Kerberos

Discussion in 'ASP .Net Security' started by Reza, May 5, 2005.

  1. Reza

    Reza Guest

    Hi

    I have made a one way trust between my forest and my customer's forest. I
    have developed a web application in my forest. My customer tries to connect
    to my web application from his forest, does something in my forest (I have set
    the permission for him) and comes back to his forest to do something there.
    The problem is in the last step which fails because it is more than one hop
    and Kerberos does not work across forests. Does anybody know any solution? How
    can I access network resources in 2 different forests through a single web
    application?

    Regards
    Reza
    Reza, May 5, 2005
    #1

  2. Ken Schaefer

    Ken Schaefer Guest

    AFAIK, Kerberos should work across forests, assuming you have the necessary
    forest trusts in place and appropriate delegation is configured (if
    required). How else does a user get access to resources in a remote forest?

    Cheers
    Ken

    --
    Blog: www.adopenstatic.com/cs/blogs/ken/
    Web: www.adopenstatic.com


    "Reza" <> wrote in message
    news:...
    : Hi
    :
    : I have made a one way trust between my forest and my customer's forest. I
    : have developed a web application in my forest. My customer tries to connect
    : to my web application from his forest, does something in my forest (I have set
    : the permission for him) and comes back to his forest to do something there.
    : The problem is in the last step which fails because it is more than one hop
    : and Kerberos does not work across forests. Does anybody know any solution? How
    : can I access network resources in 2 different forests through a single web
    : application?
    :
    : Regards
    : Reza
    Ken Schaefer, May 9, 2005
    #2

  3. Reza

    Reza Guest

    Thank you Ken:

    The exact scenario is like this: An administrator from the trusted forest
    connects to my web application in the trusting forest. Surely he can do it
    because of the trust. In my web page I tried to impersonate him and create
    a global group in his forest. Since he is an administrator he must be able to
    do it, but here I get an error. I did the same thing through a desktop
    application which I Run As him in my forest (trusting forest) and it works
    fine. Why can't I do it through the web? His account is NOT sensitive and
    cannot be delegated, and my IIS computer is trusted for delegation, so everything
    is fine for delegation. Another test is that when I change security in IIS to
    Basic Authentication it works, but with Integrated Windows it is not working.
    That made me think it is probably because of Kerberos. Documentation says
    delegation for Kerberos needs all computers to be in the same forest. I ran
    the same test in a single forest again with the same result. The error is
    nonspecific: (Operation error), which is raised by the Directory Services class of
    .Net. There is no Access Denied or any other meaningful thing. I am really
    confused!!

    Thanks
    Reza

    "Ken Schaefer" wrote:

    > AFAIK, Kerberos should work across forests, assuming you have the necessary
    > forest trusts in place and appropriate delegation is configured (if
    > required). How else does a user get access to resources in a remote forest?
    >
    > Cheers
    > Ken
    >
    > --
    > Blog: www.adopenstatic.com/cs/blogs/ken/
    > Web: www.adopenstatic.com
    >
    >
    > "Reza" <> wrote in message
    > news:...
    > : Hi
    > :
    > : I have made a one way trust between my forest and my customer's forest. I
    > : have developed a web application in my forest. My customer tries to connect
    > : to my web application from his forest, does something in my forest (I have set
    > : the permission for him) and comes back to his forest to do something there.
    > : The problem is in the last step which fails because it is more than one hop
    > : and Kerberos does not work across forests. Does anybody know any solution? How
    > : can I access network resources in 2 different forests through a single web
    > : application?
    > :
    > : Regards
    > : Reza
    >
    >
    >
    Reza, May 9, 2005
    #3
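    The delegation preconditions Reza lists in this post (the user account not marked "sensitive and cannot be delegated", the IIS computer trusted for delegation, a trust that lets Kerberos rather than NTLM be negotiated) can be verified from PowerShell rather than inferred from a nonspecific "Operation error". This is an added diagnostic, not code from the thread; it assumes the ActiveDirectory RSAT module and read access to both forests, and the host, user and domain names are placeholders.

```powershell
# Added diagnostic (not from the thread). Verifies the Kerberos delegation preconditions
# for a web server that must reach a second hop in a trusted forest.
param(
    [string]$IisHost    = 'IISHOST',            # placeholder: computer account of the web server
    [string]$WebDomain  = 'trusting.example',   # placeholder: forest hosting the web application
    [string]$User       = 'remoteadmin',        # placeholder: sAMAccountName of the customer's admin
    [string]$UserDomain = 'trusted.example'     # placeholder: customer's (trusted) forest
)
Import-Module ActiveDirectory
$findings = @()

# 1. Without an HTTP/* SPN on the web server, Integrated Windows authentication falls back
#    to NTLM, and an NTLM token cannot be delegated to a second hop. Basic authentication
#    hands IIS the password, which is why it can still log on to the remote forest.
$iis = Get-ADComputer -Identity $IisHost -Server $WebDomain `
         -Properties servicePrincipalName, userAccountControl, 'msDS-AllowedToDelegateTo'
if (-not ($iis.servicePrincipalName | Where-Object { $_ -like 'HTTP/*' })) {
    $findings += "No HTTP/* SPN registered for $IisHost; Kerberos will not be negotiated."
}

# 2. userAccountControl bit 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained);
#    a non-empty msDS-AllowedToDelegateTo means constrained delegation instead.
$unconstrained = ($iis.userAccountControl -band 0x80000) -ne 0
$constrained   = @($iis.'msDS-AllowedToDelegateTo').Count -gt 0
if (-not ($unconstrained -or $constrained)) {
    $findings += "$IisHost is not trusted for delegation."
} elseif ($constrained -and -not $unconstrained) {
    $findings += "Constrained delegation is in use: each second-hop service must be listed in msDS-AllowedToDelegateTo, and classic constrained delegation does not cross a forest trust."
}

# 3. userAccountControl bit 0x100000 = NOT_DELEGATED ("sensitive and cannot be delegated").
$u = Get-ADUser -Identity $User -Server $UserDomain -Properties userAccountControl
if (($u.userAccountControl -band 0x100000) -ne 0) {
    $findings += "$User is marked sensitive and cannot be delegated."
}

# 4. Kerberos referrals between forests rely on a forest trust; with a non-transitive
#    external trust, expect NTLM, which again cannot be delegated.
$trust = Get-ADTrust -Filter "Name -eq '$UserDomain'" -Server $WebDomain
if ($null -eq $trust) {
    $findings += "No trust object for $UserDomain found in $WebDomain."
} elseif (-not $trust.ForestTransitive) {
    $findings += "Trust to $UserDomain is not forest-transitive (external trust); expect NTLM."
}

if ($findings.Count -eq 0) { 'All checked delegation preconditions hold; inspect the second-hop service next.' }
else { $findings }
```

Run it from a machine joined to the trusting forest with credentials that can read both directories; each finding names one precondition from the post that does not hold.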