Sorry, it's me again.
I found this (taken from IIS6 resource kit - Managing a Secure IIS 6.0
Solution):
Constrained delegation is particularly useful in scenarios in which a site
that requires authentication - a site that does not allow anonymous access -
contains content that is housed on a remote UNC file server. With
constrained delegation, you can enable Integrated Windows authentication,
which can use NTLM authentication or send credentials across the network as
a Kerberos token. For more information about Integrated Windows
authentication, see "Integrated Windows Authentication" earlier in this
chapter.
If you do not use constrained delegation but you enable Integrated Windows
authentication, the token that the Web server obtains from the security
infrastructure of Windows does not have sufficient permissions to access
another computer, such as your file server. However, with constrained
delegation and Integrated Windows authentication, the token received by the
Web server from the security infrastructure of Windows is a Kerberos-based
token with permission to access other computers, including the file server.
Essentially, constrained delegation allows an NTLM-based token to be
upgraded to a Kerberos-based token.
Do I misunderstand this? This is what I want to do...
cu
Bjoern
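The resource kit passage above describes the Active Directory side of the setup; what follows is an added example of that configuration, not code from the thread or from the resource kit. It assumes a hypothetical domain CORP (corp.example), a web server web01 whose application pool runs as a dedicated domain account svc-web, a SQL Server on sql01 listening on 1433, and a UNC file server fs01; it also assumes the ActiveDirectory PowerShell module (RSAT), which did not exist in the Windows 2003 era but does the same thing as editing the Delegation tab in AD Users and Computers. Constrained delegation needs the domain at Windows Server 2003 functional level or higher. Note that "allow delegation for this machine" on the computer object, as tried in the original post further down, is unconstrained delegation, which lets the web server impersonate any user to any service; the script limits the web account to exactly the two back-end SPNs instead.

```powershell
# Added example: Kerberos constrained delegation for an IIS application pool
# account, so the impersonated site user's identity survives the second hop
# to SQL Server and to UNC content on a remote file server.
# All names are hypothetical: domain CORP / corp.example, web server web01,
# app pool account svc-web, SQL host sql01, file server fs01.
# Requires the ActiveDirectory module and rights to modify these objects.

Import-Module ActiveDirectory

$webAccount  = 'svc-web'                  # app pool identity (also a member of IIS_WPG on web01)
$webSpns     = @('HTTP/web01', 'HTTP/web01.corp.example')
$backendSpns = @(
    'MSSQLSvc/sql01.corp.example:1433',   # must already be registered on the SQL service account
    'cifs/fs01.corp.example'              # the file server's CIFS service (its computer account)
)

# 1. Register the HTTP SPNs on the app pool account. Without a matching SPN the
#    browser cannot obtain a service ticket for the site, Integrated Windows
#    authentication falls back to NTLM, and there is nothing to delegate.
Set-ADUser -Identity $webAccount -ServicePrincipalNames @{ Add = $webSpns }

# 2. Constrain delegation to exactly the back-end services. This writes
#    msDS-AllowedToDelegateTo; it does not set the "trust for delegation to any
#    service" (unconstrained) flag on the account.
Set-ADUser -Identity $webAccount -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpns }

# 3. Protocol transition: lets a user who reached IIS over NTLM still be
#    forwarded to the back end as a Kerberos ticket (the "NTLM-based token
#    upgraded to a Kerberos-based token" the resource kit describes).
#    Leave this off if every client can do Kerberos; with it on, the web
#    account can obtain tickets for the listed targets on behalf of any user
#    without that user ever having authenticated with Kerberos.
Set-ADAccountControl -Identity $webAccount -TrustedToAuthForDelegation $true

# 4. Verify the result. Also check the flag a user can carry on their own
#    account: "Account is sensitive and cannot be delegated" blocks the second
#    hop for that user regardless of the web account's settings.
$acct = Get-ADUser -Identity $webAccount -Properties `
    'msDS-AllowedToDelegateTo', 'ServicePrincipalNames',
    'AccountNotDelegated', 'TrustedToAuthForDelegation', 'TrustedForDelegation'

[pscustomobject]@{
    Account                = $acct.SamAccountName
    Spns                   = $acct.ServicePrincipalNames -join ', '
    DelegateTo             = $acct.'msDS-AllowedToDelegateTo' -join ', '
    ProtocolTransition     = $acct.TrustedToAuthForDelegation
    Unconstrained          = $acct.TrustedForDelegation      # should stay False
    SensitiveNoDelegate    = $acct.AccountNotDelegated       # must be False on the web account
} | Format-List
```

On the web server itself nothing changes from what the original post already has: Integrated Windows authentication as the only enabled method, the application pool running as svc-web, and `<identity impersonate="true"/>` in web.config so the request thread carries the caller's token. To confirm the second hop is really Kerberos rather than a fallback, on SQL Server 2005 or later a query of `sys.dm_exec_connections` from within the web application shows `auth_scheme` as KERBEROS for the impersonated connection; NTLM there means an SPN is missing or the delegation settings did not take effect.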
"Bjoern Wolfgardt" <gi***************@removeme-cigate.de> wrote in
message news:u1**************@TK2MSFTNGP10.phx.gbl...
Thx,
I thought this is one of the key features of Kerberos (which integrated
authentication will use). And a look at AD Users and Computers on the
delegation tab will show that it requires Kerberos.
Do you have any good articles about this ???
cu
Bjoern
"bruce barker" <no***********@safeco.com> wrote in message
news:O%****************@TK2MSFTNGP09.phx.gbl...
your scenario will not work with iis5 or iis6.0. a search of this
newsgroup will give you lots of answers.
the short answer is windows authentication does not support delegation
(passing credentials from one server to another) and is limited to the
one hop rule: only a primary token can be passed to a second server. windows
authentication on iis (all versions) gives the thread a secondary
(impersonation) token which cannot be used to access any network
resource.
your only option is basic (which gives iis a primary token), or digest
which supports delegation. digest requires AD and delegation to be enabled
(default is off).
-- bruce (sqlwork.com)
"Bjoern Wolfgardt" <gi***************@removeme-cigate.de> wrote in
message news:#r**************@TK2MSFTNGP09.phx.gbl...
Hi NG,
I have written some Apps in ASP.NET that access a SQL Server on
another machine. I never had a problem doing this in IIS5(.1).
Most Apps are Intranet Application where I use the integrated windows
authentication. So my webconfig uses <identity impersonate="true"/>.
My Problem is that I now had to install one app on a Windows 2003 Server.
I tried to run my app but I always get the error that anonymous access
is not allowed.
So here is what I did right now:
- I tried to create a new AppPool. I assigned the app to the new AppPool.
I changed the Identity to 'local system'. I allowed delegation for this
machine (the iis machine). Same Error.
- I configured the AppPool to use my account and added my account to
the local group (IIS_WPG). After that I was prompted to enter my
credentials if I access the website. But my creds are not accepted.
I have to use integrated windows authentication (and it's the only
authentication that is enabled).
If I use simple authentication (I did to test it) all works fine.
btw: Impersonation works. I checked
System.Web.HttpContext.Current.User.Identity.Name and it is the user
that accesses the website.
thx in advance
Bjoern