel.Delegation);
id =
(WindowsIdentity)serverSide.RemoteIdentity;
}
}
catch
{ id = null; }
}, null);
using (NegotiateStream clientSide = new
NegotiateStream(new TcpClient("localhost",
((IPEndPoint)tcpListener.LocalEndpoint).Port).GetStream()))
{
clientSide.AuthenticateAsClient(new
NetworkCredential(userName, password, domain),
"RAM/lab2-srv-2k3-8.test-lab2.local",
ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Delegation);
}
return id;
}
to use this function:
WindowsIdentity ID= LogonUserTCPListen("someuser, "test-lab2.local",
"8ik,7UJM");
using (WindowsImpersonationContext impersonationContext =
ID.Impersonate())
{
// ...
try
{
//not working
DirectoryInfo info = new DirectoryInfo(@"\
\10.10.10.7\home");
FileInfo[] infos = info.GetFiles();
MessageBox.Show(infos.Length.ToString());
}
catch (Exception ex)
{
MessageBox.Show(ex.GetBaseException().Message);
//works
DirectoryInfo info = new DirectoryInfo(@"\\lab2-
srv-2k3-7\home");
FileInfo[] infos = info.GetFiles();
MessageBox.Show(infos.Length.ToString());
}
finally
{
impersonationContext.Undo();
}
}
Kerberos and delegation (which means that I have set SPN right). ButFrom debugging mode, I can see that windowsIdentity ID is using
when I do impersonation, it can not access unc path "\
\10.10.10.7\home" which is on another machine. The error is access
denied. The most strangest thing is that if I put computer name there
instead of ip address in the UNC path, then it works.
Can someone give me some ideas?
Cheers,
Jerry
.
- Follow-Ups:
- Re: NegotiateStream delegation issue (or a bug?)
- From: Dominick Baier
- Re: NegotiateStream delegation issue (or a bug?)
- Prev by Date: Active Directory Membership Provider Configuration Error
- Next by Date: Re: NegotiateStream delegation issue (or a bug?)
- Previous by thread: Active Directory Membership Provider Configuration Error
- Next by thread: Re: NegotiateStream delegation issue (or a bug?)
- Index(es):
Relevant Pages
|
