
.NET Forum / .NET Framework / Security / September 2005


Delegation across trusted domains

Paul - 19 Sep 2005 10:21 GMT
Hi, I've already posted this in a different group, but I've received no
responses...

-------

I have some load balanced IIS servers, which get content and .NET
applications from clustered file servers using UNC shares. The content within
the shares is secured using NTFS file permissions. I've turned on delegation
so that the IIS servers are allowed to delegate to the file servers, and this
is working.

We have a separate (but trusted) domain; users from this domain have also
been granted rights to the files on the file servers, however they are being
denied access to the content through the IIS servers. I can only assume that
the delegation is only working for users which are on the same domain as the
servers?

If it is not possible, this will seriously mess up how some of our
applications work... so I'm hoping someone has a solution.
Dominick Baier [DevelopMentor] - 19 Sep 2005 12:16 GMT
Hello Paul,

As long as there is a path of trust between all parties, this should work.

Make sure that Kerberos is used between browser and web server, e.g. by inspecting
the security log - you should see a logon event for the client - the authentication
package has to be Kerberos (instead of NTLM) - or use a sniffer like www.ethereal.com
to see if Kerberos Service Ticket Requests are being made. For delegation
to work you need Kerb auth all the way through.

Read more here:
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi, I've already posted this in a different group, but I've received
> no responses...
[quoted text clipped - 15 lines]
> If it is not possible, this will seriously mess up how some of our
> applications work... so I'm hoping someone has a solution.
Paul - 20 Sep 2005 11:46 GMT
That must be the problem, I'm seeing NTLM as the authentication package. I've
tried some things from your security briefs, but the package is still NTLM...
I can see this taking me a while!

> Hello Paul,
>
[quoted text clipped - 31 lines]
> > If it is not possible, this will seriously mess up how some of our
> > applications work... so I'm hoping someone has a solution.
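
Added example, not part of the original thread: the security-log check suggested in the reply above, run over an XML export of the web server's Security log to show which domains are logging on with something other than Kerberos. It assumes current Windows logon events (ID 4624 with an AuthenticationPackageName field) wrapped in one root element, rather than the 2005-era log format; the sample events, user names and domain names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: builds one logon event (ID 4624, LogonType 3) in the
# shape of an XML export of the Security log. All names are made up.
def _event(user, domain, package):
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4624</EventID></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="TargetDomainName">{domain}</Data>'
        '<Data Name="LogonType">3</Data>'
        f'<Data Name="AuthenticationPackageName">{package}</Data>'
        "</EventData></Event>"
    )

SAMPLE_EXPORT = "<Events>" + "".join([
    _event("alice", "CORP", "Kerberos"),
    _event("bob", "PARTNER", "NTLM"),
    _event("carol", "PARTNER", "NTLM"),
]) + "</Events>"

def network_logons(export_xml):
    """Yield (domain, user, package) for each network logon in the export."""
    for ev in ET.fromstring(export_xml).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # not a successful-logon event
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("LogonType") == "3":  # 3 = network logon (browser to IIS)
            yield (data.get("TargetDomainName", ""),
                   data.get("TargetUserName", ""),
                   data.get("AuthenticationPackageName", ""))

def non_kerberos_by_domain(export_xml):
    """Count, per domain, the network logons that did not use Kerberos.
    Those sessions cannot be delegated on to the file servers."""
    counts = Counter(dom for dom, _user, pkg in network_logons(export_xml)
                     if pkg != "Kerberos")
    return dict(counts)

if __name__ == "__main__":
    for domain, count in sorted(non_kerberos_by_domain(SAMPLE_EXPORT).items()):
        print(f"{domain}: {count} network logon(s) without Kerberos")
```

A domain that appears in this output is authenticating to the web server with NTLM, which matches the symptom reported in the follow-up post.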
