Subject: IIS Delegation

Rainier wrote:

I'm working in an IIS 5.0, IE 5, ASP.NET 1.1 environment.
I need delegation. I have read that this should be possible using Kerberos. But how can I get Kerberos to work, and how can I test it?

Currently I've got code that does the following:

System.Security.Principal.WindowsIdentity winId =
    System.Security.Principal.WindowsIdentity.GetCurrent();

When I test for the authentication type:

winId.AuthenticationType

it will return 'NTLM', while winId.Name returns the correctly impersonated user. So impersonation works.

Now the domain name *mydomain is registered as a local domain in IE. Users are logged on to the domain, and I'm running the ASPNET environment not under the default ASPNET user but under the administrator account. (This is because I found something about "log on locally" rights.)

I'm fresh out of ideas.

Rainier


Joe Kaplan (MVP - ADSI) wrote, in reply to Rainier:

The worker process for ASP.NET needs to be a domain account that has rights to delegate set in AD. You can't use a local machine account for the process account, whether it is the ASPNET account or the local administrator.

You can use SYSTEM, which will run on the network as the machine account, but that is bad from a security standpoint. It is better to create a low-privileged service account in AD to use. However, this account will also need SPNs set so that it can delegate. The machine account has those by default, but a service account will not.

Keith Brown has a good article on this in his book, in a wiki at www.pluralsight.com.

Joe K.


Rainier wrote, in reply to Joe Kaplan:

Joe, thanks.

I read that we should do a lot of administrative work. I'm going to buy the book :-)

Rainier


Joe Kaplan (MVP - ADSI) wrote, in reply to Rainier:

Keith will certainly appreciate that. The book is great and will teach you lots of good stuff. Totally worthwhile. :)

Joe K.


Paul (Microsoft MVP, Visual Basic) wrote, in reply to Rainier's original post of Thu, 11 Aug 2005 07:29:11 -0700:

The following may help:

How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

Paul
~~~~
Microsoft MVP (Visual Basic)
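A diagnostic handler for the test Rainier asked about ("how can I test it?"), added here as an example; it is not code from the thread, from Joe Kaplan, or from the Microsoft KB article. It reports what IIS negotiated with the browser and what the impersonated thread token says about itself, then tries the "second hop" that only a delegated Kerberos ticket can make. The class name, the file-share path \\backend-server\share, and the assumption that the site uses Integrated Windows authentication with `<identity impersonate="true"/>` in web.config are all constructed for the example.

```csharp
// DelegationCheck.ashx.cs - added example, not from the thread.
// Reports which authentication protocol reached this ASP.NET app and whether
// the impersonated token can take a "second hop" to a back-end resource.
// Assumes: IIS Integrated Windows authentication, <identity impersonate="true"/>
// in web.config, and the placeholder back-end path below (all assumptions).
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class DelegationCheck : IHttpHandler
{
    // Placeholder (constructed) back-end resource: a share on a second server
    // that the logged-on user, not the worker process account, may read.
    private const string BackEndPath = @"\\backend-server\share";

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // What IIS negotiated with the browser for this request.
        r.Write("AUTH_TYPE   : " + context.Request.ServerVariables["AUTH_TYPE"] + "\r\n");
        r.Write("LOGON_USER  : " + context.Request.ServerVariables["LOGON_USER"] + "\r\n");

        // What the worker thread is actually running as (the impersonated token).
        WindowsIdentity winId = WindowsIdentity.GetCurrent();
        r.Write("Thread user : " + winId.Name + "\r\n");
        r.Write("Auth type   : " + winId.AuthenticationType + "\r\n");

        // An NTLM token cannot be forwarded to another server. Only a Kerberos
        // ticket, issued because the SPN matched and the process account is
        // trusted for delegation, can be used for the hop below.
        bool kerberos = string.Compare(winId.AuthenticationType, "Kerberos", true) == 0;
        r.Write("Kerberos    : " + kerberos + "\r\n");
        if (!kerberos)
        {
            r.Write("NTLM means no SPN matched the host name or the process account\r\n");
            r.Write("is not trusted for delegation; the second hop is expected to fail.\r\n");
        }

        r.Write("Second hop  : " + TrySecondHop(BackEndPath) + "\r\n");
    }

    // Lists the back-end share under the impersonated identity. Success shows
    // the user's credentials were delegated; access denied or a logon failure
    // means the back-end server saw an anonymous (NULL) session instead.
    private static string TrySecondHop(string path)
    {
        try
        {
            int count = Directory.GetFiles(path).Length;
            return "OK (" + count + " files visible as " + WindowsIdentity.GetCurrent().Name + ")";
        }
        catch (UnauthorizedAccessException ex)
        {
            return "DENIED: " + ex.Message;
        }
        catch (IOException ex)
        {
            return "FAILED: " + ex.Message;
        }
    }

    public bool IsReusable
    {
        get { return false; }
    }
}
```

Save it as DelegationCheck.ashx with a `<%@ WebHandler Language="C#" Class="DelegationCheck" %>` directive, then browse to it from a domain-joined client using the host name for which the SPN is registered (not an IP address, which forces NTLM). The two middle lines are the quick answer to Rainier's question: "Auth type" flips from NTLM to Kerberos once the service account and SPNs Joe describes are in place, and the second-hop line confirms the ticket was actually usable for delegation rather than just for logon.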