Kerberos delegation trauma

Discussion in 'ASP .Net Security' started by Mandy, Jan 18, 2005.

  1. Mandy

    Mandy Guest

    Hi,

    I have a .NET web application (C#) which calls a command line tool (using the
    Process object). This tool in turn invokes another tool on another server by
    passing that server's IP address as an argument; however, an error occurs
    when the tool on my machine tries to access the server. I have placed the
    exact same code in a Windows application and a console application, and they
    work fine, so I am under the impression I have a permissions/security problem.

    I have tried to implement Kerberos delegation using Microsoft's KB article
    810572 (configure ASP.NET application for a delegation scenario) but with no
    luck. On my machine I have set IE to have Enable Integrated Windows
    Authentication to true; the EnableNegotiate value in the registry was already
    set to 1. I also have only the 'Integrated Windows authentication' option
    checked in my IIS (5.0) for my web application directory, and have
    impersonation set to true in my web.config with authentication set to Windows.

    In Active Directory I have set my computer to have 'Trust computer for
    delegation' selected, as well as for the server that needs to be accessed.
    The user account on the server that I want to impersonate also has 'Account
    is trusted for delegation' selected and 'Account is sensitive and cannot be
    delegated' unselected, and this account is impersonated in my web.config.
    Admittedly, I did get rather confused with this section, so I'm not sure if
    this is all correct, and I still can't get my tool to run correctly.... ARGH!

    If anyone has any suggestions or can see anything I have done wrong please
    let me know, it will be more than appreciated!!

    CHEERS!!

    Mandy
     
    Mandy, Jan 18, 2005
    #1

  2. Remember, processes launched with the Process class will use the underlying
    process' security token, not the impersonated user's security token. Thus,
    your process will likely launch under ASPNET or NETWORK SERVICE (depending
    on OS and configuration). That is probably the root of your problem.
    Kerberos delegation won't solve this.

    If you want Kerb delegation to come into play, you need to load the code you
    want to call in process via a DLL or something.

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Jan 18, 2005
    #2

  3. Mandy

    Mandy Guest

    I have created a dll which has the code that creates a process that calls the
    command line tool. I have imported this dll into my web application and call
    it but still receive the same error.... Is there anything else I have to do
    to get Kerberos delegation working? Also, are there any alternative methods
    to allow my tool to access resources on another machine?

    Thanks for all your help!

     
    Mandy, Jan 19, 2005
    #3
  4. No no, you just moved the ball on that one. What I was trying to suggest
    was that you take the code in the external program and incorporate that into
    a .NET assembly that you can load directly in your web app. Then you can
    access its functionality in your current process and use your impersonated
    security context.

    If you don't have the source code for the external process, this may not be
    possible. I don't remember if you said much about it.

    If it is the case that you can't call the process' code in your current
    process, you will need to find a way to launch it under a different security
    context.

    Does the process need to run under the security context of the authenticated
    web user or can it run as something else?

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Jan 19, 2005
    #4
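The two points Joe makes in #2 and #4 (a child process inherits the worker process's primary token rather than the thread's impersonation token, and the fallback is to launch the tool under an explicit security context) can be seen directly in code. The following is an added example, not code from the thread or from Microsoft; it assumes .NET Framework 2.0 or later on Windows, that `whoami.exe` is on the path, and the `CONTOSO\svc-tool` account and `C:\tools\remote.exe` path are constructed placeholders.

```csharp
// Added example (not from the thread): shows why Process.Start ignores the
// impersonated identity, and one way to launch the tool under a dedicated
// account instead. Assumes .NET Framework 2.0+ on Windows; account names and
// paths below are constructed placeholders.
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;

static class DelegationDemo
{
    // Identity of the calling thread. Under ASP.NET impersonation this is the
    // authenticated web user, i.e. the token Kerberos delegation can forward
    // to in-process calls (LDAP, SQL, file shares, a loaded assembly).
    public static string ThreadIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Identity a child process inherits. Process.Start without credentials
    // ends up in CreateProcess, which uses the worker process's primary token
    // (ASPNET or NETWORK SERVICE), not the thread's impersonation token, so
    // 'whoami' reports the worker account rather than the web user.
    public static string ChildProcessIdentity()
    {
        ProcessStartInfo psi = new ProcessStartInfo("whoami.exe");
        psi.UseShellExecute = false;
        psi.RedirectStandardOutput = true;
        psi.CreateNoWindow = true;
        using (Process p = Process.Start(psi))
        {
            string output = p.StandardOutput.ReadToEnd().Trim();
            p.WaitForExit();
            return output;
        }
    }

    // The alternative from #4: run the external tool under an explicit,
    // least-privilege service account. Setting UserName/Password/Domain makes
    // Process.Start call CreateProcessWithLogonW, so the child gets a fresh
    // primary token for that account. The password should come from protected
    // configuration or DPAPI at runtime, never from source or web.config in
    // the clear.
    public static int RunAsServiceAccount(string exe, string args,
                                          string domain, string user,
                                          SecureString password)
    {
        ProcessStartInfo psi = new ProcessStartInfo(exe, args);
        psi.UseShellExecute = false;   // required when supplying credentials
        psi.Domain = domain;
        psi.UserName = user;
        psi.Password = password;
        psi.LoadUserProfile = false;   // no profile needed for a CLI tool
        psi.CreateNoWindow = true;
        using (Process p = Process.Start(psi))
        {
            p.WaitForExit();
            return p.ExitCode;
        }
    }

    static void Main()
    {
        // From an impersonating ASP.NET page these two lines print different
        // accounts, which is the mismatch described in #2.
        Console.WriteLine("Thread identity : " + ThreadIdentity());
        Console.WriteLine("Child process   : " + ChildProcessIdentity());

        // Placeholder call for the #4 alternative; the SecureString would be
        // populated from a protected store at runtime.
        // SecureString pw = LoadPasswordFromProtectedConfig(); // hypothetical helper
        // int rc = RunAsServiceAccount(@"C:\tools\remote.exe", "10.0.0.5",
        //                              "CONTOSO", "svc-tool", pw);
    }
}
```

Running the first two calls from a console application prints the same account twice, which is exactly why Mandy's console and WinForms tests worked; only under ASP.NET impersonation do the thread and process identities diverge. Granting the dedicated account just the rights the tool needs on the remote server keeps the web worker identity itself out of the remote ACLs.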