Re: UNC Virtual Directories; NTFS permission authentication not ac
- From: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 6 Apr 2007 14:56:05 +1000
If you want Kerberos delegation to work, you need to have everything setup correctly end-to-end.
The browser must authenticate using Kerberos, which means that both IE must attempt Kerberos *and* the relevant server SPNs must be created/set correctly. In an NLB scenario, you'd need to run your worker process under a domain account, and register the virtual hostname that the end user is going to use as an SPN under that domain account. The following may be helpful in getting this working:
IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx
IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
IIS and Kerberos. Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx
IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx
Cheers
Ken
"Jason Carter" <JasonCarter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:046E4A03-2444-4669-B199-B5A1A6B57870@xxxxxxxxxxxxxxxx
Every server is Windows 2003 R2 (web and file server).
I had delegation enabled on the web server to the file server for the HOST
and cifs services in a Windows 2003 native mode active directory.
I am interested in knowing what you think should have been done differently.
I am all for securing the data as much as possible, as long as it works.
Thank you for your response.
"David Wang" wrote:
While I am happy that you have found a solution to your situation, I
have to say that Delegation is NOT the problem. And using Basic over
SSL is NOT necessarily the correct solution.
Basic over SSL is basically the "I give up because I don't understand
delegation" solution because it is insecure, though in your situation
you are using a non-important ConnectAs user whose delegation
properties you do not need to secure.
In other words, Basic/SSL is a passable workaround for your needs, but
it is definitely not the correct solution for the general issue of
delegation which surfaces as soon as you want users to use your web
server to access resources on another server.
What OS is providing the CIFS file services?
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Apr 5, 1:56 pm, Jason Carter
<JasonCar...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Just an update here, I found a solution, though it is not what I > expected.
>
> Everything I read said that I needed to add the Delegation rights from > the
> web server to the file server (HOST and cifs). This turned out to be > the
> problem. Once I removed those delegation rights AND removed the > Integrated
> Windows Authentication option (leaving only Basic Authentication > checked) the
> system worked like it I had hoped, authenticating based on the NTFS
> permissions of the folder the UNC path was pointing to.
>
> This works fine for me since the SSL is required on all connections.
>
> Thanks to anyone who took a look at this and tried to help!!
>
>
>
> "Jason Carter" wrote:
> > This one is driving me crazy. Here is the environment:
>
> > I have one web server, Windows 2003 R2; IIS 6.0, and a files server > > running
> > Windows 2003 R2. Both servers are part of a Windows 2003 native > > Active
> > Directory domain.
>
> > Virtual directories have been created on the web server pointing to a > > UNC
> > share: \\hrfile1\https clients\xxxx. Permissions on the https clients > > share
> > and the xxxx directory are locked down using NTFS permissions and the > > virtual
> > directory is setup with a "connect as" username or password instead > > asking
> > for credentails. SSL is required, anonymous access is unchecked, > > integrated
> > Windows authentication is checked. In addition, hrweb1 is setup for
> > delegation to hrfile1 for the HOST can cifs services.
>
> > The problem I have is that every time I access the site I am prompted > > for my
> > username and password, but even though I enter an username/password > > that is
> > authorized, the login screen keeps popping back up. I have created > > test
> > directories where share and NTFS permissions are set to EVERYONE - > > Full
> > control and still get prompted over and over for credentials.
>
> > If I use the "connect as" option, I am prompted for creditails and > > allowed
> > in, but once in I can browse to any folder, even ones that I am not > > allowed
> > access to, so that is not an option.
>
> > If anyone can help me out, I would really appreciate it.
>
> > It may not matter, but the web server is part of a network load > > balanced
> > system, though I am not testing with the nlb address, just the local > > address
> > on one system.- Hide quoted text -
>
> - Show quoted text -
.
- References:
- Re: UNC Virtual Directories; NTFS permission authentication not accept
- From: David Wang
- Re: UNC Virtual Directories; NTFS permission authentication not ac
- From: Jason Carter
- Re: UNC Virtual Directories; NTFS permission authentication not accept
- Prev by Date: Re: UNC Virtual Directories; NTFS permission authentication not ac
- Next by Date: Re: Convert Self-Signed Certificate?
- Previous by thread: Re: UNC Virtual Directories; NTFS permission authentication not ac
- Index(es):
Relevant Pages
|
