Kerberos

Discussion in 'ASP .Net Security' started by Reza, May 10, 2005.

  1. Reza

    Reza Guest

    Hi

    An administrator from the trusted forest connects to my web application in
    the trusting forest. Surely he can do it because of the trust. In my web
    page I tried to impersonate as him and create a global group in his forest.
    Since he is an administrator he must be able to do it but here I get an
    error. I did the same thing through a desktop application which I Run As him
    in my forest (trusting forest) and it works fine. Why can't I do it through
    web? His account is NOT (sensitive and can
    not be delegated) and my IIS computer is trusted for delegation so everything
    is fine for delegation. Another test is that when I change security in IIS to
    Basic Authentication it works but in Integrated windows it is not working.
    That made me think it is probably because of Kerberos. Documentation says
    delegation for Kerberos needs all computers to be in the same forest. I ran
    the same test in a single forest again with the same result. The error is
    nonspecific: (Operation error) which is raised by Directory Service class of
    .Net. There is no Access Denied or any other meaningful thing. I am really
    confused!! Somebody can help me please?

    Thanks
    Reza
    Reza, May 10, 2005
    #1

  2. Can you please post the code? That would be very helpful. Also, it helps
    to mention S.DS in the subject with issues like this if you want the
    Directory Services MVPs to notice. :)

    Another good idea would be to verify whether your DirectoryEntry is getting
    mutually authenticated. This requires some COM interop using the
    IADsObjectOptions with the ADS_OPTION_MUTUAL_AUTH_STATUS (4) flag passed in.
    It will tell you true/false whether you got a Kerberos bind or not.

    HTH,

    Joe K.

    "Reza" <> wrote in message
    news:...
    > Hi
    >
    > An administrator from the trusted forest connects to my web application in
    > the trusting forest. Surely he can do it because of the trust. In my web
    > page I tried to impersonate as him and create a global group in his
    > forest.
    > Since he is an administrator he must be able to do it but here I get an
    > error. I did the same thing through a desktop application which I Run As
    > him
    > in my forest (trusting forest) and it works fine. Why can't I do it
    > through
    > web? His account is NOT (sensitive and can
    > not be delegated) and my IIS computer is trusted for delegation so
    > everything
    > is fine for delegation. Another test is that when I change security in IIS
    > to
    > Basic Authentication it works but in Integrated windows it is not working.
    > That made me think it is probably because of Kerberos. Documentation says
    > delegation for Kerberos needs all computers to be in the same forest. I
    > ran
    > the same test in a single forest again with the same result. The error is
    > nonspecific: (Operation error) which is raised by Directory Service class
    > of
    > .Net. There is no Access Denied or any other meaningful thing. I am really
    > confused!! Somebody can help me please?
    >
    > Thanks
    > Reza
    >
    >
    Joe Kaplan (MVP - ADSI), May 10, 2005
    #2
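
The check suggested in the reply above, written out as an added example that is not code from either poster. It assumes a project reference to the COM "Active DS Type Library" (interop namespace `ActiveDs`); the helper name `BindDiagnostics` and the LDAP path passed to it are hypothetical.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using ActiveDs; // interop assembly generated from the Active DS Type Library (assumed reference)

public static class BindDiagnostics // hypothetical helper name
{
    const int ADS_OPTION_MUTUAL_AUTH_STATUS = 4; // option value quoted in the reply
    const int ISC_RET_MUTUAL_AUTH = 0x2;         // SSPI flag set when mutual authentication happened

    // Call from the page while impersonating the caller, just before the directory write.
    public static string Describe(string ldapPath)
    {
        // Who the thread is running as, and how far that token may travel.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        string report = String.Format(
            "identity={0} authType={1} level={2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);

        // Null user name and password: bind with the current (impersonated) identity.
        using (DirectoryEntry entry = new DirectoryEntry(
            ldapPath, null, null, AuthenticationTypes.Secure))
        {
            // Reading NativeObject forces the bind; a failed bind throws here.
            IADsObjectOptions options = (IADsObjectOptions)entry.NativeObject;
            int status = Convert.ToInt32(
                options.GetOption(ADS_OPTION_MUTUAL_AUTH_STATUS));

            // Mutual authentication indicates Kerberos rather than an NTLM fallback.
            bool mutual = (status & ISC_RET_MUTUAL_AUTH) != 0;
            report += " mutualAuth=" + mutual;
        }
        return report;
    }
}
```

Logging the returned string under Integrated Windows authentication and again under Basic shows whether the two cases differ in the bind (`mutualAuth`) or in the token itself (`level=Impersonation` instead of `level=Delegation`).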