Re: Delegation question
From: Garfield Lewis (galewis_at_SPAM-NO-MOREca.ibm.com)
Date: 01/26/05
- Next message: Alun Jones [MSFT]: "Re: Socket with ssl support"
- Previous message: Eric: "Re: CryptoAPI migration from WinNT to Win2003 server"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: Delegation question"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: Delegation question"
- Reply: Joe Kaplan \(MVP - ADSI\): "Re: Delegation question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Jan 2005 17:48:53 -0500
Hi Joe,
Thanks for your responses. Mine are inserted inline below...

--
Garfield A. Lewis
IBM Canada Laboratory

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:%23dStoO2AFHA.2012@TK2MSFTNGP15.phx.gbl...
> Constrained delegation is a feature of AD 2003. Essentially, it allows you
> to use Kerberos delegation, but instead of the "all or nothing" approach
> that Win2K gave you, you can restrict delegation to specific services. I'm
> no expert at constrained delegation by a long shot as I've never used it,
> only read about it.
>
> However, this does sound like a "regular" delegation problem. Just to make
> sure I understand what's up here:
>
> ID1 on CL1 calls CL2 via named pipe
> CL2 impersonates ID1 on CL2 to do some work
> The work requested tries to access a network share on CL1 using an
> impersonation level token on CL2
>
> If that is the flow, then this could be a traditional "double-hop" issue.

Yes, you are correct, this is a "double-hop" issue....

> The basis of the issue is that an impersonation level token (which is what
> you get when you impersonate the NP client) cannot travel or "hop" to a
> different machine on the network unless Kerberos delegation is available.

I have enabled the machines for delegation at the domain and also enabled the user for delegation, and have made certain that the "account is sensitive and cannot be delegated" setting is not set for this account....

> Typically, you have to enable delegation for either the user account (ID1)
> or the server has to be trusted for delegation (CL2). These settings are
> both set in AD.
>
> Is it possible that your AD settings are slightly different? Are you using
> the exact same process account for the NPS on CL2?

Yes... also remember this works if the clients and DC are all Win2K or all Win2K3. The only time it fails is if the DC is Win2K and the clients (CL1 and CL2) are Win2K3 boxes.

> I'm sure there is someone on this group who can give you a few more pointers
> here. You could try inspecting the access token's type and impersonation
> level using the GetTokenInformation API to see if there are any key
> differences.

I've done some inspection of the token by viewing the process under "Process Explorer" and while there are some differences there doesn't seem to be anything that would cause this type of problem.

> My guess is that this isn't an AD version problem, but an issue with some
> settings that make this whole thing work being slightly different.
>
> Hopefully that helps. If not, hopefully someone else jumps in or PSS can
> bail you out. :)

I've opened an incident with PSS and provided them with the testcase and they are looking into it now. Again, thanks for the help.

> Best of luck,
>
> Joe K.
>
> "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> news:egzyBXnAFHA.1452@TK2MSFTNGP11.phx.gbl...
> > Hi Joe,
> >
> > The setup is fairly simple, we do not do anything special; we simply have a
> > Win2K domain controller and 2 Win2K3 clients. I am not sure what the term
> > "constrained delegation" refers to and whether this can be done on a Win2K
> > DC/AD server. Looks like this will need to be reported through official
> > channels, I am just surprised no one else has seen this before.
> >
> > Thx,
> > --
> > Garfield A. Lewis
> > IBM Canada Laboratory
> >
> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> > in message news:uifoWjkAFHA.2316@TK2MSFTNGP15.phx.gbl...
> >> I'd suggest sending this one directly in to Microsoft PSS. I looked at your
> >> question, but it wasn't immediately obvious to me what the problem was
> >> (unless you are somehow using a 2K3 feature like constrained delegation or
> >> something, but you didn't mention that before). The MS guys should be able
> >> to tear this apart and give you a reasonable answer.
> >>
> >> Best of luck,
> >>
> >> Joe K.
> >>
> >> "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> >> news:OjHybIkAFHA.2712@TK2MSFTNGP15.phx.gbl...
> >> > Are there no takers on this question? Should I be asking this question on
> >> > a different news group?
> >> >
> >> > --
> >> > Garfield A. Lewis
> >> > IBM Canada Laboratory
> >> >
> >> > "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> >> > news:eBpnx27$EHA.2584@TK2MSFTNGP09.phx.gbl...
> >> >> Hi All,
> >> >>
> >> >> I am trying to figure out if some delegation issues I am seeing are
> >> >> working as designed or are in fact a bug introduced by one or more of the
> >> >> security patches that have been applied to Win2K. Here is the basic design
> >> >> of my application. We have 2 client machines (CL1 and CL2, let's say) and a
> >> >> 3rd machine which is a domain controller (DC). The client machines have
> >> >> been set up in the domain so that they have been enabled for delegation.
> >> >>
> >> >> 1. on CL1 there is a network share called \\CL1\SHARE1
> >> >> 2. on CL2 I am running a named pipe server (NPS) that receives requests,
> >> >> then impersonates the named pipe user (via the ImpersonateNamedPipeUser
> >> >> API) and then runs the request from the user (using CreateProcessAsUser).
> >> >> 3. on CL1 there is a client app that actually issues the request to the
> >> >> NPS server on CL2
> >> >> 4. if I send the following request across, "dir \\CL1\SHARE1", I get the
> >> >> following results:
> >> >>
> >> >> 1. If all 3 machines are all either Win2K or Win2K3 then everything works
> >> >> 2. If the DC is Win2K and the 2 clients CL1 and CL2 are Win2K3 then I get
> >> >> an error of "Access is denied"
> >> >>
> >> >> Since it all seems to work in a homogeneous environment I don't believe
> >> >> that this is a generic setup problem. So it must be one of 2 things:
> >> >>
> >> >> 1. somehow the setup for a heterogeneous environment is somewhat different
> >> >> than for a homogeneous one and I just don't understand how to do this, or
> >> >> 2. one or more of the many patches applied to the Win2K domain controller
> >> >> has now broken this feature, because I am certain this worked before,
> >> >> because we have not upgraded our domain controllers to Win2K3 and our test
> >> >> team has just begun reporting this problem after the Christmas break. We
> >> >> have also verified that it's not a Win2K3 patch that has broken this because
> >> >> we also tried and failed with 2 client Win2K3 machines having no patches at
> >> >> all applied. We are trying to do the same with a Win2K domain controller but
> >> >> have not gotten around to doing that as yet.
> >> >>
> >> >> Has anyone else seen this or know if this is a known problem?
> >> >>
> >> >> BTW, if anyone from Microsoft is willing to look into this I can send them
> >> >> a testcase so they could run the tests themselves. There really isn't much
> >> >> to reproducing this problem.
> >> >>
> >> >> Thx,
> >> >>
> >> >> --
> >> >> Garfield A. Lewis
> >> >> IBM Canada Laboratory
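A diagnostic script for the two things the thread checks, the AD-side delegation settings on CL2 and ID1 and the impersonation level of the token on CL2; this is added here as an example and is not code from the thread. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses the thread's names CL2 and ID1 as inputs.

```powershell
# Added diagnostic for the double-hop setup in this thread; it is not code from
# the thread. Assumes the ActiveDirectory module (RSAT) is installed and uses
# the thread's names CL2 (impersonating server) and ID1 (client) as inputs.
Import-Module ActiveDirectory

# AD-side prerequisites Joe lists: CL2 must be trusted for delegation
# (unconstrained, or constrained to specific services on Win2K3), and ID1
# must not carry the "account is sensitive and cannot be delegated" flag.
function Test-DelegationPrereqs {
    param(
        [Parameter(Mandatory)][string]$ServerName,  # e.g. 'CL2'
        [Parameter(Mandatory)][string]$UserName     # e.g. 'ID1'
    )
    $srv = Get-ADComputer -Identity $ServerName `
        -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    $usr = Get-ADUser -Identity $UserName -Properties AccountNotDelegated

    $unconstrained = [bool]$srv.TrustedForDelegation      # Win2K "all or nothing"
    $constrained   = @($srv.'msDS-AllowedToDelegateTo')   # Win2K3 constrained targets
    $sensitive     = [bool]$usr.AccountNotDelegated       # must be $false for ID1

    [pscustomobject]@{
        Server                      = $srv.Name
        UnconstrainedDelegation     = $unconstrained
        ConstrainedTargets          = $constrained
        User                        = $usr.SamAccountName
        UserSensitiveCannotDelegate = $sensitive
        # True only when the directory permits the second hop at all
        DelegationPermitted         = ($unconstrained -or $constrained.Count -gt 0) -and -not $sensitive
    }
}

# Run inside the impersonating context on CL2 (for example from the process the
# NPS starts with CreateProcessAsUser) to see what the token actually carries.
function Get-CurrentTokenInfo {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        User               = $id.Name
        AuthenticationType = $id.AuthenticationType  # 'NTLM' means no Kerberos ticket to forward
        ImpersonationLevel = $id.ImpersonationLevel  # an impersonation token needs 'Delegation'
                                                     # to reach \\CL1\SHARE1; 'None' = primary token
        IsSystem           = $id.IsSystem
    }
}

Test-DelegationPrereqs -ServerName 'CL2' -UserName 'ID1' | Format-List
Get-CurrentTokenInfo | Format-List
```

Compare the output of the second function on a working (all-Win2K3) setup against the failing (Win2K DC) one; an AuthenticationType of NTLM or a level below Delegation on the impersonation token is enough on its own to produce "Access is denied" on the second hop.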