Velocity Reviews - Computer Hardware Reviews

Kerberos

 
 
Reza
 
      05-09-2005
Hi

An administrator from the trusted forest connects to my web application in
the trusting forest. Surely he can do it because of the trust. In my web
page I tried to impersonate as him and create a global group in his forest.
Since he is an administrator he must be able to do it but here I get an
error. I did the same thing through a desktop application which I Run As him
in my forest (trusting forest) and it works fine. Why can't I do it through
web? His account is NOT (sensitive and can
not be delegated) and my IIS computer is trusted for delegation so everything
is fine for delegation. Another test is that when I change security in IIS to
Basic Authentication it works but in Integrated Windows it is not working.
That made me think it is probably because of Kerberos. Documentation says
delegation for Kerberos needs all computers to be in the same forest. I ran
the same test in a single forest again with the same result. The error is
nonspecific: (Operation error) which is raised by Directory Service class of
.Net. There is no Access Denied or any other meaningful thing. I am really
confused!! Can somebody help me please?

Thanks
Reza


 
 
 
 
 
Joe Kaplan (MVP - ADSI)
 
      05-10-2005
Can you please post the code? That would be very helpful. Also, it helps
to mention S.DS in the subject with issues like this if you want the
Directory Services MVPs to notice.

Another good idea would be to verify whether your DirectoryEntry is getting
mutually authenticated. This requires some COM interop using the
IADsObjectOptions with the ADS_OPTION_MUTUAL_AUTH_STATUS (4) flag passed in.
It will tell you true/false whether you got a Kerberos bind or not.

HTH,

Joe K.

"Reza" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi
>
> An administrator from the trusted forest connects to my web application in
> the trusting forest. Surely he can do it because of the trust. In my web
> page I tried to impersonate as him and create a global group in his
> forest.
> Since he is an administrator he must be able to do it but here I get an
> error. I did the same thing through a desktop application which I Run As
> him
> in my forest (trusting forest) and it works fine. Why can't I do it
> through
> web? His account is NOT (sensitive and can
> not be delegated) and my IIS computer is trusted for delegation so
> everything
> is fine for delegation. Another test is that when I change security in IIS
> to
> Basic Authentication it works but in Integrated Windows it is not working.
> That made me think it is probably because of Kerberos. Documentation says
> delegation for Kerberos needs all computers to be in the same forest. I
> ran
> the same test in a single forest again with the same result. The error is
> nonspecific: (Operation error) which is raised by Directory Service class
> of
> .Net. There is no Access Denied or any other meaningful thing. I am really
> confused!! Can somebody help me please?
>
> Thanks
> Reza
>
>
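
The mutual-authentication check suggested in the reply above, as an added C# example (not code from either poster). The class and method names and the LDAP path are hypothetical, `ISC_RET_MUTUAL_AUTH` (0x2) is the SSPI flag from Sspi.h that the option's value is tested against, and the example assumes the late-bound `DirectoryEntry.Invoke("GetOption", ...)` route to `IADsObjectOptions` instead of a typed ActiveDs interop reference.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

public static class BindDiagnostics   // hypothetical helper, not a framework type
{
    // ADSI option id named in the reply, and the SSPI flag its value is tested against.
    const int ADS_OPTION_MUTUAL_AUTH_STATUS = 4;
    const int ISC_RET_MUTUAL_AUTH = 0x00000002;

    // True when the LDAP bind behind 'entry' was mutually authenticated.
    public static bool IsMutuallyAuthenticated(DirectoryEntry entry)
    {
        // Force the bind first; the status is only meaningful on a bound object.
        // A failed bind surfaces here as a COMException.
        entry.RefreshCache();

        // Late-bound call to IADsObjectOptions::GetOption on the native ADSI object.
        object raw = entry.Invoke("GetOption",
            new object[] { ADS_OPTION_MUTUAL_AUTH_STATUS });
        int flags = Convert.ToInt32(raw);
        return (flags & ISC_RET_MUTUAL_AUTH) == ISC_RET_MUTUAL_AUTH;
    }

    // Call from the page while impersonating the browser user, e.g.
    //   BindDiagnostics.Describe("LDAP://dc01.example.com/DC=example,DC=com")
    // (placeholder path). Compare the output under Basic and Integrated Windows.
    public static string Describe(string ldapPath)
    {
        // Identity the thread is running as at this moment (the impersonated
        // user when impersonation is active, otherwise the process identity).
        WindowsIdentity caller = WindowsIdentity.GetCurrent();

        // Null credentials plus Secure: bind as the current thread identity.
        using (DirectoryEntry entry = new DirectoryEntry(
            ldapPath, null, null, AuthenticationTypes.Secure))
        {
            bool mutual = IsMutuallyAuthenticated(entry);
            // Token level "Delegation" is what allows the hop to a remote server;
            // "Impersonation" is limited to resources on the web server itself.
            return String.Format(
                "thread identity={0}; logon auth={1}; token level={2}; mutual auth={3}",
                caller.Name, caller.AuthenticationType,
                caller.ImpersonationLevel, mutual);
        }
    }
}
```

HTML-encode the returned string before writing it to the page, and remove the diagnostic once the bind type is confirmed.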



 