Delegation across trusted domains

Hi, I've already posted this in a different group, but I've received no responses...

-------

I have some load balanced IIS servers, which get content and .NET applications from clustered file servers using UNC shares. The content within the shares is secured using NTFS file permissions. I've turned on delegation so that the IIS servers are allowed to delegate to the file servers, and this is working.

We have a separate (but trusted) domain; users from this domain have also been granted rights to the files on the file servers, however they are being denied access to the content through the IIS servers. I can only assume that the delegation is only working for users which are on the same domain as the servers?

If it is not possible, this will seriously mess up how some of our applications work... so I'm hoping someone has a solution.

Hello Paul,

as long as there is a path of trust between all parties - this should work.

Make sure that Kerberos is used between browser and web server, e.g. by inspecting the security log - you should see a logon event for the client - the authentication package has to be Kerberos (instead of NTLM) - or use a sniffer like www.ethereal.com to see if Kerberos Service Ticket Requests are being made. For delegation to work you need Kerb auth all the way through.

read more here:
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

That must be the problem, I'm seeing NTLM as the authentication package. I've tried some things from your security briefs, but the package is still NTLM... I can see this taking me a while!
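
The security-log check suggested in the reply above, as an added example that is not part of the original thread: it lists which authentication package each network logon from the trusted domain used on an IIS server. It assumes a Windows version that records logons as Security event 4624 with the AuthenticationPackageName field, an elevated prompt, and a placeholder domain name (TRUSTEDDOM).

```powershell
# Added example: run elevated on each load balanced IIS server.
param(
    [string]$Domain = 'TRUSTEDDOM',  # placeholder: name of the trusted domain
    [int]$Hours = 1                  # how far back to look in the Security log
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624                 # assumption: logon event ID on Server 2008 and later
    StartTime = (Get-Date).AddHours(-$Hours)
}

$logons = Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    # Turn the named <Data> elements of the event XML into a lookup table.
    $fields = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Domain  = $fields['TargetDomainName']
        User    = $fields['TargetUserName']
        Type    = [int]$fields['LogonType']
        Package = $fields['AuthenticationPackageName']
        Source  = $fields['IpAddress']
    }
}

# Logon type 3 is a network logon, which is what a browser authenticating to
# IIS produces. The domain may be recorded in NetBIOS or DNS form, so match
# on the prefix.
$network = $logons | Where-Object { $_.Type -eq 3 -and $_.Domain -like "$Domain*" }

# Logon count per user and package (Kerberos, NTLM, Negotiate).
$network | Group-Object User, Package |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Users with no Kerberos logon in the window: per the reply above, these
# are the requests that cannot be delegated on to the file servers.
$network | Group-Object User |
    Where-Object { $_.Group.Package -notcontains 'Kerberos' } |
    Select-Object -ExpandProperty Name
```

Comparing the output for a user in the servers' own domain with one from the trusted domain shows whether only the cross-domain logons are falling back to NTLM.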