Delegation in ASP.NET

Discussion in 'ASP .Net Security' started by Dominick Baier, Sep 13, 2004.

  1. I think I had a similar problem a while ago -

    and I further think - yes - he is falling back to NTLM, which makes delegation impossible...

    when you turn on auditing for logon events you can see the Authentication Package that is used -

    when using Kerberos - the NEGOTIATE SSPI should be used - see if in the case you described the AuthPackage is NTLM to clarify this...



    ---
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<>

    Hi,

    As the title suggests I have a question about delegation in ASP.NET.

    We have an ASP.NET application running on a web server which requires
    clients to authenticate via Windows Integrated authentication. We're running
    in a Win2K native-mode domain and the clients are IE6 so we should be using
    Kerberos to authenticate.

    At some points the application needs to send an email on behalf of the
    client; this it achieves by impersonating the remote user and using WebDAV to
    talk to the exchange server running on the DC (which is a physically separate
    box from the web server).

    This is working in the main and the credentials appear to flow from the
    browser, through the web-app to the exchange server.

    However, it only hangs together with a certain set of *browser* settings :s

    If the site is configured to live in a zone (e.g. Intranet or Trusted Sites
    etc.) that has either of the "automatic logon..." options in the IE custom
    security level dialog selected then all is well.

    As soon as this isn't true and we manually enter the credentials when
    prompted, we authenticate with the web-server OK, but then the ASP.NET app
    can't authenticate with the exchange box on the client's behalf (it's as if
    we're back to impersonation rather than delegation).

    We believe that all the accounts are correctly configured for
    delegation (i.e. user accounts are *not* marked as sensitive, app account is
    marked as trusted for delegation, machine account trusted for delegation).

    Does anyone have any ideas about what this browser option is actually doing
    that makes the whole thing work?

    The application only supports windows integrated authentication so it can't
    be "falling back" to basic - is it falling back to NTLM though?

    Any help will be much appreciated.

    cheers,
    Matt


    [microsoft.public.dotnet.framework.aspnet.security]
    Dominick Baier, Sep 13, 2004
    #1
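
The check suggested in the reply above (read the authentication package from the audited logon events), as an added example that is not part of the original posts. It assumes the Security log was exported as XML with `wevtutil qe Security /f:xml` and uses the event ID 4624 field names of current Windows versions; the sample events and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample data: logon events in the XML shape that
# `wevtutil qe Security /f:xml` emits, trimmed to the fields read below.
_EVENT = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{0}</EventID></System><EventData>"
    '<Data Name="TargetUserName">{1}</Data>'
    '<Data Name="LogonType">{2}</Data>'
    '<Data Name="AuthenticationPackageName">{3}</Data>'
    "</EventData></Event>"
)
SAMPLE = "".join(_EVENT.format(*row) for row in [
    ("4624", "alice", "3", "Kerberos"),    # constructed: Kerberos network logon
    ("4624", "bob", "3", "NTLM"),          # constructed: NTLM network logon
    ("4624", "SYSTEM", "5", "Negotiate"),  # service logon, not a web client
    ("4634", "alice", "3", ""),            # logoff event, ignored
])


def network_logons(xml_text):
    """Return (user, auth_package) for every network logon (4624, type 3)."""
    # wevtutil prints bare <Event> elements, so wrap them in a single root.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    found = []
    for event in root.findall("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in event.findall("e:EventData/e:Data", NS)}
        if data.get("LogonType") == "3":  # type 3 = network logon
            found.append((data.get("TargetUserName", ""),
                          data.get("AuthenticationPackageName", "")))
    return found


def cannot_delegate(xml_text):
    """Users whose network logon was not Kerberos, so there is no ticket to delegate."""
    return sorted({user for user, package in network_logons(xml_text)
                   if package.lower() != "kerberos"})


if __name__ == "__main__":
    for user, package in network_logons(SAMPLE):
        print(f"{user}: {package}")
    print("no delegation possible for:", cannot_delegate(SAMPLE))
```

Run against the web server's log after reproducing both browser configurations; a user who appears in `cannot_delegate` for the manual-credentials case confirms the NTLM fallback.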