Kerberose

R

Reza

Hi

I have made a one way trust between my forest and my cutomer's forest. I
have developed a web application in my forest. My customer tries to connect
to my web application from his forst, does something in my forest (I have set
the persmission for him) and comes back to his forest to do something threre.
The problem is in the last step which fails because it is more than one hop
and Kerberose does not work across forests. Anybody knows any solution? How
can I access network resources in 2 different forests through a single web
application?

Regards
Reza
 
K

Ken Schaefer

AFAIK, Kerberos should work across forests, assuming you have the necessary
forest trusts in place and appropriate delegation is configured (if
required). How else does a user get access to resources in a remote forest?

Cheers
Ken

--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com


: Hi
:
: I have made a one way trust between my forest and my cutomer's forest. I
: have developed a web application in my forest. My customer tries to
connect
: to my web application from his forst, does something in my forest (I have
set
: the persmission for him) and comes back to his forest to do something
threre.
: The problem is in the last step which fails because it is more than one
hop
: and Kerberose does not work across forests. Anybody knows any solution?
How
: can I access network resources in 2 different forests through a single web
: application?
:
: Regards
: Reza
 
R

Reza

Thank you Ken:

The exact scenario is like this: An administrator from the trusted forest
connects to my web application in the trusting forest. Surely he can do it
because of the trust. In my web page I tried to impersonate as him and create
a global group in his forest. Since he is an administrator he must be able to
do it but here I get an error. I did the same thing through a desktop
application which I Run As him in my forest (trusting forest) and it works
fine. Why can't I do it through web? His account is NOT sensitive and can
not be delegated and my IIS computer is trusted for delegation so everything
is fine for delegation. Another test is that when I change security in IIS to
Basic Authentication it works but in Integrated windows it is not working.
That made me think it is probably because of Kerberos. Documentation says
delegation for Kerberos needs all computers to be in the same forest. I ran
the same test in a single forest again with the same result. The error is
nonspecific: (Operation error) which is raised by Directory Service class of
..Net. There is no Access Denied or any other meaningful thing. I am really
confused!!

Thanks
Reza
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Security 2
Kerberos 1
NTLM Authentication Across Forests 2
How to effectively develop a web application from scratch? 0
I'm tempted to quit out of frustration 1
What should I do Before I give up programming? 6
Looking to change programming direction 1
I need help in understanding these files on my phone, Could someone help me understand these files? Urgent help needed. Please help. 1

Members online

No members online now.
Total: 26 (members: 0, guests: 26)
Robots: 174

Forum statistics

Threads
473,755
Messages
2,569,534
Members
45,007
Latest member
obedient dusk

Latest Threads

Top