IIS 7 and WindowsIdentity

Discussion in 'ASP .Net Security' started by Peter Larsen [CPH], Jul 27, 2010.

  1. Hej,

    I have a website where the IIS is setup to use "Windows Authentication".

    The website connects to oracle using the following connection string:
    <add key="Main.ConnectionString" value="data source=DATABASE;user
    id=/;"/>

    Running the website, WindowsIdentity return the user added to the
    application-pool associated with the website. Thread.CurrentPrincipal return
    the user currently accessing the website.

    I want OracleConnection to use the identity of the user currently using the
    website (here Thread.CurrentPrincipal), but this is not what happens. The
    oracle component use the user-account added to the Application Pool (here
    found in WindowsIdentity).

    There must be a way to do this, but i don't know how to configure the IIS to
    use the identity from current user...

    Thank you in advance.
    BR
    Peter
     
    Peter Larsen [CPH], Jul 27, 2010
    #1
    1. Advertising

  2. Peter Larsen [CPH]

    Jerry Weng Guest

    Hello Peter Larsen,
    Thank you for posting.
    From your post, my understanding on this issue is: login to the database
    with the current user which authenticated in your web system. If I'm off
    base, please feel free to let me know.

    We need to impersonate the user to meet the requirement.

    So the connectionString need to be like this:
    <add key="Main.ConnectionString" value="data source=DATABASE;User Id=/;"/>

    And we need to add <identity impersonate="true"> to the web.config.

    <system.web>
    <identity impersonate="true"/>
    </system.web>

    Reference:
    ASP.NET Impersonation
    http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx

    Please let me know the information above so that I can provider further
    assistance on this problem. I am looking forward to your reply.

    --
    Sincerely,
    Jerry Weng
    Microsoft Online Community Support

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    ications.

    With newsgroups, MSDN subscribers enjoy unlimited, free support as opposed
    to the limited number of phone-based technical support incidents. Complex
    issues or server-down situations are not recommended for the newsgroups.
    Issues of this nature are best handled working with a Microsoft Support
    Engineer using one of your phone-based incidents.
    ==================================================
    --------------------
    | From: "Peter Larsen [CPH]" <>
    | Subject: IIS 7 and WindowsIdentity
    | Date: Tue, 27 Jul 2010 18:14:16 +0200
    | Lines: 25
    | X-Priority: 3
    | X-MSMail-Priority: Normal
    | X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
    | X-RFC2646: Format=Flowed; Original
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
    | Message-ID: <>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    | NNTP-Posting-Host: edge1.bankinvest.dk 131.165.55.124
    | Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
    | Xref: TK2MSFTNGHUB02.phx.gbl
    microsoft.public.dotnet.framework.aspnet.security:78
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    |
    | Hej,
    |
    | I have a website where the IIS is setup to use "Windows Authentication".
    |
    | The website connects to oracle using the following connection string:
    | <add key="Main.ConnectionString" value="data source=DATABASE;user
    | id=/;"/>
    |
    | Running the website, WindowsIdentity return the user added to the
    | application-pool associated with the website. Thread.CurrentPrincipal
    return
    | the user currently accessing the website.
    |
    | I want OracleConnection to use the identity of the user currently using
    the
    | website (here Thread.CurrentPrincipal), but this is not what happens. The
    | oracle component use the user-account added to the Application Pool (here
    | found in WindowsIdentity).
    |
    | There must be a way to do this, but i don't know how to configure the IIS
    to
    | use the identity from current user...
    |
    | Thank you in advance.
    | BR
    | Peter
    |
    |
    |
     
    Jerry Weng, Jul 28, 2010
    #2
    1. Advertising

  3. Hi Jerry,

    Thank you for your comment.
    I think this is what i am looking for.

    Just to be sure - so it is possible to impersonate each session (on the iis)
    with current user(s) ??

    BR
    Peter



    "Jerry Weng" <> wrote in message
    news:wj4dn$...
    > Hello Peter Larsen,
    > Thank you for posting.
    > From your post, my understanding on this issue is: login to the database
    > with the current user which authenticated in your web system. If I'm off
    > base, please feel free to let me know.
    >
    > We need to impersonate the user to meet the requirement.
    >
    > So the connectionString need to be like this:
    > <add key="Main.ConnectionString" value="data source=DATABASE;User
    > Id=/;"/>
    >
    > And we need to add <identity impersonate="true"> to the web.config.
    >
    > <system.web>
    > <identity impersonate="true"/>
    > </system.web>
    >
    > Reference:
    > ASP.NET Impersonation
    > http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx
    >
    > Please let me know the information above so that I can provider further
    > assistance on this problem. I am looking forward to your reply.
    >
    > --
    > Sincerely,
    > Jerry Weng
    > Microsoft Online Community Support
    >
    > ==================================================
     
    Peter Larsen [CPH], Jul 28, 2010
    #3
  4. Hi Jerry,

    I can't get it to work.

    I use the following sample to test with:

    string cs = ConfigurationManager.AppSettings["main.connectionstring"];
    Oracle.DataAccess.Client.OracleConnection oc = new OracleConnection(cs);
    string sql = "select * from table_name t";
    using (OracleCommand com = new OracleCommand(sql, oc))
    {
    oc.Open();
    OracleDataReader odr = com.ExecuteReader();
    }

    The web.config contains "identity impersonate = true" and user id=/; in the
    connection string.

    On my own machine, this works just fine, but it fails on the ISS with the
    error "Oracle.DataAccess.Client.OracleException: ORA-1017".

    I log the text from the below line + checks that the logoff/logon events
    exist in the Security Log (on the server).

    string text = string.Format("windowsidentity:{0}:{1},
    currentthread:{2}:{3}",
    System.Security.Principal.WindowsIdentity.GetCurrent().Name,
    System.Security.Principal.WindowsIdentity.GetCurrent().IsAuthenticated,
    System.Threading.Thread.CurrentPrincipal.Identity.Name,
    System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated);

    It all seems ok, but it doesn't work.
    What do i do wrong here ??

    Thank you.

    BR
    Peter



    "Jerry Weng" <> wrote in message
    news:wj4dn$...
    > Hello Peter Larsen,
    > Thank you for posting.
    > From your post, my understanding on this issue is: login to the database
    > with the current user which authenticated in your web system. If I'm off
    > base, please feel free to let me know.
    >
    > We need to impersonate the user to meet the requirement.
    >
    > So the connectionString need to be like this:
    > <add key="Main.ConnectionString" value="data source=DATABASE;User
    > Id=/;"/>
    >
    > And we need to add <identity impersonate="true"> to the web.config.
    >
    > <system.web>
    > <identity impersonate="true"/>
    > </system.web>
    >
     
    Peter Larsen [CPH], Jul 28, 2010
    #4
  5. Hi Jerry,

    I have found that it works if i change the Application Pool to use my
    account (and remove impersonate = true from web.config).

    It also works if i change the logon method from Windows Authentication to
    Basic Authentication + removing impersonate as above, and then logon using
    the logon popup window.

    BR
    Peter
     
    Peter Larsen [CPH], Jul 28, 2010
    #5
  6. - but it doesn't work if using Windows Authentication and ASP.NET
    Impersonation - which is what i need :-(
     
    Peter Larsen [CPH], Jul 28, 2010
    #6
  7. Peter Larsen [CPH]

    Jerry Weng Guest

    Hi Peter,

    With Windows authentication, either the Windows user must belong to a
    privileged Windows group such as ORA_DBA on the Oracle server or external
    authentication must be enabled. External authentication is not recommended,
    because it is less secure than access through group membership.

    Are the users which you want to impersonate belong to the Windows group
    such as ORA_DBA?

    For ASP.NET, we have to use <identity impersonate="true" /> to impersonate
    the current logon user to process something rather than to use the default
    NETWORK SERVICE account. I think the problem drop down to how the Orcale
    database know the Windows acount is in the sercurity user list. Just like
    we need to add the Windows account to the Security/Logins list in the
    Microsoft SQL Server Management Studio. I think so does the Orcale databse
    need your impersonated account to be added into his user list. And you also
    said that the impersonation works on you local machine but not on the ISS
    server, so I think it is a configuration problem on Orcale database. (Sorry
    I'm not quite familiar with Orcale.)

    Oracle database security problems are out of the support boundaries of this
    managed newsgroups. So I also think we can find more help about how to
    implementing Window Authentication for Orcale from the oracle.com. But I
    still try my best to provide some useful clues to resolve your issue. Here
    I found some useful links from third part websites.

    Securing a .NET Application on the Oracle Database
    http://www.oracle.com/technology/pub/articles/mastering_dotnet_oracle/cook_m
    asteringdotnet.html

    This response contains a reference to a third party World Wide Web site.
    Microsoft is providing this information as a convenience to you. Microsoft
    does not control these sites and has not tested any software or information
    found on these sites; therefore, Microsoft cannot make any representations
    regarding the quality, safety, or suitability of any software or
    information found there. There are inherent dangers in the use of any
    software found on the Internet, and Microsoft cautions you to make sure
    that you completely understand the risk before retrieving any software from
    the Internet.
    --------------------
    | From: "Peter Larsen [CPH]" <>
    | References: <>
    <wj4dn$>
    | Subject: Re: IIS 7 and WindowsIdentity
    | Date: Wed, 28 Jul 2010 14:12:40 +0200
    | Lines: 63
    | X-Priority: 3
    | X-MSMail-Priority: Normal
    | X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
    | X-RFC2646: Format=Flowed; Original
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
    | Message-ID: <>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    | NNTP-Posting-Host: edge1.bankinvest.dk 131.165.55.124
    | Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP06.phx.gbl
    | Xref: TK2MSFTNGHUB02.phx.gbl
    microsoft.public.dotnet.framework.aspnet.security:85
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    |
    | Hi Jerry,
    |
    | I can't get it to work.
    |
    | I use the following sample to test with:
    |
    | string cs = ConfigurationManager.AppSettings["main.connectionstring"];
    | Oracle.DataAccess.Client.OracleConnection oc = new OracleConnection(cs);
    | string sql = "select * from table_name t";
    | using (OracleCommand com = new OracleCommand(sql, oc))
    | {
    | oc.Open();
    | OracleDataReader odr = com.ExecuteReader();
    | }
    |
    | The web.config contains "identity impersonate = true" and user id=/; in
    the
    | connection string.
    |
    | On my own machine, this works just fine, but it fails on the ISS with the
    | error "Oracle.DataAccess.Client.OracleException: ORA-1017".
    |
    | I log the text from the below line + checks that the logoff/logon events
    | exist in the Security Log (on the server).
    |
    | string text = string.Format("windowsidentity:{0}:{1},
    | currentthread:{2}:{3}",
    | System.Security.Principal.WindowsIdentity.GetCurrent().Name,
    | System.Security.Principal.WindowsIdentity.GetCurrent().IsAuthenticated,
    | System.Threading.Thread.CurrentPrincipal.Identity.Name,
    | System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated);
    |
    | It all seems ok, but it doesn't work.
    | What do i do wrong here ??
    |
    | Thank you.
    |
    | BR
    | Peter
    |
    |
    |
    | "Jerry Weng" <> wrote in message
    | news:wj4dn$...
    | > Hello Peter Larsen,
    | > Thank you for posting.
    | > From your post, my understanding on this issue is: login to the database
    | > with the current user which authenticated in your web system. If I'm off
    | > base, please feel free to let me know.
    | >
    | > We need to impersonate the user to meet the requirement.
    | >
    | > So the connectionString need to be like this:
    | > <add key="Main.ConnectionString" value="data source=DATABASE;User
    | > Id=/;"/>
    | >
    | > And we need to add <identity impersonate="true"> to the web.config.
    | >
    | > <system.web>
    | > <identity impersonate="true"/>
    | > </system.web>
    | >
    |
    |
    |
     
    Jerry Weng, Jul 29, 2010
    #7
  8. Hi Jerry,

    How can it be a oracle privileged issue, when it works using another
    authentication method on the website ??
    It does work if using Basic Authentication and ASP.NET Impersonation.

    BR
    Peter


    "Jerry Weng" <> wrote in message
    news:...
    > Hi Peter,
    >
    > With Windows authentication, either the Windows user must belong to a
    > privileged Windows group such as ORA_DBA on the Oracle server or external
    > authentication must be enabled. External authentication is not
    > recommended,
    > because it is less secure than access through group membership.
    >
    > Are the users which you want to impersonate belong to the Windows group
    > such as ORA_DBA?
    >
    > For ASP.NET, we have to use <identity impersonate="true" /> to impersonate
    > the current logon user to process something rather than to use the default
    > NETWORK SERVICE account. I think the problem drop down to how the Orcale
    > database know the Windows acount is in the sercurity user list. Just like
    > we need to add the Windows account to the Security/Logins list in the
    > Microsoft SQL Server Management Studio. I think so does the Orcale databse
    > need your impersonated account to be added into his user list. And you
    > also
    > said that the impersonation works on you local machine but not on the ISS
    > server, so I think it is a configuration problem on Orcale database.
    > (Sorry
    > I'm not quite familiar with Orcale.)
    >
    > Oracle database security problems are out of the support boundaries of
    > this
    > managed newsgroups. So I also think we can find more help about how to
    > implementing Window Authentication for Orcale from the oracle.com. But I
    > still try my best to provide some useful clues to resolve your issue. Here
    > I found some useful links from third part websites.
    >
    > Securing a .NET Application on the Oracle Database
    > http://www.oracle.com/technology/pub/articles/mastering_dotnet_oracle/cook_m
    > asteringdotnet.html
     
    Peter Larsen [CPH], Jul 29, 2010
    #8
  9. Could it be that the authentication type, when using Basic Authentication,
    is kerberos and when using Windows Authentication, it is NTLM ??

    /Peter
     
    Peter Larsen [CPH], Jul 29, 2010
    #9
  10. Peter Larsen [CPH]

    Jerry Weng Guest

    Hi Peter,

    Well, Basic authentication is inherently insecure. Because it is easy to
    decode Base64 encoded data, Basic authentication is essentially sending the
    password as plain text. To improve the security of this authentication
    scheme, we can use it in combination with Secure Sockets Layer/Transport
    Layer Security (SSL/TLS) support to encrypt the HTTP session. However,
    SSL/TLS impacts performance because it encrypts and decrypts all data on
    each exchange. But it can be used by Internet appications.

    Windows authentication is controlled and executed by IIS and is useful
    mainly for intranet Web applications.

    So maybe that also a possible reason. And If you are using a Intranet web
    application, Windows authentication would work better.

    Anyway, it seems that Basic authentication and ASP.NET impersonation could
    help you to resolve the problem, right?

    --
    Sincerely,
    Jerry Weng
    Microsoft Online Community Support

    --------------------
    | From: "Peter Larsen [CPH]" <>
    | References: <>
    <wj4dn$>
    <>
    <>
    | Subject: Re: IIS 7 and WindowsIdentity
    | Date: Thu, 29 Jul 2010 10:29:50 +0200
    | Lines: 48
    | X-Priority: 3
    | X-MSMail-Priority: Normal
    | X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
    | X-RFC2646: Format=Flowed; Original
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
    | Message-ID: <>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    | NNTP-Posting-Host: edge1.bankinvest.dk 131.165.55.124
    | Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
    | Xref: TK2MSFTNGHUB02.phx.gbl
    microsoft.public.dotnet.framework.aspnet.security:93
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    |
    | Hi Jerry,
    |
    | How can it be a oracle privileged issue, when it works using another
    | authentication method on the website ??
    | It does work if using Basic Authentication and ASP.NET Impersonation.
    |
    | BR
    | Peter
    |
    |
    | "Jerry Weng" <> wrote in message
    | news:...
    | > Hi Peter,
    | >
    | > With Windows authentication, either the Windows user must belong to a
    | > privileged Windows group such as ORA_DBA on the Oracle server or
    external
    | > authentication must be enabled. External authentication is not
    | > recommended,
    | > because it is less secure than access through group membership.
    | >
    | > Are the users which you want to impersonate belong to the Windows group
    | > such as ORA_DBA?
    | >
    | > For ASP.NET, we have to use <identity impersonate="true" /> to
    impersonate
    | > the current logon user to process something rather than to use the
    default
    | > NETWORK SERVICE account. I think the problem drop down to how the Orcale
    | > database know the Windows acount is in the sercurity user list. Just
    like
    | > we need to add the Windows account to the Security/Logins list in the
    | > Microsoft SQL Server Management Studio. I think so does the Orcale
    databse
    | > need your impersonated account to be added into his user list. And you
    | > also
    | > said that the impersonation works on you local machine but not on the
    ISS
    | > server, so I think it is a configuration problem on Orcale database.
    | > (Sorry
    | > I'm not quite familiar with Orcale.)
    | >
    | > Oracle database security problems are out of the support boundaries of
    | > this
    | > managed newsgroups. So I also think we can find more help about how to
    | > implementing Window Authentication for Orcale from the oracle.com. But I
    | > still try my best to provide some useful clues to resolve your issue.
    Here
    | > I found some useful links from third part websites.
    | >
    | > Securing a .NET Application on the Oracle Database
    | >
    http://www.oracle.com/technology/pub/articles/mastering_dotnet_oracle/cook_m
    | > asteringdotnet.html
    |
    |
    |
     
    Jerry Weng, Jul 30, 2010
    #10
  11. Hi Jerry,

    It is true that Basic Authentication works, but it is not an option. I only
    tried it as a test.
    We must use Windows Authentication.

    And yes, the website runs on our intranet (IIS 7 on server 2007).

    I have found a page (on MS website) saying that delegation is not supported
    if using NTLM.
    I have also read, that delegation may be a Security Policy setting + the
    server must have a SPN (Service Principal Name) name.

    But i can't get it to work.

    I need somebody to tell me, what is the truth in this and how to make it
    work.

    BR
    Peter




    "Jerry Weng" <> wrote in message
    news:$...
    > Hi Peter,
    >
    > Well, Basic authentication is inherently insecure. Because it is easy to
    > decode Base64 encoded data, Basic authentication is essentially sending
    > the
    > password as plain text. To improve the security of this authentication
    > scheme, we can use it in combination with Secure Sockets Layer/Transport
    > Layer Security (SSL/TLS) support to encrypt the HTTP session. However,
    > SSL/TLS impacts performance because it encrypts and decrypts all data on
    > each exchange. But it can be used by Internet appications.
    >
    > Windows authentication is controlled and executed by IIS and is useful
    > mainly for intranet Web applications.
    >
    > So maybe that also a possible reason. And If you are using a Intranet web
    > application, Windows authentication would work better.
    >
    > Anyway, it seems that Basic authentication and ASP.NET impersonation could
    > help you to resolve the problem, right?
    >
    > --
    > Sincerely,
    > Jerry Weng
    > Microsoft Online Community Support
    >
    > ---
     
    Peter Larsen [CPH], Jul 30, 2010
    #11
  12. Peter Larsen [CPH]

    Jerry Weng Guest

    Hi Peter,

    As I said, I think the key problem is how to create the Windows Account
    User into the user list of the Orcale Database.

    Here I found a solution from the network. I have not environment to test
    it whether it works or not. Hope could help you.

    Configuring Windows Authentication
    http://oradim.blogspot.com/2007/11/configuring-windows-authentication.html

    You can try it and please give me a feedback.

    This response contains a reference to a third party World Wide Web site.
    Microsoft is providing this information as a convenience to you. Microsoft
    does not control these sites and has not tested any software or information
    found on these sites; therefore, Microsoft cannot make any representations
    regarding the quality, safety, or suitability of any software or
    information found there. There are inherent dangers in the use of any
    software found on the Internet, and Microsoft cautions you to make sure
    that you completely understand the risk before retrieving any software from
    the Internet.

    --
    Sincerely,
    Jerry Weng
    Microsoft Online Community Support
    --------------------
    | From: "Peter Larsen [CPH]" <>
    | References: <>
    <wj4dn$>
    <>
    <>
    <>
    <$>
    | Subject: Re: IIS 7 and WindowsIdentity
    | Date: Fri, 30 Jul 2010 09:51:41 +0200
    | Lines: 54
    | X-Priority: 3
    | X-MSMail-Priority: Normal
    | X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
    | X-RFC2646: Format=Flowed; Original
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
    | Message-ID: <#>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    | NNTP-Posting-Host: edge1.bankinvest.dk 131.165.55.124
    | Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
    | Xref: TK2MSFTNGHUB02.phx.gbl
    microsoft.public.dotnet.framework.aspnet.security:97
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    |
    | Hi Jerry,
    |
    | It is true that Basic Authentication works, but it is not an option. I
    only
    | tried it as a test.
    | We must use Windows Authentication.
    |
    | And yes, the website runs on our intranet (IIS 7 on server 2007).
    |
    | I have found a page (on MS website) saying that delegation is not
    supported
    | if using NTLM.
    | I have also read, that delegation may be a Security Policy setting + the
    | server must have a SPN (Service Principal Name) name.
    |
    | But i can't get it to work.
    |
    | I need somebody to tell me, what is the truth in this and how to make it
    | work.
    |
    | BR
    | Peter
    |
    |
    |
    |
    | "Jerry Weng" <> wrote in message
    | news:$...
    | > Hi Peter,
    | >
    | > Well, Basic authentication is inherently insecure. Because it is easy
    to
    | > decode Base64 encoded data, Basic authentication is essentially sending
    | > the
    | > password as plain text. To improve the security of this authentication
    | > scheme, we can use it in combination with Secure Sockets Layer/Transport
    | > Layer Security (SSL/TLS) support to encrypt the HTTP session. However,
    | > SSL/TLS impacts performance because it encrypts and decrypts all data on
    | > each exchange. But it can be used by Internet appications.
    | >
    | > Windows authentication is controlled and executed by IIS and is useful
    | > mainly for intranet Web applications.
    | >
    | > So maybe that also a possible reason. And If you are using a Intranet
    web
    | > application, Windows authentication would work better.
    | >
    | > Anyway, it seems that Basic authentication and ASP.NET impersonation
    could
    | > help you to resolve the problem, right?
    | >
    | > --
    | > Sincerely,
    | > Jerry Weng
    | > Microsoft Online Community Support
    | >
    | > ---
    |
    |
    |
     
    Jerry Weng, Aug 2, 2010
    #12
  13. But, it it true that delegation is not supported if using NTLM ??

    BR
    Peter
     
    Peter Larsen [CPH], Aug 3, 2010
    #13
  14. Peter Larsen [CPH]

    Jerry Weng Guest

    Hello Peter,

    Yes, we can't use NTLM for delegation. We have to use Kerberos
    authentication protocol.

    Kerberos authentication authenticates the server and the client, whereas
    Windows NT Challenge/Response (NTLM) authenticates the client only.

    For client side, only Microsoft Internet Explorer 5.0 or later versions
    support Kerberos.
    For server side, only Windows 2000 or later versions support Kerberos
    authentication, it need IIS 5.0 or later version.

    --
    Sincerely,
    Jerry Weng
    Microsoft Online Community Support
    --------------------
    | From: "Peter Larsen [CPH]" <>
    | References: <>
    <wj4dn$>
    <>
    <>
    <>
    <$>
    <#>
    <>
    | Subject: Re: IIS 7 and WindowsIdentity
    | Date: Tue, 3 Aug 2010 16:23:50 +0200
    | Lines: 7
    | X-Priority: 3
    | X-MSMail-Priority: Normal
    | X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
    | X-RFC2646: Format=Flowed; Original
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
    | Message-ID: <>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    | NNTP-Posting-Host: edge1.bankinvest.dk 131.165.55.124
    | Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
    | Xref: TK2MSFTNGHUB02.phx.gbl
    microsoft.public.dotnet.framework.aspnet.security:105
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    |
    | But, it it true that delegation is not supported if using NTLM ??
    |
    | BR
    | Peter
    |
    |
    |
    |
     
    Jerry Weng, Aug 4, 2010
    #14
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Kevin Burton

    WindowsPrincipal and WindowsIdentity.

    Kevin Burton, Jan 7, 2004, in forum: ASP .Net
    Replies:
    1
    Views:
    7,424
    bruce barker
    Jan 8, 2004
  2. =?ISO-8859-1?Q?J=F6rn_von_Holten?=

    WindowsIdentity... ASP.NET and Remoting

    =?ISO-8859-1?Q?J=F6rn_von_Holten?=, Apr 13, 2005, in forum: ASP .Net
    Replies:
    0
    Views:
    620
    =?ISO-8859-1?Q?J=F6rn_von_Holten?=
    Apr 13, 2005
  3. Eric Pearson
    Replies:
    2
    Views:
    656
    Eric Pearson
    May 30, 2006
  4. Replies:
    0
    Views:
    551
  5. Steve Lynch

    IIS Authentication vs. WindowsIdentity

    Steve Lynch, Sep 2, 2006, in forum: ASP .Net Security
    Replies:
    1
    Views:
    828
    Joe Kaplan
    Sep 2, 2006
Loading...

Share This Page