Re: Double Hop Issue



Normally, you use Kerberos delegation to build a solution to double-hop
issues, so that is likely how you got the double hop working.

Unfortunately, non-domain member workstations cannot perform Kerberos
authentication, so that's likely why you see the problems you see. They
will do NTLM authentication instead. NTLM will work locally but fail when
delegation is attempted.

You may be able to use protocol transition logon and Kerberos constrained
delegation to work around this issue, assuming that your AD is 2003 FFL or
higher and your servers are all 2003 or higher. Otherwise, you'll need to
get these non-domain workstations domain joined.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Mr. Smith" <mr.smith@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23NN2OS06IHA.1204@xxxxxxxxxxxxxxxxxxxxxxx


Hello all, I am trying to understand what might be wrong here, so if someone
could point me in the correct direction I would gladly appreciate it.

Issue: Computers which are not members of Active Directory are having issues
when accessing sites which pass authentication information to other servers.

My Description: Users access my SharePoint site where links are set up to
perform a "double-hop" to another server such as CRM. These sites are
all hosted internally and seem to work just fine.
However, when a non-domain user tried to access the site in the same manner
they are prompted for domain user / password. Password information is
entered by the user and they can browse SharePoint just fine so it seems,
but when they try to access the link which should pass their security over
to the CRM server it fails with an anonymous user logon failure.

Question: Why does this happen, and what can I do to correct this outside of
adding that computer to the domain? And is there any KB out there which
covers this?

Thanks for any help you all might provide

Mr. Smith
Systems Administrator
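
The delegation behaviour described in the reply at the top of this thread, as an added example that is not part of the original posts: a simplified model of whether the second hop can run as the user, based on how the client authenticated and on the front-end service account's `userAccountControl` and `msDS-AllowedToDelegateTo` values. The account name and SPNs are constructed placeholders, and the model assumes the only factors are the ones named in the reply.

```python
# Added example: simplified model of the double-hop decision.
# Flag values are the documented userAccountControl bits; the account
# name and SPNs below are constructed for illustration.
from dataclasses import dataclass, field

TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained Kerberos delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("any protocol")


@dataclass
class ServiceAccount:
    name: str
    user_account_control: int
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo


def second_hop(client_auth: str, front_end: ServiceAccount, backend_spn: str):
    """Return (works, reason) for front end -> back end access as the user."""
    uac = front_end.user_account_control
    targets = {s.lower() for s in front_end.allowed_to_delegate_to}
    constrained = backend_spn.lower() in targets
    unconstrained = bool(uac & TRUSTED_FOR_DELEGATION)
    transition = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)

    if client_auth == "Kerberos":
        if unconstrained:
            return True, "forwarded ticket (unconstrained delegation)"
        if constrained:
            return True, "constrained delegation to listed SPN"
        return False, "account not trusted for delegation to this SPN"
    if client_auth == "NTLM":
        # An NTLM logon gives the front end nothing to forward; only protocol
        # transition lets it request a ticket on the user's behalf.
        if transition and constrained:
            return True, "protocol transition + constrained delegation"
        return False, "NTLM logon cannot be delegated; back end sees anonymous"
    raise ValueError(f"unknown auth protocol: {client_auth}")


CRM_SPN = "http/crm.example.internal"  # constructed placeholder SPN
# Front end as it might be set up for domain clients only (assumption).
BEFORE = ServiceAccount("svc-sharepoint", TRUSTED_FOR_DELEGATION)
# Front end reconfigured for protocol transition to the one back-end SPN.
AFTER = ServiceAccount("svc-sharepoint", TRUSTED_TO_AUTH_FOR_DELEGATION, [CRM_SPN])

if __name__ == "__main__":
    for label, acct in (("before", BEFORE), ("after", AFTER)):
        for proto in ("Kerberos", "NTLM"):
            print(label, proto, second_hop(proto, acct, CRM_SPN))
```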




