Delegation user's credential from webserver to backend server through terminal service

[culeno]

I have an intranet application within a domain. Following the KB
article: How to configure an ASP.NET application for a delegation
scenario
(http://support.microsoft.com/default.aspx?scid=kb;en-us;810572) allows
us to impersonate user's credential from the web server to the back end
server (SQL and Reporting service server). It works fine if user logs
in within the domain and launch the application.

The problem happens when the users work at home and use Windows 2003
terminal service (not in the same domain as the web app and SQL) to log
on, and then launch the web app. We noticed that the authentication
method is NTLM instead of Kerberos when accessing the web app through
the terminal service (since they don't belong to the same domain).
Maybe this is the reason why the delegation doesn't work anymore? Can
anybody tell me how to make it work?

Thanks.
Jerry

 

[Joe Kaplan \(MVP - ADSI\)]

Delegation is a Kerberos feature, so that would stand to reason. I'd work
with your admins to see if you can get the terminal services machines to use
Kerberos. Otherwise, your strategy won't work in that configuration.

Joe K.

 

[culeno]

Thanks Joe for your answering. Can you point me to some articles on how
to enable Kerberos between two domains (or between a machine and a
domain)?

Jerry

 

[Joe Kaplan \(MVP - ADSI\)]

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

This is the best Kerb paper I know of. You'll probably need some help from
your network and AD admins on this as well. There must at the very least by
a trust relationship between the two domains. That much I know for sure.

Joe K.