Re: Delegation question
From: Garfield Lewis (galewis_at_SPAM-NO-MOREca.ibm.com)
Date: 01/27/05
- Next message: Eric Perlin [MS]: "Re: WlxDisplaySASNotice and remote desktop"
- Previous message: Joe Kaplan \(MVP - ADSI\): "Re: Delegation question"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: Delegation question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Jan 2005 19:44:28 -0500
I just got a call back from them and they are able to reproduce the problem
at their site using my testcase. However, they do not yet have a solution
but they believe it has something to do with the server trying to use NTLM
authentication instead of Kerberos in this setup. I will post when there is
a resolution to this problem.
Thx,
--
Garfield A. Lewis
IBM Canada Laboratory

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:OiODKw$AFHA.3368@TK2MSFTNGP10.phx.gbl...
> Gotcha. You've thought of everything I can. Please post back sometime and
> let us know the PSS resolution. I'm very curious.
>
> Joe K.
>
> "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> news:eUqogk$AFHA.3940@TK2MSFTNGP09.phx.gbl...
> > Hi Joe,
> >
> > Thanks for your responses.. Mine are inserted inline below...
> >
> > --
> > Garfield A. Lewis
> > IBM Canada Laboratory
> >
> >
> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> > in message news:%23dStoO2AFHA.2012@TK2MSFTNGP15.phx.gbl...
> >> Constrained delegation is a feature of AD 2003. Essentially, it allows you
> >> to use Kerberos delegation, but instead of the "all or nothing" approach
> >> that Win2K gave you, you can restrict delegation to specific services. I'm
> >> no expert at constrained delegation by a long shot as I've never used it,
> >> only read about.
> >>
> >> However, this does sound like a "regular" delegation problem. Just to make
> >> sure I understand what's up here:
> >>
> >> ID1 on CL1 calls CL2 via named pipe
> >> CL2 impersonates ID1 on CL2 to do some work
> >> The work requested tries to access a network share on CL1 using an
> >> impersonation level token on CL2
> >>
> >> If that is the flow, then this could be a traditional "double-hop" issue.
> > Yes, you are correct, this is a "double-hop" issue....
> >> The basis of the issue is that an impersonation level token (which is what
> >> you get when you impersonate the NP client) cannot travel or "hop" to a
> >> different machine on the network unless Kerberos delegation is available.
> > I have enabled the machines for delegation at the domain and also enabled
> > the user for delegation and have made certain that the "account is sensitive and
> > cannot be delegated" setting is not set for this account....
> >> Typically, you have to enable delegation for either the user account (ID1)
> >> or the server has to be trusted for delegation (CL2). These settings are
> >> both set in AD.
> >>
> >> Is it possible that your AD settings are slightly different? Are you using
> >> the exact same process account for the NPS on CL2?
> > Yes... also remember this works if the clients and DC are all Win2K or all
> > Win2K3. The only time it fails is if the DC is Win2K and the clients (CL1
> > and CL2) are Win2K3 boxes.
> >>
> >> I'm sure there is someone on this group who can give you a few more pointers
> >> here. You could try inspecting the access token's type and impersonation
> >> level using the GetTokenInformation API to see if there are any key
> >> differences.
> > I've done some inspection of the token by viewing the process under "Process
> > Explorer" and while there are some differences there doesn't seem to be
> > anything that would cause this type of problem.
> >>
> >> My guess is that this isn't an AD version problem, but an issue with some
> >> settings that make this whole thing work being slightly different.
> >>
> >> Hopefully that helps. If not, hopefully someone else jumps in or PSS can
> >> bail you out. :)
> > I've opened an incident with PSS and provided them with the testcase and
> > they are looking into it now. Again thanks for the help..
> >>
> >> Best of luck,
> >>
> >> Joe K.
> >>
> >> "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> >> news:egzyBXnAFHA.1452@TK2MSFTNGP11.phx.gbl...
> >> > Hi Joe,
> >> >
> >> > The setup is fairly simple, we do not do anything special, we simply have a
> >> > Win2K domain controller and 2 Win2K3 clients. I am not sure what the term
> >> > "constrained delegation" refers to and whether this can be done on a Win2K
> >> > DC/AD server. Looks like this will need to be reported through official
> >> > channels, I am just surprised no one else has seen this before.
> >> >
> >> > Thx,
> >> > --
> >> > Garfield A. Lewis
> >> > IBM Canada Laboratory
> >> >
> >> >
> >> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> >> > in message news:uifoWjkAFHA.2316@TK2MSFTNGP15.phx.gbl...
> >> >> I'd suggest sending this one directly in to Microsoft PSS. I looked at
> >> >> your question, but it wasn't immediately obvious to me what the problem was
> >> >> (unless you are somehow using a 2K3 feature like constrained delegation or
> >> >> something, but you didn't mention that before). The MS guys should be able
> >> >> to tear this apart and give you a reasonable answer.
> >> >>
> >> >> Best of luck,
> >> >>
> >> >> Joe K.
> >> >>
> >> >> "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> >> >> news:OjHybIkAFHA.2712@TK2MSFTNGP15.phx.gbl...
> >> >> > Are there no takers on this question? Should I be asking this question on
> >> >> > a different news group?
> >> >> >
> >> >> > --
> >> >> > Garfield A. Lewis
> >> >> > IBM Canada Laboratory
> >> >> >
> >> >> >
> >> >> > "Garfield Lewis" <galewis@SPAM-NO-MOREca.ibm.com> wrote in message
> >> >> > news:eBpnx27$EHA.2584@TK2MSFTNGP09.phx.gbl...
> >> >> >> Hi All,
> >> >> >>
> >> >> >> I am trying to figure out if some delegation issues I am seeing are working
> >> >> >> as designed or are in fact a bug introduced by one or more of the security
> >> >> >> patches that have been applied to Win2K. Here is the basic design of my
> >> >> >> application. We have 2 client machines (CL1 and CL2, let's say) and a 3rd
> >> >> >> machine which is a domain controller (DC). The client machines have been
> >> >> >> set up in the domain so that they have been enabled for delegation.
> >> >> >>
> >> >> >> 1. on CL1 there is a network share called \\CL1\SHARE1
> >> >> >> 2. on CL2 I am running a named pipe server (NPS) that receives requests, then
> >> >> >> impersonates the named pipe user (via the ImpersonateNamedPipeClient API) and
> >> >> >> then runs the request from the user (using CreateProcessAsUser).
> >> >> >> 3. on CL1 there is a client app that actually issues the request to the NPS
> >> >> >> server on CL2
> >> >> >> 4. if I send the following request across, "dir \\CL1\SHARE1", I get the
> >> >> >> following results:
> >> >> >>
> >> >> >> 1. If all 3 machines are either Win2K or Win2K3 then everything works
> >> >> >> 2. If the DC is Win2K and the 2 clients CL1 and CL2 are Win2K3 then I get an
> >> >> >> error of "Access is denied"
> >> >> >>
> >> >> >> Since it all seems to work in a homogeneous environment I don't believe that
> >> >> >> this is a generic setup problem. So it must be one of 2 things:
> >> >> >>
> >> >> >> 1. somehow the setup for a heterogeneous environment is somewhat different
> >> >> >> than for a homogeneous one and I just don't understand how to do this, or
> >> >> >> 2. one or more of the many patches applied to the Win2K domain controller
> >> >> >> has now broken this feature, because I am certain this worked before, because
> >> >> >> we have not upgraded our domain controllers to Win2K3 and our test team has
> >> >> >> just begun reporting this problem after the Christmas break. We have also
> >> >> >> verified that it's not a Win2K3 patch that has broken this because we also
> >> >> >> tried and failed with 2 client Win2K3 machines having no patches at all
> >> >> >> applied. We are trying to do the same with a Win2K domain controller but
> >> >> >> have not gotten around to doing that as yet.
> >> >> >>
> >> >> >> Has anyone else seen this or know if this is a known problem?
> >> >> >>
> >> >> >> BTW, if anyone from Microsoft is willing to look into this I can send them a
> >> >> >> testcase so they could run the tests themselves. There really isn't much to
> >> >> >> reproducing this problem.
> >> >> >>
> >> >> >> Thx,
> >> >> >>
> >> >> >> --
> >> >> >> Garfield A. Lewis
> >> >> >> IBM Canada Laboratory
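The thread turns on three Active Directory settings (the middle-tier computer account trusted for delegation, the user not marked "sensitive and cannot be delegated", and Kerberos rather than NTLM being negotiated on the first hop). The following is an added example, not code from the thread or from any of its participants: it decodes the documented `userAccountControl` bits that control delegation and applies that checklist to constructed sample account records. The `UF_*` values are the Windows SDK constants; `msDS-AllowedToDelegateTo` is the real attribute behind constrained delegation; the host names, SPNs and the `example.test` domain are constructed for illustration. It checks directory prerequisites only and cannot explain a failure that, as in the thread, appears only with a particular mix of DC and client OS versions.

```python
from __future__ import annotations

# Documented Windows userAccountControl bits (UF_* constants).
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_TRUSTED_FOR_DELEGATION = 0x80000        # "Trust this computer for delegation to any service"
UF_NOT_DELEGATED = 0x100000                # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

FLAG_NAMES = [
    (UF_NORMAL_ACCOUNT, "NORMAL_ACCOUNT"),
    (UF_WORKSTATION_TRUST_ACCOUNT, "WORKSTATION_TRUST_ACCOUNT"),
    (UF_TRUSTED_FOR_DELEGATION, "TRUSTED_FOR_DELEGATION"),
    (UF_NOT_DELEGATED, "NOT_DELEGATED"),
    (UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION, "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION"),
]


def decode_uac(value: int) -> list[str]:
    """Return the names of the delegation-relevant bits set in userAccountControl."""
    return [name for bit, name in FLAG_NAMES if value & bit]


def check_double_hop(server: dict, user: dict, target_spn: str) -> list[str]:
    """Apply the double-hop checklist to the middle-tier server account (CL2 in
    the thread, which impersonates the named-pipe client) and the client user
    (ID1) whose token must hop on to target_spn (the share on CL1).

    Each dict mirrors the LDAP attributes of the account: 'userAccountControl',
    'servicePrincipalName' and, for constrained delegation, 'msDS-AllowedToDelegateTo'.
    An empty result means every prerequisite this check knows about is met."""
    findings: list[str] = []
    server_uac = server["userAccountControl"]
    user_uac = user["userAccountControl"]

    # 1. Kerberos must actually be used on the first hop. A client only requests a
    #    Kerberos ticket if an SPN for the server is registered; otherwise it falls
    #    back to NTLM, and an NTLM-authenticated impersonation token cannot be
    #    delegated at all (the NTLM-instead-of-Kerberos symptom PSS described).
    if not server.get("servicePrincipalName"):
        findings.append("server has no servicePrincipalName: first hop will fall back to NTLM")

    # 2. The server must be allowed to delegate: either unconstrained (Win2K-style
    #    "all or nothing") or constrained to the specific target SPN (AD 2003).
    allowed_to = server.get("msDS-AllowedToDelegateTo", [])
    if server_uac & UF_TRUSTED_FOR_DELEGATION:
        pass  # unconstrained: any service
    elif allowed_to:
        if target_spn.lower() not in (spn.lower() for spn in allowed_to):
            findings.append(f"constrained delegation list does not include {target_spn}")
    else:
        findings.append("server is not trusted for delegation (neither unconstrained nor constrained)")

    # 3. The user whose token is forwarded must not be marked sensitive.
    if user_uac & UF_NOT_DELEGATED:
        findings.append("user is marked 'account is sensitive and cannot be delegated'")

    return findings


# Constructed sample records (not real directory data).
CL2_SERVER = {
    "sAMAccountName": "CL2$",
    "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
    "servicePrincipalName": ["HOST/CL2", "HOST/cl2.example.test"],
}
CL2_CONSTRAINED = {
    "sAMAccountName": "CL2$",
    "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
    "servicePrincipalName": ["HOST/CL2"],
    "msDS-AllowedToDelegateTo": ["cifs/CL1", "cifs/cl1.example.test"],
}
ID1_USER = {"sAMAccountName": "id1", "userAccountControl": UF_NORMAL_ACCOUNT}
ID1_SENSITIVE = {"sAMAccountName": "id1", "userAccountControl": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED}

if __name__ == "__main__":
    cases = [("unconstrained", CL2_SERVER, ID1_USER),
             ("constrained", CL2_CONSTRAINED, ID1_USER),
             ("sensitive user", CL2_SERVER, ID1_SENSITIVE)]
    for label, srv, usr in cases:
        flags = decode_uac(srv["userAccountControl"])
        print(label, flags, check_double_hop(srv, usr, "cifs/CL1") or "OK")
```

In a real domain the two dicts would be filled from an LDAP read of the computer and user objects; the check is deliberately conservative and reports only what the attributes prove, so a clean result still leaves the token-level inspection (GetTokenInformation, as suggested above) and the DC-side Kerberos event log as the next places to look.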