Re: making a Web Request from my server



Thanks for your reply MC,

Yes, Kerberos would be one possible approach for double hop cases. However,
it is quite complex and tightly coupled for you to involve Kerberos
delegation in your distributed environment. You need to perform configuration
from the client to the web server to the backend server (the domain account, server
machine principal accounts...).

If you do want to try, you can have a look at the following references about
using and troubleshooting Kerberos delegation cases:

#How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/kb/810572

#Troubleshooting Kerberos Delegation
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.





--------------------
Date: Wed, 09 Jan 2008 12:03:47 +0000
From: mc <mc@xxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.dotnet.framework.aspnet
Subject: Re: making a Web Request from my server


Sorry this one dropped off my radar slightly.

I'm aware of the double hop issue and thought I had it covered; we
currently authenticate via the same server against remote databases as the
impersonated user fine.

If we assume (and I know it's a big assumption) that I've got the Kerberos
setting of the originating web server correct, would I need to reconfigure
the servers that I'm connecting to?

This is now a purely academic question as it's unlikely that I will have
the time (and funding) to complete as planned.

The interim solution was to open a raw TCP/IP socket to port 80; if it
fails, assume the system is down. This is mostly successful but doesn't deal
with an app pool that has been suspended, as that still accepts connections.


Steven Cheng[MSFT] wrote:
Hi MC,

Any progress on this issue? If there is anything else we can help with,
please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------

