Re: IIS security problem

From: Brjann Brekkan (bbrekkan@hotmail.com)
Date: 10/30/02


This is a problem with how the user logs on and where the Access Token is
created.
The Access Token can only make one hop! From Client machine to Webserver or
from Webserver to AD server. This means that when you logon to your machine
you will create your token and then when you access the web server with
integrated authentication that Token is presented to the webserver and
you're logged on based on that info. Now you want to use your credentials to
update records in AD, but the Webserver can't use your token to access
the AD Server.
The solution is to use Basic Authentication because the Access Token is created
on the webserver when it receives your username and password. The Server can
then use your Access Token to access the AD Server.

Solution nr 2 is to use Kerberos Delegation: if all machines in this
solution are part of the AD and the User account is a member of that domain,
you could use this technique. I haven't tested this in a long time, but what
I can remember is that the Webserver must be set to "Trusted for Delegation"
in AD Users and Computers. What I can't remember is if you have to change
that setting on the user accounts as well.

Hope this helps

Brjann Brekkan
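Solution nr 2 depends on account settings in AD, so an administrator will want to check them rather than guess. The PowerShell below is an added audit example, not code from the thread (it assumes the ActiveDirectory RSAT module on a domain-joined machine, and the hypothetical names WEBSRV01 for the IIS server and "alexander" for a test user).

```powershell
# Added example: audit the AD settings that Kerberos delegation depends on.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
# WEBSRV01 and 'alexander' are hypothetical names; substitute your own.
Import-Module ActiveDirectory

$WebServerName = 'WEBSRV01'    # hypothetical IIS server computer account
$UserName      = 'alexander'   # hypothetical user who logs on to the web app

# 1. Is the web server's computer account "Trusted for Delegation"?
#    This is the checkbox in AD Users and Computers the reply refers to
#    (the TRUSTED_FOR_DELEGATION bit of userAccountControl).
$srv = Get-ADComputer -Identity $WebServerName `
    -Properties TrustedForDelegation, ServicePrincipalNames
"{0}: TrustedForDelegation = {1}" -f $srv.Name, $srv.TrustedForDelegation

# Delegation needs a Kerberos ticket, not an NTLM token: the browser must be
# able to find an SPN for the site. HOST/<name> covers HTTP by default when
# the app pool runs as the machine account; a custom identity needs HTTP/<fqdn>.
"SPNs registered on {0}:" -f $srv.Name
$srv.ServicePrincipalNames | Where-Object { $_ -match '^(HOST|HTTP)/' }

# 2. Is the user flagged "Account is sensitive and cannot be delegated"?
#    If so, the server cannot forward this user's credentials no matter how
#    the computer account is configured.
$usr = Get-ADUser -Identity $UserName -Properties AccountNotDelegated
"{0}: AccountNotDelegated = {1}" -f $usr.SamAccountName, $usr.AccountNotDelegated

# 3. Risk review: every computer trusted for (unconstrained) delegation can
#    act as any user who authenticates to it, so the list should be short
#    and deliberate. Domain controllers carry the flag by default; exclude them.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
    -Properties TrustedForDelegation |
    Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
    Select-Object Name, DNSHostName
```

Run step 3 periodically: a web server that stays "Trusted for Delegation" after the application is retired is a standing risk, so clear the flag once it is no longer needed.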

"Alexander" <rotbart@nana.co.il> wrote in message
news:c762acc5.0210280751.3eb4650e@posting.google.com...
> I built a web application that searches and updates Active Directory
> user data. Every logged-in user can update his own details.
> Now the problem:
> I am not familiar with the IIS security engine. There are 3 possible
> security settings in IIS:
>
> -Basic authentication
> -Digest authentication
> -Integrated Windows Authentication
>
> The second option does not fit because of a W2K limitation.
> If I use the "basic" security option, the user CAN update his personal
> details, but before he starts the application a popup window appears and
> the user needs to enter his credentials.
> I do not want this popup, so I set the Integrated Windows Authentication
> option. But then the user CANNOT update his personal details!
>
> What can I do, and why does the problem arise?