Re: Serializing credentials and reauthenticating. How?



If you need to call the IIS server using integrated authentication and have
some control over the proxy client that the ALSB uses to call IIS, then you
could probably make this work. However, it would be much easier to use
Kerberos S4U and constrained delegation to accomplish this. S4U allows you
to generate a Kerb ticket for a user given only their username and
constrained delegation allows you to impersonate that token locally so that
you can use it to access another resource on the network. Using an approach
like this allows the IIS server to just receive normal Kerberos
authentication and is thus much cleaner. You would just need the user's
username as input, so you would likely pass that through a SOAP header. You
would need to decide if you wanted to include any additional
authentication/authorization into the proxy client itself.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
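The S4U2Self plus constrained-delegation flow described in the reply above, written out as an added example for .NET Framework; this is not code from the thread or from either poster. It assumes the account running the ALSB-side proxy (or whatever middle tier holds the username) is trusted in AD for constrained delegation with protocol transition ("use any authentication protocol") to the IIS host's HTTP SPN, that IIS has Integrated Windows Authentication enabled, and that the username has already been pulled out of the SOAP header. The class and method names (`S4UCaller`, `CallIisAsUser`) and the URL are illustrative.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Principal;

// Hypothetical helper, not from the original post.
// Prerequisites (assumed): the process account is trusted for constrained
// delegation with protocol transition to HTTP/<iis-host> in AD, and the IIS
// site uses Integrated Windows Authentication.
public static class S4UCaller
{
    public static string CallIisAsUser(string userPrincipalName, string url)
    {
        // S4U2Self: ask the KDC for a service ticket to ourselves on behalf of
        // the named user. Only the UPN is needed, no password or client ticket.
        using (WindowsIdentity userIdentity = new WindowsIdentity(userPrincipalName))
        {
            // Practitioner check: without the protocol-transition right, S4U2Self
            // still succeeds but hands back an Identification-level token that
            // cannot be used to reach another host. Fail loudly instead of
            // silently calling IIS as the service account.
            if (userIdentity.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            {
                throw new InvalidOperationException(
                    "S4U2Self returned an identification-only token for " + userPrincipalName +
                    "; verify the service account is trusted for delegation with protocol transition.");
            }

            // Impersonate locally, then let the HTTP stack do Kerberos to the IIS SPN.
            // The KDC issues that ticket via S4U2Proxy, so IIS sees a normal
            // Kerberos authentication from the original user.
            using (WindowsImpersonationContext ctx = userIdentity.Impersonate())
            {
                HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
                request.UseDefaultCredentials = true; // use the impersonated token
                request.PreAuthenticate = true;

                using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
                using (StreamReader reader = new StreamReader(response.GetResponseStream()))
                {
                    return reader.ReadToEnd();
                }
            }
        }
    }
}

// Example use (UPN and URL are placeholders):
// string body = S4UCaller.CallIisAsUser("cliff@example.corp", "http://iis-host.example.corp/svc/Service.asmx");
```

Two things worth stressing for whoever wires this in: the username in the SOAP header is unauthenticated input, so anything reaching this method can obtain a ticket for any user the delegation rules allow, which is why the reply suggests adding authentication on the proxy client itself; and the delegation should be constrained to exactly the IIS HTTP SPN rather than "trust for delegation to any service", since the latter turns a compromise of the middle tier into the ability to impersonate any user anywhere.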
"Gatecrasher" <Gatecrasher@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:563D718F-B194-4585-987F-C4555939B8F6@xxxxxxxxxxxxxxxx
Can this be done in some way?

I have a .NET client.
I have an Aqualogic Service Bus (ALSB)
I have an IIS server

I am calling a Web Service on ALSB which goes on to call a Web Service on IIS

The ALSB is configured with ANON security to avoid a credential store
IIS is configured ANON because NTLM/Kerberos is bounced by ALSB and there
is no impersonation in ALSB

I want to be sure the original caller is logged into the domain when we get
to IIS. I want to do the following.

Get the current user's Kerberos ticket (they are logged onto a domain)
Serialize this token and put it into a SOAP header as an encoded string (or
something). This passes all the way to IIS untouched
An HTTP extension on IIS de-serializes the ticket and checks it is still valid
against the DC

Can this or something similar be achieved?

I don't want to change security settings or introduce extra servers, like ADFS.

Cliff
