Re: Kerberos Delegation of Authentication

Still no definitive answer yet, I am afraid; however, I have another question
that needs some clarification, if possible.

Do I need to trust a computer account for delegation if the services doing
the delegation are regular AD accounts (i.e. the application pool for the website is
running under a user account)? I thought this was the case, but someone has
since told me that you only need to do this if you are running the
application under Local System or Network Service, etc.

"Joe Kaplan (MVP - ADSI)" wrote:

> Delegation is the right of a service account (such as the process account
> used to run a web server application) to take a user's security context that
> authenticated with it and forward it to another service on the network on
> the user's behalf in order to access the other service with the user's
> security context. It is commonly used in n-tier applications to flow
> security contexts between services. It uses features enabled by the
> Kerberos implementation in Windows.
>
> Constrained delegation is a new feature in 2003 AD that allows Kerberos
> delegation to be restricted to specific network services. In Windows 2000,
> when a service account is trusted for delegation, it can delegate to ANY
> service on the network, making this setting much more of a security risk.
>
> Protocol transition is also a new feature that allows the user
> authentication to happen with a different protocol besides Kerberos (such as
> basic, digest, NTLM or client certificates). The server then transitions
> the authenticated security context to use Kerberos, typically to take
> advantage of delegation.
>
> Read up on those links that Lee posted. They are great documentation.
>
> Joe K.
>
> "Spin" <Spin@xxxxxxxx> wrote in message
> news:4389naF1mb9pcU1@xxxxxxxxxxxxxxxxx
> > What is "constrained delegation"? What is "full delegation"? I also saw
> > something on Virtual Server 2005 R2 setup that talked about "constrained
> > delegation" and that confused me. So I just accepted the on-screen Setup
> > default, and hit the "Next" button without really understanding what it
> > meant. :p
> >
> > --
> > Spin
> >
> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
> > in message news:OTtF8iGHGHA.3936@xxxxxxxxxxxxxxxxxxxxxxx
> >> That's a great question and one that I'm curious about too. I also
> >> wonder if it matters whether you are doing constrained delegation or full
> >> delegation and also whether protocol transition is supported in those
> >> scenarios.
> >>
> >> Anyone?
> >>
> >> Joe K.
> >>
> >> "Chris Geier" <chris.geier at gmail.com> wrote in message
> >> news:C19222E0-EB0C-4CC6-88B8-4B2B02A24B51@xxxxxxxxxxxxxxxx
> >>> In a multi-forest scenario where I have an N-Tier application environment
> >>> that relies on Kerberos and Kerberos Delegation of authentication, where the
> >>> users that are impersonated by the service accounts in that N-Tier
> >>> environment are spread across multiple forests, is this even possible? I
> >>> have read conflicting information about Kerberos delegation in cross-forest
> >>> environments and need a definitive answer. I realize that there has to be a
> >>> trust in place for any access, but in the case that there is a trust, can
> >>> you do delegation of authentication across those forests? Does the domain
> >>> have to be at W2K3 level? Does the trust have to be 2-way?
> >>>
> >>> I know that in W2K3 I can set up cross-forest trusts. This is how it is
> >>> set up today. Currently, however, they are one-way trusts. I am not sure in
> >>> my planning if this will create a problem. Also, I am not sure if in Kerberos
> >>> Delegation of Authentication I can have a service account act on behalf of a
> >>> user account in another forest, and what the implications or finer points
> >>> of that are. I have been unable to find any definitive information on this.
> >>
> >>
> >
> >
>
>
>
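The thread distinguishes full (unconstrained) delegation, constrained delegation and protocol transition, and the first post asks which account carries the setting. The following is an added example, not code from anyone in this thread: it classifies accounts by the attributes a directory query returns (userAccountControl bits, msDS-AllowedToDelegateTo, servicePrincipalName), treating user and computer objects alike since the flags are attributes of whichever account the service runs as. The sample entries are constructed; the flag values are the documented userAccountControl bits.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Documented userAccountControl bits relevant to delegation.
TRUSTED_FOR_DELEGATION = 0x80000            # "Trust this account for delegation to any service" (unconstrained)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)


@dataclass
class DelegationFinding:
    name: str
    mode: str                       # "none", "unconstrained" or "constrained"
    protocol_transition: bool
    targets: List[str] = field(default_factory=list)
    has_spn: bool = False


def classify(entry: Dict) -> DelegationFinding:
    """Derive the delegation configuration of one account from its attributes."""
    uac = int(entry.get("userAccountControl", 0))
    targets = list(entry.get("msDS-AllowedToDelegateTo", []))
    if uac & TRUSTED_FOR_DELEGATION:
        mode = "unconstrained"          # may delegate to ANY service (Windows 2000 style)
    elif targets:
        mode = "constrained"            # may delegate only to the listed SPNs (2003 AD feature)
    else:
        mode = "none"
    return DelegationFinding(
        name=entry["sAMAccountName"],
        mode=mode,
        protocol_transition=bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION),
        targets=targets,
        has_spn=bool(entry.get("servicePrincipalName", [])),
    )


def risk(finding: DelegationFinding) -> str:
    """Rank a finding for review: unconstrained is the setting the thread warns about."""
    if finding.mode == "unconstrained":
        return "high"
    if finding.mode == "constrained" and finding.protocol_transition:
        return "medium"   # constrained, but the front end may authenticate users without Kerberos
    if finding.mode == "constrained":
        return "low"
    return "info"


def audit(entries: List[Dict]) -> List[DelegationFinding]:
    """Return only the accounts that have some delegation setting at all."""
    return [f for f in map(classify, entries) if f.mode != "none" or f.protocol_transition]


# Constructed sample records (hypothetical domain corp.example), shaped like LDAP query results.
SAMPLE_ENTRIES = [
    {   # user account running a web application pool; constrained + protocol transition
        "sAMAccountName": "svc-web",
        "userAccountControl": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
        "servicePrincipalName": ["HTTP/web01.corp.example"],
        "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.example:1433"],
    },
    {   # computer account trusted for delegation to any service
        "sAMAccountName": "WEB02$",
        "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION,
        "servicePrincipalName": ["HOST/web02.corp.example"],
    },
    {   # ordinary user, nothing configured
        "sAMAccountName": "jsmith",
        "userAccountControl": 0x200,
    },
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ENTRIES):
        print(f"{f.name:10} {f.mode:13} risk={risk(f):6} "
              f"protocol_transition={f.protocol_transition} targets={f.targets}")
```

In a live directory the same three attributes can be pulled for every user and computer object and fed to `audit`; an account that shows up as unconstrained is the case the quoted reply describes as "much more of a security risk".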