.NET Forum / ASP.NET / Security / July 2004

Allow Integrated Windows Authentication Token to be delegated?

Raterus - 24 Mar 2004 23:22 GMT
I'm writing an asp.net intranet application that allows the current user to
manage their user folder on a shared network drive on the same domain as the
webserver.  These user folders have permissions set up for the current user.

From what I understand about IIS/Integrated Windows Authentication, it
doesn't support delegation, that is passing an authentication token to a
server beyond the webserver (like this network share).  Any access beyond
that "one-hop" would be executed under the configured identity of asp.net.

Is there a way, from code perhaps, to beef up the token IIS receives from
the browser (that has been authenticated by Integrated Windows), so it can
overcome the one-hop rule, and access a network share that has permissions
set for the current user?  I know this problem is easily solved with using
basic authentication, but I don't want the user to have to re-enter their
username/password in the webpage.

I just want it so authenticated user "joe" can access this shared network
folder because there are permissions set for "joe", not because I've done
some crazy process to change the identity asp.net runs under.  It seems
silly that there wouldn't be a way to do this!

Please help!
--Michael
Ken Schaefer - 25 Mar 2004 02:34 GMT
Integrated Windows Authentication actually involves two different types of
authentication. Kerberos, and NTLM v2. Kerberos is supported, natively, by
Windows 2000 and Windows XP client machines. Delegation is possible using
Kerberos.

If you are also running a Windows 2003 Domain, then with constrained
delegation you can also configure Protocol Transition, which allows
non-Kerberos authentication to the webserver, and then the webserver will
get a Kerberos token to access the remote file server.

Here are a few articles to get you started:

http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
HOW TO: Configure an ASP.NET Application for a Delegation Scenario

http://support.microsoft.com/?id=294382
Authentication May Fail with "401.3" Error If Web Site's "Host Header"
Differs from Server's NetBIOS Name

http://support.microsoft.com/default.aspx?kbid=325894
HOW TO: Configure Computer Accounts and User Accounts So That They Are
Trusted for Delegation in Windows Server 2003 Enterprise Edition (also
includes Windows 2000 instructions)

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/se_con_del_computer.asp

Configuring Users and Computers for delegation (there's a couple of pages -
use the links in the nav bar to get to them)

Windows 2003 Protocol Transition
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx


Cheers
Ken

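The configuration Ken outlines (an account trusted for delegation, an SPN that matches the site name, and optionally constrained delegation with protocol transition), written out as an added example. This is not code from the original thread or from the linked KB articles. It assumes a domain corp.example, a web server WEB01 whose site is reached as http://intranet.corp.example, a file server FS01 exposing the user folders over CIFS, an application pool running as Network Service (so the delegating principal is the computer account WEB01$), a test user joe, and the ActiveDirectory PowerShell module plus rights to modify the computer account; all of those names are assumptions.

```powershell
# Added example (not from the original thread): configure and verify Kerberos
# delegation for "web server impersonates the browser user on a file share".
# Assumed names: domain corp.example, web server WEB01 (site host name
# intranet.corp.example), file server FS01, app pool = Network Service, user joe.
#Requires -Modules ActiveDirectory

$WebServer   = 'WEB01'
$SiteHost    = 'intranet.corp.example'   # host name in the browser URL / host header
$FileServer  = 'FS01'
$DomainDns   = 'corp.example'
$Constrained = $true                     # $false = unconstrained "trust for delegation"

$webAccount = Get-ADComputer -Identity $WebServer

# 1. The browser only gets a Kerberos ticket for the site if an SPN matching the
#    URL host name exists on the account that runs the app pool. A host header
#    that differs from the NetBIOS name therefore needs its own HTTP/ SPN.
#    setspn -S refuses to add a duplicate SPN, which would break Kerberos for
#    both accounts (you would silently fall back to NTLM, which cannot delegate).
foreach ($spn in @("HTTP/$SiteHost", "HTTP/$WebServer", "HTTP/$WebServer.$DomainDns")) {
    & setspn.exe -S $spn "$WebServer`$" | Out-Null
}

# 2. Allow the web server to delegate the caller's identity.
if ($Constrained) {
    # Only to CIFS on the file server, and with "use any authentication protocol"
    # (protocol transition) so a browser that fell back to NTLM still reaches the
    # share. Needs a Windows Server 2003 (or later) functional level domain.
    $targets = @("cifs/$FileServer.$DomainDns", "cifs/$FileServer")
    Set-ADComputer -Identity $WebServer -Add @{ 'msDS-AllowedToDelegateTo' = $targets }
    $webAccount | Set-ADAccountControl -TrustedToAuthForDelegation $true
} else {
    # Unconstrained: any service, any protocol. It works, but every user's TGT
    # that lands on WEB01 can then be replayed against any service in the
    # forest, so prefer the constrained form above.
    $webAccount | Set-ADAccountControl -TrustedForDelegation $true
}

# 3. Verify the pieces that usually go wrong: missing HTTP/ SPN, delegation flag
#    not set, or the user marked "Account is sensitive and cannot be delegated".
function Test-DelegationSetup {
    param([string]$Computer, [string]$User)
    $c = Get-ADComputer -Identity $Computer -Properties TrustedForDelegation,
            TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', servicePrincipalName
    $u = Get-ADUser -Identity $User -Properties AccountNotDelegated
    [pscustomobject]@{
        Computer           = $c.Name
        HttpSpns           = @($c.servicePrincipalName | Where-Object { $_ -like 'HTTP/*' })
        Unconstrained      = [bool]$c.TrustedForDelegation
        ConstrainedTargets = @($c.'msDS-AllowedToDelegateTo')
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation
        UserCanBeDelegated = -not [bool]$u.AccountNotDelegated
    }
}

Test-DelegationSetup -Computer $WebServer -User 'joe' | Format-List
```

On the web application side this still needs Integrated Windows authentication only (no anonymous access) in IIS and `<authentication mode="Windows"/>` plus `<identity impersonate="true"/>` in web.config, which is the ASP.NET half of KB 810572. Delegation flags are read when tickets are issued, so after changing them have the test user log off and on (or run `klist purge`) and confirm the site is actually negotiating Kerberos rather than NTLM; if the app pool runs as a domain account instead of Network Service, the SPNs and delegation settings belong on that account, not on the computer account.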
Raterus - 25 Mar 2004 21:26 GMT
Thanks for taking the time to answer.  I haven't figured it out yet (I tried
everything in that first article, still no go), but I definitely feel I'm on
the right track now and that it is possible!

--Michael

boycom - 26 Jul 2004 07:28 GMT
have you got how to do this yet?

---
Raterus - 26 Jul 2004 22:14 GMT
wow, you realize I posted this like 4 months ago, but yes I got this working great, thanks for caring!

--Michael

Shawn Anderson - 27 Jul 2004 03:41 GMT
How did you get it to work?

I am trying to do the same thing right now..

Raterus - 27 Jul 2004 13:46 GMT
Delegation:
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

Works great!  Just follow that article to the letter...

--Michael


©2008 Advenet LLC   Privacy Policy - Terms of Use