tricky multi-tier delegation

Discussion in 'ASP .Net Security' started by Pete, Nov 11, 2004.

  1. Pete

    Pete Guest

    Is it possible to implement a 2-tier ASP.NET app with delegation to
    the back-end without authenticating the user at the middle-tier?

    I have IIS running a presentation application that needs to delegate
    Kerberos authentication to a proprietary back-end (non-Windows)
    server. The kicker is that the presentation server is not connected to
    the Authentication Server/KDC, so it cannot authenticate the user. The
    client, presentation server and back-end server are all connected on a
    private LAN, but only the client & back-end are on the intranet. I
    want the client to provide credentials (ticket) to the middle-tier,
    who in turn provides those same credentials to the back-end, without
    the middle-tier doing any authentication himself. I can't find a way
    to do this.

    Thanks,
    Pete
     
    Pete, Nov 11, 2004
    #1

  2. Ken Schaefer

    Ken Schaefer Guest

    I don't think this is possible.

    Kerberos authentication requires that the client get a ticket to access the
    service (the service being IIS). If IIS is using Kerberos authentication, it
    won't accept the ticket unless it can validate it.

    Delegation is then a subsequent step. Here the webserver (IIS) has been
    granted permissions to "act as the user" - i.e. get a service ticket on
    the user's behalf to access the backend server. To get this ticket, IIS
    needs to communicate with the KDC - but you say this isn't possible.

    What I suppose you can do is have the user supply their credentials using a
    non-HTTP based authentication mechanism (e.g. an HTML form). Your ASP.NET app
    can pass that to the backend server, which in turn can verify the
    credentials against Active Directory. However, if the backend server is
    expecting a Kerberos ticket, then this will be difficult, because the IIS
    box needs to communicate with the KDC to get a ticket on the user's behalf.

    Cheers
    Ken

    "Pete" <> wrote in message
    news:...
    > Is it possible to implement a 2-tier ASP.NET app with delegation to
    > the back-end without authenticating the user at the middle-tier?
    >
    > I have IIS running a presentation application that needs to delegate
    > Kerberos authentication to a proprietary back-end (non-Windows)
    > server. The kicker is that the presentation server is not connected to
    > the Authentication Server/KDC, so it cannot authenticate the user. The
    > client, presentation server and back-end server are all connected on a
    > private LAN, but only the client & back-end are on the intranet. I
    > want the client to provide credentials (ticket) to the middle-tier,
    > who in turn provides those same credentials to the back-end, without
    > the middle-tier doing any authentication himself. I can't find a way
    > to do this.
    >
    > Thanks,
    > Pete
     
    Ken Schaefer, Nov 16, 2004
    #2
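Added example, not part of the original thread: a toy Python model of the constraint discussed above, showing that a ticket issued for the web tier is useless at the back-end and that obtaining a back-end ticket requires the web tier to reach the KDC. The principal names, keys and the HMAC seal (standing in for real Kerberos ticket encryption) are constructed assumptions, and the model assumes the web tier holds its own service key.

```python
import hashlib
import hmac
import json


class KDC:
    """Toy KDC holding each service's long-term key (constructed values)."""

    def __init__(self, service_keys, reachable_from):
        self.keys = service_keys
        self.reachable_from = set(reachable_from)

    def issue_ticket(self, requester, user, service):
        # Every ticket request is a network exchange with the KDC.
        if requester not in self.reachable_from:
            raise ConnectionError(f"{requester} cannot reach the KDC")
        body = json.dumps({"user": user, "service": service}, sort_keys=True)
        # Real Kerberos encrypts the ticket under the target service's key;
        # an HMAC under that key stands in for it here.
        seal = hmac.new(self.keys[service], body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "seal": seal}


def accept(ticket, service_name, service_key):
    """A service accepts only tickets sealed under its own key and name."""
    expected = hmac.new(service_key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["seal"]):
        return False
    return json.loads(ticket["body"])["service"] == service_name


def run_scenario(web_can_reach_kdc):
    keys = {"HTTP/web": b"web-key-constructed", "app/backend": b"backend-key-constructed"}
    reach = {"client"} | ({"HTTP/web"} if web_can_reach_kdc else set())
    kdc = KDC(keys, reach)
    # The client, which is on the intranet, gets a ticket for the web tier.
    web_ticket = kdc.issue_ticket("client", "pete", "HTTP/web")
    result = {
        "web_accepts": accept(web_ticket, "HTTP/web", keys["HTTP/web"]),
        # Passing the same ticket straight through to the back-end fails.
        "backend_accepts_forwarded": accept(web_ticket, "app/backend", keys["app/backend"]),
    }
    try:
        # Delegation: the web tier asks the KDC for a back-end ticket for the user.
        back_ticket = kdc.issue_ticket("HTTP/web", "pete", "app/backend")
        result["delegated"] = accept(back_ticket, "app/backend", keys["app/backend"])
    except ConnectionError:
        result["delegated"] = False
    return result
```

The model omits the KDC-side check that the web tier is trusted for delegation; it only shows where the KDC round trip is unavoidable.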