Re: Double Hop Issue



Joe,

Thank you so much for your reply; I have had this same suspicion while dealing with this issue.
I have been searching for details on this from a source other than my experience in this area.

If you have any good 'links' in the area of my problem, could you please share them with me so I can get some useful reading and reference materials?

Mr. Smith
Systems Administrator
http://www.jermsmit.com/



"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:OE2d0$06IHA.5292@xxxxxxxxxxxxxxxxxxxxxxx
Normally, you use Kerberos delegation to build a solution to double-hop issues, so that is likely how you got the double hop working.

Unfortunately, non-domain member workstations cannot perform Kerberos authentication, so that's likely why you see the problems you see. They will do NTLM authentication instead. NTLM will work locally but fail when delegation is attempted.

You may be able to use protocol transition logon and Kerberos constrained delegation to work around this issue, assuming that your AD is 2003 FFL or higher and your servers are all 2003 or higher. Otherwise, you'll need to get these non-domain workstations domain joined.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Mr. Smith" <mr.smith@xxxxxxxxxxxxxxxxxx> wrote in message news:%23NN2OS06IHA.1204@xxxxxxxxxxxxxxxxxxxxxxx


Hello all, I am trying to understand what might be wrong here, so if someone could point me in the correct direction I would gladly appreciate it.

Issue: Computers which are not members of Active Directory are having issues when accessing sites which pass authentication information to other servers.

My Description: Users access my SharePoint site where links are set up to perform a "double-hop" to another server such as CRM. These sites are all hosted internally and seem to work just fine.
However, when a non-domain user tries to access the site in the same manner, they are prompted for domain user / password. Password information is entered by the user and they can browse SharePoint just fine so it seems, but when they try to access the link which should pass their security over to the CRM server it fails with an anonymous user logon failure.

Question: Why does this happen, and what can I do to correct this outside of adding that computer to the domain? And is there any KB out there which covers this?

Thanks for any help you all might provide.

Mr. Smith
Systems Administrator
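
Added example, not part of the thread or written by either poster: a simplified Python model of the behaviour Joe Kaplan's reply describes, showing how the front-end service account's delegation attributes in AD decide whether the second hop succeeds for Kerberos and NTLM logons. The SPN and account records are constructed placeholders, and the model ignores functional-level and server-version requirements.

```python
# userAccountControl bits that govern Kerberos delegation.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")


def second_hop_outcome(svc, target_spn, client_auth, user_uac=0x200):
    """Predict whether the front-end service account `svc` can reach
    `target_spn` as the user, given how the user authenticated to it."""
    uac = svc["userAccountControl"]
    allowed = {s.lower() for s in svc.get("msDS-AllowedToDelegateTo", [])}
    if user_uac & NOT_DELEGATED:
        return "fail: user account is marked sensitive, cannot be delegated"
    if uac & TRUSTED_FOR_DELEGATION:
        # Unconstrained: the service needs the user's forwarded TGT, which
        # only arrives with a Kerberos logon.
        if client_auth == "kerberos":
            return "ok: unconstrained delegation"
        return "fail: NTLM logon carries no ticket to delegate"
    if not allowed:
        return "fail: no delegation configured on service account"
    if target_spn.lower() not in allowed:
        return "fail: target SPN not in msDS-AllowedToDelegateTo"
    if client_auth == "kerberos":
        return "ok: constrained delegation"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "ok: protocol transition + constrained delegation"
    return "fail: NTLM logon and protocol transition not enabled"


# Constructed sample records (hypothetical names, not from the thread).
CRM_SPN = "HTTP/crm.example.internal"
kerberos_only = {"userAccountControl": 0x200,
                 "msDS-AllowedToDelegateTo": [CRM_SPN]}
with_transition = {"userAccountControl": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
                   "msDS-AllowedToDelegateTo": [CRM_SPN]}

if __name__ == "__main__":
    for name, svc in (("kerberos_only", kerberos_only),
                      ("with_transition", with_transition)):
        for auth in ("kerberos", "ntlm"):
            print(f"{name:16} {auth:9} -> {second_hop_outcome(svc, CRM_SPN, auth)}")
```
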





