Re: Delegation question
From: Garfield Lewis (galewis_at_SPAM-NO-MOREca.ibm.com)
Date: 01/25/05
- Next message: Inting: "Re: Socket with ssl support"
- Previous message: Shreeniwas Kelkar [MSFT]: "Re: Certutil -sign with more then one valid CA cert"
- In reply to: Joe Kaplan (MVP - ADSI): "Re: Delegation question"
- Next in thread: Joe Kaplan (MVP - ADSI): "Re: Delegation question"
- Reply: Joe Kaplan (MVP - ADSI): "Re: Delegation question"
Date: Mon, 24 Jan 2005 19:35:57 -0500
Hi Joe,
The setup is fairly simple; we do not do anything special, we simply have a
Win2K domain controller and 2 Win2K3 clients. I am not sure what the term
"constrained delegation" refers to and whether this can be done on a Win2K
DC/AD server. Looks like this will need to be reported through official
channels; I am just surprised no one else has seen this before.
Thx,
--
Garfield A. Lewis
IBM Canada Laboratory

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message
news:uifoWjkAFHA.2316@TK2MSFTNGP15.phx.gbl...
> I'd suggest sending this one directly in to Microsoft PSS. I looked at your
> question, but it wasn't immediately obvious to me what the problem was
> (unless you are somehow using a 2K3 feature like constrained delegation or
> something, but you didn't mention that before). The MS guys should be able
> to tear this apart and give you a reasonable answer.
>
> Best of luck,
>
> Joe K.
>
> "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> news:OjHybIkAFHA.2712@TK2MSFTNGP15.phx.gbl...
> > Are there no takers on this question? Should I be asking this question on a
> > different news group?
> >
> > --
> > Garfield A. Lewis
> > IBM Canada Laboratory
> >
> > "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> > news:eBpnx27$EHA.2584@TK2MSFTNGP09.phx.gbl...
> >> Hi All,
> >>
> >> I am trying to figure out if some delegation issues I am seeing are working
> >> as designed or is in fact a bug introduced by one or more of the security
> >> patches that have been applied to Win2K. Here is the basic design of my
> >> application. We have 2 client machines (CL1 and CL2 let's say) and a 3rd
> >> machine which is a domain controller (DC). The client machines have been
> >> set up in the domain so that they have been enabled for delegation.
> >>
> >> 1. on CL1 there is a network share called \\CL1\SHARE1
> >> 2. on CL2 I am running a named pipe server (NPS) that receives requests then
> >> Impersonates the named pipe user (via the ImpersonateNamedPipeUser API) and
> >> then runs the request from the user (using CreateProcessAsUser).
> >> 3. on CL1 there is a client app that actually issues the request to the NPS
> >> server on CL2
> >> 4. if I send the following request across "dir \\CL1\SHARE1" I get the
> >> following results:
> >>
> >> 1. If all 3 machines are all either Win2K or Win2K3 then everything works
> >> 2. If the DC is Win2K and the 2 clients CL1 and CL2 are Win2K3 then I get an
> >> error of "Access is denied"
> >>
> >> Since it all seems to work in a homogeneous environment I don't believe that
> >> this is a generic setup problem. So it must be one of 2 things:
> >>
> >> 1. somehow the setup for a heterogeneous environment is somewhat different
> >> than for a homogeneous one and I just don't understand how to do this or
> >> 2. one or more of the many patches applied to the Win2K domain controller
> >> has now broken this feature because I am certain this worked before because
> >> we have not upgraded our domain controllers to Win2K3 and our test team has
> >> just begun reporting this problem after the Christmas break. We have also
> >> verified that it's not a Win2K3 patch that has broken this because we also
> >> tried and failed with 2 client Win2K3 machines having no patches at all
> >> applied. We are trying to do the same with a Win2K domain controller but
> >> have not gotten around to doing that as yet.
> >>
> >> Has anyone else seen this or know if this is a known problem?
> >>
> >> BTW, if anyone from Microsoft is willing to look into this I can send them a
> >> testcase so they could run the tests themselves. There really isn't much to
> >> reproducing this problem.
> >>
> >> Thx,
> >>
> >> --
> >> Garfield A. Lewis
> >> IBM Canada Laboratory
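The following is an added example, not part of the original thread and not code from either poster. It checks the account-level prerequisites for the second hop described in the post (CL2 reusing the caller's identity against \\CL1\SHARE1) from directory attribute values you have already read; it does not diagnose the cause of the reported error. The function name, the `domain_level_2003` parameter and all sample values are assumptions constructed for illustration; the bit values are the documented userAccountControl flags.

```python
# userAccountControl bits (documented ADS_USER_FLAG_ENUM values)
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained Kerberos delegation
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"


def delegation_blockers(middle_uac, user_uac, allowed_to=(),
                        target_spn="", domain_level_2003=False):
    """Return reasons the middle tier cannot forward the caller's identity.

    middle_uac / user_uac: userAccountControl of the middle-tier computer
    account and of the calling user. allowed_to: the middle tier's
    msDS-AllowedToDelegateTo values (constrained delegation). The
    domain_level_2003 flag is a hypothetical input the operator supplies.
    """
    blockers = []
    if user_uac & NOT_DELEGATED:
        blockers.append("caller is marked sensitive and cannot be delegated")
    if middle_uac & TRUSTED_FOR_DELEGATION:
        return blockers  # unconstrained delegation covers any target service
    allowed = {spn.lower() for spn in allowed_to}
    if not allowed:
        blockers.append("middle tier is not trusted for delegation")
    elif not domain_level_2003:
        blockers.append("constrained delegation requires Windows Server 2003 "
                        "domain functional level")
    elif target_spn.lower() not in allowed:
        blockers.append("target SPN is not in msDS-AllowedToDelegateTo")
    return blockers


if __name__ == "__main__":
    # Constructed sample values: CL2 as the middle tier, a normal user account.
    cl2 = WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
    print(delegation_blockers(cl2, NORMAL_ACCOUNT))                  # no blockers
    print(delegation_blockers(WORKSTATION_TRUST_ACCOUNT, NORMAL_ACCOUNT))
    print(delegation_blockers(cl2, NORMAL_ACCOUNT | NOT_DELEGATED))
```

An empty result only means these account settings do not rule the hop out; the impersonation level of the token the pipe server obtains still has to allow delegation.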