Kerberos and forms authentication

<paal.andreas***@gmail.com> wrote (news:1151353968.609712.51790@y41g2000cwy.googlegroups.com):

We have a multi tier application spread over multiple servers. As of today the clients (IE 6) have used Integrated (NTLM) authentication against IIS running the presentation layer. Each layer is communicating with the next layer using WSE3 web services. We are using Kerberos for delegated authentication through the tiers. This setup is a requirement (secure and authenticated communication from client through the tiers down to the database and back; actually we are using a fixed SQL user at the lowest level).

This setup is working fine, except that in order for a "user switch" the user has to actually log off Windows and the new user log in. We are experimenting with switching to forms authentication on the presentation server, allowing the "windows user" on the client to remain separate from the user logged on to our application.

Setting up forms authentication is easy enough, and I thought that by impersonating the user the delegated authentication would still work as before, but I was wrong.

Any ideas if this is even possible? If so, any pointers on how to make this magic happen?

.NET Framework 2.0
IIS 6 on Windows 2003
MS SQL 2000
All users defined in MS Active Directory 2000
Microsoft WSE3.0
Clients are Internet Explorer 6

---

Joe Kaplan replied:

You should be able to get Kerberos authentication and use Kerberos with WSE3 by calling LogonUser. What parameters are you calling it with? If you enable auditing for logon events and look in the security event log, what type of logon is being performed for these users?

Joe K.
--
Joe Kaplan, MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

<paal.andreas***@gmail.com> wrote in message news:1151353968.609712.51790@y41g2000cwy.googlegroups.com...
> [original post quoted in full; see above]

---

Robert Ginsburg replied:

How are you impersonating the user? You may run into a problem with the Kerberos ticket you are creating not being forwardable. If you use the LogonUser function from the network API and impersonate that user (using a user name and password) the ticket from the impersonated user is forwardable; if you are using the WindowsIdentity constructor and passing in a UPN for the user, the ticket is only forwardable if the process that called it has the permission to create forwardable tokens (for example the system service).

<paal.andreas***@gmail.com> wrote in message news:1151353968.609712.51790@y41g2000cwy.googlegroups.com...
> [original post quoted in full; see above]

---

<paal.andreas***@gmail.com> replied:

I was trying to use the WindowsIdentity and setting the Principal on the current executing thread. I'll look into LogonUser. Thanks for the tip.

Robert Ginsburg wrote:
> [Robert Ginsburg's reply quoted in full, including the original post; see above]
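A worked example of the two impersonation paths that Joe Kaplan and Robert Ginsburg contrast above, added here as an illustration and not code from the thread. The `DelegationLogon` class and its method names are hypothetical; `LogonUser` and `WindowsIdentity` are the real Win32 and .NET 2.0 APIs the replies refer to, and the code assumes it runs in the IIS 6 worker process on Windows 2003 after the forms-authentication login has collected the user's domain credentials.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper (added example, not from the thread) for a forms-auth
// login handler that must produce a token the WSE3 tiers can delegate.
public static class DelegationLogon
{
    // Logon types from winbase.h. LOGON32_LOGON_NETWORK (3) caches no
    // credentials, so the Kerberos hop to the next tier fails; NETWORK_CLEARTEXT (8)
    // keeps them in the logon session so a forwardable ticket can be issued.
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Path recommended in the thread: LogonUser with the forms-auth credentials.
    public static WindowsIdentity FromPassword(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new UnauthorizedAccessException(
                "LogonUser failed, Win32 error " + Marshal.GetLastWin32Error());
        try { return new WindowsIdentity(token); }  // WindowsIdentity duplicates the handle
        finally { CloseHandle(token); }
    }

    // Path the poster tried: S4U logon from a UPN, no password. Without
    // SeTcbPrivilege in the calling process this yields an Identification-level
    // token, which cannot be used to reach resources, let alone the next tier.
    public static WindowsIdentity FromUpn(string upn)
    {
        return new WindowsIdentity(upn);
    }

    // Impersonate and report the thread token's level so the login handler can
    // refuse to continue (and log it) before attempting the WSE3 call.
    public static TokenImpersonationLevel LevelWhenImpersonating(WindowsIdentity id)
    {
        using (WindowsImpersonationContext ctx = id.Impersonate())
        {
            return WindowsIdentity.GetCurrent().ImpersonationLevel;
        }
    }
}
```

Comparing `LevelWhenImpersonating(FromPassword(...))` with `LevelWhenImpersonating(FromUpn(...))` in the worker process, alongside the logon-event audit entries Joe suggests enabling, shows which logon type and token level each path actually produced before the downstream hop is attempted.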