Delegation user's credential from webserver to backend server through terminal service

Discussion in 'ASP .Net Security' started by culeno, May 19, 2005.

  1. culeno

    culeno Guest

    I have an intranet application within a domain. Following the KB
    article: How to configure an ASP.NET application for a delegation
    scenario
    (http://support.microsoft.com/default.aspx?scid=kb;en-us;810572) allows
    us to impersonate the user's credential from the web server to the back end
    server (SQL and Reporting service server). It works fine if the user logs
    in within the domain and launches the application.

    The problem happens when the users work at home and use Windows 2003
    terminal service (not in the same domain as the web app and SQL) to log
    on, and then launch the web app. We noticed that the authentication
    method is NTLM instead of Kerberos when accessing the web app through
    the terminal service (since they don't belong to the same domain).
    Maybe this is the reason why the delegation doesn't work anymore? Can
    anybody tell me how to make it work?

    Thanks.
    Jerry
     
    culeno, May 19, 2005
    #1

  2. Delegation is a Kerberos feature, so that would stand to reason. I'd work
    with your admins to see if you can get the terminal services machines to use
    Kerberos. Otherwise, your strategy won't work in that configuration.

    Joe K.

    "culeno" <> wrote in message
    news:...
    >I have an intranet application within a domain. Following the KB
    > article: How to configure an ASP.NET application for a delegation
    > scenario
    > (http://support.microsoft.com/default.aspx?scid=kb;en-us;810572) allows
    > us to impersonate user's credential from the web server to the back end
    > server (SQL and Reporting service server). It works fine if user logs
    > in within the domain and launch the application.
    >
    > The problem happens when the users work at home and use Windows 2003
    > terminal service (not in the same domain as the web app and SQL) to log
    > on, and then launch the web app. We noticed that the authentication
    > method is NTLM instead of Kerberos when accessing the web app through
    > the terminal service (since they don't belong to the same domain).
    > Maybe this is the reason why the delegation doesn't work anymore? Can
    > anybody tell me how to make it work?
    >
    > Thanks.
    > Jerry
    >
     
    Joe Kaplan (MVP - ADSI), May 19, 2005
    #2

  3. culeno

    culeno Guest

    Thanks, Joe, for your answer. Can you point me to some articles on how
    to enable Kerberos between two domains (or between a machine and a
    domain)?

    Jerry
     
    culeno, May 19, 2005
    #3
  4. http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

    This is the best Kerb paper I know of. You'll probably need some help from
    your network and AD admins on this as well. There must at the very least be
    a trust relationship between the two domains. That much I know for sure.

    Joe K.

    "culeno" <> wrote in message
    news:...
    > Thanks Joe for your answering. Can you point me to some articles on how
    > to enable Kerberos between two domains (or between a machine and a
    > domain)?
    >
    > Jerry
    >
     
    Joe Kaplan (MVP - ADSI), May 19, 2005
    #4
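
The NTLM-versus-Kerberos observation in this thread can be confirmed on the web server by inspecting the first token a browser sends in its `Authorization` header. The following is an added example, not part of any post in the thread; the function names and sample tokens are constructed for illustration, and the check is a heuristic on the first leg of the handshake only.

```python
import base64

NTLM_SIG = b"NTLMSSP\x00"                               # start of every NTLM message
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2

def classify_authorization(header_value):
    """Classify the first-leg token of an Authorization header value.

    Returns 'kerberos', 'ntlm' or 'unknown'. Heuristic: inspects leading
    bytes and mechanism OIDs only, and does not validate the token.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                  # binascii.Error is a ValueError
        return "unknown"
    if token.startswith(NTLM_SIG):      # raw NTLM, also sent under "Negotiate"
        return "ntlm"
    if token[:1] != b"\x60":            # GSS-API initial tokens start with 0x60
        return "unknown"
    if NTLM_SIG in token:               # NTLM message wrapped in SPNEGO
        return "ntlm"
    if OID_KRB5 in token or OID_MS_KRB5 in token:
        return "kerberos"
    return "unknown"

def ntlm_fallbacks(requests):
    """Return the clients whose first token was NTLM rather than Kerberos."""
    return [client for client, header in requests
            if classify_authorization(header) == "ntlm"]

def _tlv(tag, body):
    """DER tag-length-value with a short-form length (body under 128 bytes)."""
    return bytes([tag, len(body)]) + body

# Constructed samples: an NTLM type 1 message and a SPNEGO NegTokenInit that
# offers only Kerberos mechanisms (no real ticket inside).
SAMPLE_NTLM = base64.b64encode(NTLM_SIG + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2").decode()
SAMPLE_KRB = base64.b64encode(_tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30,
    _tlv(0xA0, _tlv(0x30, OID_MS_KRB5 + OID_KRB5)))))).decode()
SAMPLE_REQUESTS = [("domain-pc", "Negotiate " + SAMPLE_KRB),
                   ("ts-session", "Negotiate " + SAMPLE_NTLM)]

if __name__ == "__main__":
    print(ntlm_fallbacks(SAMPLE_REQUESTS))
```

A base64 token beginning with `TlRMTVNTUAAB` is the quickest visual sign of NTLM in a captured header.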