I'm sure.

If you want to ping me off list I can work with you on this....
Let me know what time is good for you this week (maybe a phone call / live meeting, and I can also set up something similar to what you have beforehand).

steve


----- Original Message -----
From: "Ken Schaefer" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Monday, January 01, 2007 3:07 AM
Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation


Hi Steve,

Are you sure about this?

I have the ISA Server, IIS Server and App Server in Forest1

If I logon to the client machine using a user from Forest1, then everything
works fine (I can see all the Kerberos stuff happening in Ethereal captures)

If I logon to the client machine using a user from Forest2, then I get a 403 that appears to come from ISA Server (nothing gets to the IIS server at all).

The above two happen regardless of whether the client machine is in Forest1
or Forest2.

The only thing I can think of is that User2 belongs to a different forest,
and because ISA Server supports constrained delegation only, this is stopping
things from working.

Cheers
Ken

--
www.adopenstatic.com/cs/blogs/ken/

: -----Original Message-----
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of steve patrick
: Sent: Saturday, 30 December 2006 11:11 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
:
: Wow that turned out ugly didn't it?
:
: Basically it should have shown that all machines are in one domain in
: Forest1 and the user account is in Forest 2 and F1 trusts F2.
:
: Sorry for the long delay in reply also - I was on vacation ...
:
: Happy New Years!
:
: steve
:
: ----- Original Message -----
: From: "steve patrick" <[EMAIL PROTECTED]>
: To: <ActiveDir@mail.activedir.org>
: Sent: Friday, December 29, 2006 4:07 PM
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
:
:
: > Hi Ken
: >
: > Based on your mail you seem to have the following setup:
: >
: >
: > F1--------------------------------------------------------> F2
: >                         | |
: > M1---> ISA---> IIS--->AppServer UserA
: >
: >
: > UserA logs on to M1 and hits the IIS Server which needs to access
: > AppServer with a proper token for UserA
: >
: > In this scenario - constrained delegation will work ok.
: >
: > Perhaps Joe was thinking of the docs which state you have to have the
: > IIS Server and the AppServer in the same forest and domain?
: >
: > steve
: >
: >
: >
: > ----- Original Message -----
: > From: "Ken Schaefer" <[EMAIL PROTECTED]>
: > To: <ActiveDir@mail.activedir.org>
: > Sent: Tuesday, December 19, 2006 4:58 PM
: > Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation
: >
: >
: > Hi Joe,
: >
: > Thanks for your comments. Certainly using Basic is easier, and this is
: > mostly what they are doing at the moment. I say mostly because I wasn't
: > entirely upfront about the "web server" component in my original diagram.
: > That is actually several dozen different web applications - some of which
: > do not have an option to use Basic (either technical limitation -or- a
: > security standard). The aim of the project is to (a) see if transparent
: > logons can be made available to users (i.e. via IWA challenges) and (b) see
: > if SSO can be enabled (so users do not need to authenticate to different
: > applications behind the proxy) and (c) get away from Basic Auth. So I'm
: > going to have to keep looking at Kerberos related solutions :-)
: >
: > Cheers
: > Ken
: >
: > --
: > My Blog: www.adOpenStatic.com/cs/blogs/ken
: >
: >
: > : -----Original Message-----
: > : From: [EMAIL PROTECTED] [mailto:ActiveDir-
: > : [EMAIL PROTECTED] On Behalf Of Joe Kaplan
: > : Sent: Wednesday, 20 December 2006 10:41 AM
: > : To: ActiveDir@mail.activedir.org
: > : Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
: > :
: > : My understanding is that you can get the actual protocol transition
: > : logon to work, but you cannot use delegation (which is what you really
: > : need) because PT is tied to constrained delegation and it only works in
: > : a single domain, not even in multiple domains in a forest. Your
: > : understanding is basically correct.
: > :
: > : This is a documented limitation and not something I've played with
: > : personally, so I'm not sure if there is more to it than that.
: > :
: > : I honestly don't know if this can be made to work with unconstrained
: > : delegation/kerb auth in IIS, as I've never tried that either. However,
: > : giving out unconstrained delegation privileges is a bit icky.
: > :
: > : This may be one of those situations where it is easier to just pass the
: > : plaintext credentials around between the tiers using basic auth/SSL and
: > : such.
: > :
: > : Joe
: > :
: > : ----- Original Message -----
: > : From: Ken Schaefer
: > : To: ActiveDir@mail.activedir.org
: > : Sent: Tuesday, December 19, 2006 5:29 PM
: > : Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation
: > :
: > :
: > : Hi Steve,
: > :
: > : Can you elaborate on this? I'm familiar with what S4U2self is for, but
: > : not sure how to tell whether I would need it or not. Are you saying
: > : below that protocol transition can be used cross-forest? I thought
: > : protocol transition was tied to constrained delegation (in a
: > : user/computer account's properties, on the delegation tab there is an
: > : option that says "any protocol", but that's only available in the
: > : section for constrained delegation). If that's the case, then how can
: > : protocol transition work cross-forest?
: > :
: > : Cheers
: > : Ken
: > :
: > : --
: > : My Blog: www.adOpenStatic.com/cs/blogs/ken
: > :
: > : From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
: > : Sent: Wednesday, 20 December 2006 12:37 AM
: > : To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
: > : Cc: Ken Schaefer
: > : Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
: > :
: > : If I understand your scenario correctly ....
: > :
: > : In order for S4U2self ( protocol transition ) to work in this scenario
: > : you will need a 2 way forest trust.
: > : If you do not need S4U2self you can get by with the one way trust.
: > :
: > : steve
: > : -------------- Original message --------------
: > : From: "Ken Schaefer" <[EMAIL PROTECTED]>
: > :
: > : > Hi all,
: > : >
: > : > I am looking at a slightly tricky situation, at least for me - I'm
: > : > sure you guys would find this a "walk in the park" :-)
: > : >
: > : > I have a situation where there are two forests (2003 Forest Functional
: > : > Level). Each contains a single domain. One domain is a resource domain
: > : > (DomainB), and the other contains the user accounts (DomainA). There
: > : > is a one-way forest trust, such that the resource forest/domain trusts
: > : > the user forest (and domain).
: > : >
: > : > The situation I have is as follows:
: > : >
: > : > Client ---> ISA Server 2006 ---> Web Server ---> App Server
: > : >
: > : > The user that is logged on to the client is from DomainA. All the
: > : > servers belong to DomainB. The user's credentials need to be passed
: > : > from the web server back to the app server. So I could use Basic
: > : > Authentication all the way through. Or I can try to use Kerberos &
: > : > delegation.
: > : >
: > : > Now, ISA Server can use protocol transition, so that Client ---> ISA
: > : > Server can be something other than Kerberos (e.g. forms
: > : > authentication), however Protocol Transition then requires the use of
: > : > constrained delegation. Am I right in thinking that constrained
: > : > delegation is limited to accounts in the same domain? If so, then the
: > : > fact that the user is in a different domain to the ISA Server will
: > : > cause this to fail.
: > : >
: > : > On the other hand, if I didn't use constrained delegation, just
: > : > regular delegation (and no protocol transition), does that work across
: > : > Forests though? I have read conflicting reports on this. I'm having
: > : > some difficulty getting it working, so either the answer is "no", or
: > : > my skills aren't up to the task (probably the latter, in combination
: > : > with the former).
: > : >
: > : > Cheers
: > : > Ken
: > : >
: > : > --
: > : > My Blog: www.adOpenStatic.com/cs/blogs/ken
: >
: > List info   : http://www.activedir.org/List.aspx
: > List FAQ    : http://www.activedir.org/ListFAQ.aspx
: > List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
:
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
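The thread turns on which delegation mode the ISA/IIS service accounts are actually in (unconstrained, constrained, or constrained with protocol transition) and whether the delegation targets sit in another domain. The following PowerShell audit is an added example, not code from any poster on the list: it reads the same attributes the ADUC Delegation tab writes (the TRUSTED_FOR_DELEGATION and TRUSTED_TO_AUTH_FOR_DELEGATION bits of userAccountControl, and the msDS-AllowedToDelegateTo target list behind "specified services only") and classifies every account that has any of them set, flagging unconstrained delegation, which Joe calls "icky". It assumes the RSAT ActiveDirectory module, read access to the resource domain (DomainB in Ken's setup), and a placeholder DC name dc1.domainb.example that you replace with your own.

```powershell
# Added delegation audit (not from the thread). Requires the RSAT ActiveDirectory module.
# Assumption: run with read rights against the resource domain; -Server is a placeholder.
Import-Module ActiveDirectory

# userAccountControl bits behind the ADUC Delegation tab
$TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust ... for delegation to any service" (unconstrained)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition / S4U2self)

function Get-DelegationAudit {
    param(
        [string]$Server = 'dc1.domainb.example'   # placeholder: a DC of the domain you are auditing
    )

    # LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 selects objects with either flag set;
    # msDS-AllowedToDelegateTo=* catches constrained delegation that is Kerberos-only (no transition).
    $filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" +
              "(msDS-AllowedToDelegateTo=*))"

    Get-ADObject -Server $Server -LDAPFilter $filter `
        -Properties userAccountControl, msDS-AllowedToDelegateTo, servicePrincipalName |
      ForEach-Object {
        $uac           = [int]$_.userAccountControl
        $unconstrained = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
        $anyProtocol   = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        # Piping through Where-Object turns an absent attribute into an empty array, not @($null)
        $targets = @($_.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $spns    = @($_.servicePrincipalName        | Where-Object { $_ })

        $type = if ($unconstrained)        { 'Unconstrained' }
                elseif ($anyProtocol)      { 'Constrained + protocol transition' }
                elseif ($targets.Count -gt 0) { 'Constrained (Kerberos only)' }
                else                       { 'Unclassified' }

        [pscustomobject]@{
            Name        = $_.Name
            ObjectClass = $_.ObjectClass
            Delegation  = $type
            # Each target is an SPN; compare its host's domain with the account's own domain
            # to see whether the delegation path crosses the domain boundary discussed above.
            AllowedTo   = ($targets -join '; ')
            SPNs        = ($spns -join '; ')
            Flag        = if ($unconstrained) { 'REVIEW: unconstrained delegation' } else { '' }
        }
      }
}

Get-DelegationAudit | Sort-Object Delegation, Name | Format-Table -AutoSize
```

Run it once per domain (once per forest side in a trust setup) and keep the output as a baseline; an account that moves from "Constrained (Kerberos only)" to "Constrained + protocol transition" or to "Unconstrained" is a change worth a ticket, because each step widens what that service can obtain on a user's behalf.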