RE: [ActiveDir] Cross-Forest Kerberos Delegation

2007-01-01 Thread Ken Schaefer
Hi Steve,

Are you sure about this?

I have the ISA Server, IIS Server and App Server in Forest1

If I log on to the client machine using a user from Forest1, then everything
works fine (I can see all the Kerberos stuff happening in Ethereal captures).

If I log on to the client machine using a user from Forest2, then I get a 403
that appears to come from ISA Server (nothing gets to the IIS server at all).

The above two happen regardless of whether the client machine is in Forest1
or Forest2.

The only thing I can think of is that User2 belongs to a different forest,
and because ISA Server supports constrained delegation only, this is stopping
things from working.

Cheers
Ken
 
--
www.adopenstatic.com/cs/blogs/ken/

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of steve patrick
: Sent: Saturday, 30 December 2006 11:11 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation

Re: [ActiveDir] Cross-Forest Kerberos Delegation

2007-01-01 Thread steve patrick

I'm sure.

If you want to ping me off list I can work with you on this.
Let me know what time is good for you this week (maybe a phone call / live
meeting, and I can also set up something similar to what you have
beforehand).


steve


- Original Message - 
From: Ken Schaefer [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Monday, January 01, 2007 3:07 AM
Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation



Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-29 Thread steve patrick

Hi Ken

Based on your mail you seem to have the following setup:

F1                             F2
|                              |
M1--- ISA--- IIS---AppServer   UserA


UserA logs on to M1 and hits the IIS Server which needs to access AppServer 
with a proper token for UserA


In this scenario - constrained delegation will work ok.

Perhaps Joe was thinking of the docs which state you have to have the IIS 
Server and the AppServer in the same forest and domain?


steve



- Original Message - 
From: Ken Schaefer [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, December 19, 2006 4:58 PM
Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation



Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-29 Thread steve patrick

Wow, that turned out ugly, didn't it?

Basically it should have shown that all machines are in one domain in
Forest1 and the user account is in Forest 2 and F1 trusts F2.

Sorry for the long delay in reply also - I was on vacation ...

Happy New Years!

steve

- Original Message - 
From: steve patrick [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, December 29, 2006 4:07 PM
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation




Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-29 Thread Joe Kaplan
That is what I was thinking of.  I couldn't find where I read that and went 
from memory.  Thanks for the clarification.


Joe K.

- Original Message - 
From: steve patrick [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, December 29, 2006 6:07 PM
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-19 Thread tech4steve
If I understand your scenario correctly:

In order for S4U2self (protocol transition) to work in this scenario you will
need a 2-way forest trust.
If you do not need S4U2self you can get by with the one-way trust.

steve
-- Original message -- 
From: Ken Schaefer [EMAIL PROTECTED] 

 Hi all,

 I am looking at a slightly tricky situation, at least for me - I'm sure you
 guys would find this a walk in the park :-)

 I have a situation where there are two forests (2003 Forest Functional
 Level). Each contains a single domain. One domain is a resource domain
 (DomainB), and the other contains the user accounts (DomainA). There is a
 one-way forest trust, such that the resource forest/domain trusts the user
 forest (and domain).

 The situation I have is as follows:

 Client --- ISA Server 2006 --- Web Server --- App Server

 The user that is logged on to the client is from DomainA. All the servers
 belong to DomainB. The user's credentials need to be passed from the web
 server back to the app server. So I could use Basic Authentication all the
 way through. Or I can try to use Kerberos delegation.

 Now, ISA Server can use protocol transition, so that Client --- ISA Server
 can be something other than Kerberos (e.g. forms authentication); however,
 Protocol Transition then requires the use of constrained delegation. Am I
 right in thinking that constrained delegation is limited to accounts in the
 same domain? If so, then the fact that the user is in a different domain to
 the ISA Server will cause this to fail.

 On the other hand, if I didn't use constrained delegation, just regular
 delegation (and no protocol transition), does that work across Forests
 though? I have read conflicting reports on this. I'm having some difficulty
 getting it working, so either the answer is no, or my skills aren't up to
 the task (probably the latter, in combination with the former).

 Cheers
 Ken

 --
 My Blog: www.adOpenStatic.com/cs/blogs/ken
 

RE: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-19 Thread Ken Schaefer
Hi Steve,

Can you elaborate on this? I'm familiar with what S4U2self is for, but not
sure how to tell whether I would need it or not. Are you saying below that
protocol transition can be used cross-forest? I thought protocol transition
was tied to constrained delegation (in a user/computer account's properties,
on the delegation tab there is an option that says any protocol, but that's
only available in the section for constrained delegation). If that's the case,
then how can protocol transition work cross-forest?

Cheers
Ken

--
My Blog: www.adOpenStatic.com/cs/blogs/ken

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 20 December 2006 12:37 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Cc: Ken Schaefer
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation

 


Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-19 Thread Joe Kaplan
My understanding is that you can get the actual protocol transition logon to 
work, but you cannot use delegation (which is what you really need) because 
PT is tied to constrained delegation and it only works in a single domain, 
not even in multiple domains in a forest.  Your understanding is basically 
correct.


This is a documented limitation and not something I've played with 
personally, so I'm not sure if there is more to it than that.


I honestly don't know if this can be made to work with unconstrained 
delegation/kerb auth in IIS, as I've never tried that either.  However, 
giving out unconstrained delegation privileges is a bit icky.


This may be one of those situations where it is easier to just pass the 
plaintext credentials around between the tiers using basic auth/SSL and 
such.


Joe

- Original Message - 
From: Ken Schaefer

To: ActiveDir@mail.activedir.org
Sent: Tuesday, December 19, 2006 5:29 PM
Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation



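Joe's point that unconstrained delegation is "icky" and Ken's question about the delegation tab's "any protocol" option come down to two bits in an account's userAccountControl attribute plus its msDS-AllowedToDelegateTo list. The helper below is an added example, not code from anyone on this thread: it classifies an account's delegation mode from those attributes and flags constrained-delegation targets outside the account's own domain, the same-domain limitation Joe and steve mention. The account names, domains and SPNs are constructed sample data.

```python
"""Audit Kerberos delegation settings on AD accounts (added example, not code
from this thread). Flag values are the documented userAccountControl bits;
the sample records at the bottom are constructed, not real directory data."""
from __future__ import annotations

# userAccountControl bits behind the delegation tab
TRUSTED_FOR_DELEGATION = 0x80000            # "any service (Kerberos only)": unconstrained
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol": protocol transition
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000


def classify_delegation(uac: int, allowed_to_delegate_to: list[str]) -> str:
    """Map userAccountControl plus msDS-AllowedToDelegateTo to a delegation mode.

    Unconstrained delegation is classified first: the account receives the users'
    forwarded TGTs and can reach any service as them, so a target list is moot.
    Constrained delegation is defined by msDS-AllowedToDelegateTo; the "any
    protocol" bit on top of it enables S4U2self (protocol transition), which is
    why the GUI only offers that option under constrained delegation.
    """
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if allowed_to_delegate_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-any-protocol"
        return "constrained-kerberos-only"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # Bit set with no targets: nothing to delegate to, so report it as misconfigured.
        return "protocol-transition-without-targets"
    return "none"


def spn_host_domain(spn: str) -> str | None:
    """DNS domain of an SPN's host part (service/host[:port][/name]), None if NetBIOS."""
    host = spn.split("/", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()
    return host.split(".", 1)[1] if "." in host else None


def cross_domain_targets(account_domain: str, allowed_to_delegate_to: list[str]) -> list[str]:
    """SPNs whose host lies outside the account's own DNS domain.

    Classic (Server 2003 style) constrained delegation needs the front-end account
    and the back-end service in the same domain, the limitation Joe and steve cite.
    """
    return [spn for spn in allowed_to_delegate_to
            if (d := spn_host_domain(spn)) is not None and d != account_domain.lower()]


# Worst mode first; dict order sorts the audit output.
SEVERITY = {
    "unconstrained": "HIGH: holds forwarded TGTs of connecting users and can act as them anywhere",
    "constrained-any-protocol": "MEDIUM: S4U2self lets it act as any user toward its targets; review targets",
    "protocol-transition-without-targets": "MEDIUM: misconfiguration; the bit does nothing without targets",
    "constrained-kerberos-only": "LOW: only forwards tickets users actually presented; review targets",
    "none": "INFO: no delegation",
}


def audit(accounts: list[dict]) -> list[dict]:
    """One finding per account, sorted worst delegation mode first."""
    rows = []
    for acct in accounts:
        targets = acct.get("msDS-AllowedToDelegateTo", [])
        mode = classify_delegation(acct["userAccountControl"], targets)
        rows.append({"account": acct["sAMAccountName"], "mode": mode, "finding": SEVERITY[mode],
                     "cross_domain": cross_domain_targets(acct["domain"], targets)})
    order = list(SEVERITY)
    return sorted(rows, key=lambda r: order.index(r["mode"]))


# Constructed sample records modelled on Ken's tiers (names, domains and SPNs are made up)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "ISA01$", "domain": "domainb.example",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["HTTP/iis01.domainb.example", "HTTP/iis01"]},
    {"sAMAccountName": "svc-webapp", "domain": "domainb.example", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/app01.domainb.example:1433",
                                  "MSSQLSvc/sql02.domaina.example:1433"]},
    {"sAMAccountName": "LEGACY01$", "domain": "domainb.example",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "CLIENT01$", "domain": "domainb.example", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_ACCOUNTS):
        extra = f"  cross-domain targets: {row['cross_domain']}" if row["cross_domain"] else ""
        print(f"{row['account']:12} {row['mode']:38} {row['finding']}{extra}")
```

Against a real forest the same functions can be fed the output of an LDAP search for userAccountControl and msDS-AllowedToDelegateTo on computer and service accounts.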

RE: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-19 Thread Ken Schaefer
Hi Joe,

Thanks for your comments. Certainly using Basic is easier, and this is mostly
what they are doing at the moment. I say mostly because I wasn't entirely
upfront about the web server component in my original diagram. That is
actually several dozen different web applications - some of which do not have
an option to use Basic (either technical limitation -or- a security
standard). The aim of the project is to (a) see if transparent logons can be
made available to users (i.e. via IWA challenges) and (b) see if SSO can be
enabled (so users do not need to authenticate to different applications
behind the proxy) and (c) get away from Basic Auth. So I'm going to have to
keep looking at Kerberos related solutions :-)

Cheers
Ken

--
My Blog: www.adOpenStatic.com/cs/blogs/ken


: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Joe Kaplan
: Sent: Wednesday, 20 December 2006 10:41 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
: 
: My understanding is that you can get the actual protocol transition
: logon to
: work, but you cannot use delegation (which is what you really need)
: because
: PT is tied to constrained delegation and it only works in a single
: domain,
: not even in multiple domains in a forest.  Your understanding is
: basically
: correct.
: 
: This is a documented limitation and not something I've played with
: personally, so I'm not sure if there is more to it than that.
: 
: I honestly don't know if this can be made to work with unconstrained
: delegation/kerb auth in IIS, as I've never tried that either.  However,
: giving out unconstrained delegation privileges is a bit icky.
: 
: This may be one of those situations where it is easier to just pass the
: plaintext credentials around between the tiers using basic auth/SSL and
: such.
: 
: Joe
: 
: - Original Message -
: From: Ken Schaefer
: To: ActiveDir@mail.activedir.org
: Sent: Tuesday, December 19, 2006 5:29 PM
: Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation
: 
: 
: Hi Steve,
: 
: Can you elaborate on this? I'm familiar with what S4U2self is for, but not
: sure how to tell whether I would need it or not. Are you saying below that
: protocol transition can be used cross-forest? I thought protocol transition
: was tied to constrained delegation (in a user/computer account's properties,
: on the delegation tab there is an option that says any protocol, but that's
: only available in the section for constrained delegation). If that's the
: case, then how can protocol transition work cross-forest?
: 
: Cheers
: Ken
: 
: --
: My Blog: www.adOpenStatic.com/cs/blogs/ken
: 
: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
: Sent: Wednesday, 20 December 2006 12:37 AM
: To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
: Cc: Ken Schaefer
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
: 
: If I understand your scenario correctly 
: 
: In order for S4U2self (protocol transition) to work in this scenario you
: will need a 2-way forest trust.
: If you do not need S4U2self you can get by with the one-way trust.
: 
: steve
: -- Original message --
: From: Ken Schaefer [EMAIL PROTECTED]
: 
:  Hi all,
: 
:  I am looking at a slightly tricky situation, at least for me - I'm sure
:  you guys would find this a walk in the park :-)
: 
:  I have a situation where there are two forests (2003 Forest Functional
:  Level). Each contains a single domain. One domain is a resource domain
:  (DomainB), and the other contains the user accounts (DomainA). There is a
:  one-way forest trust, such that the resource forest/domain trusts the user
:  forest (and domain).
: 
:  The situation I have is as follows:
: 
:  Client --- ISA Server 2006 --- Web Server --- App Server
: 
:  The user that is logged on to the client is from DomainA. All the servers
:  belong to DomainB. The user's credentials need to be passed from the web
:  server back to the app server. So I could use Basic Authentication all the
:  way through. Or I can try to use Kerberos delegation.
: 
:  Now, ISA Server can use protocol transition, so that Client --- ISA Server
:  can be something other than Kerberos (e.g. forms authentication), however
:  Protocol Transition then requires the use of constrained delegation. Am I
:  right in thinking that constrained delegation is limited to accounts in the
:  same domain? If so, then the fact that the user is in a different domain to
:  the ISA Server will cause this to fail.
: 
:  On the other hand, if I didn't use constrained delegation, just regular
:  delegation (and no protocol transition), does that work across Forests
:  though? I have read conflicting reports on this. I'm having some difficulty
:  getting it working, so either the answer is no, or my skills aren't up to
:  the task (probably the latter

[ActiveDir] Cross-Forest Kerberos Delegation

2006-12-18 Thread Ken Schaefer
Hi all,

I am looking at a slightly tricky situation, at least for me - I'm sure you
guys would find this a walk in the park :-)

I have a situation where there are two forests (2003 Forest Functional
Level). Each contains a single domain. One domain is a resource domain
(DomainB), and the other contains the user accounts (DomainA). There is a
one-way forest trust, such that the resource forest/domain trusts the user
forest (and domain).

The situation I have is as follows:

Client --- ISA Server 2006 --- Web Server --- App Server

The user that is logged on to the client is from DomainA. All the servers
belong to DomainB. The user's credentials need to be passed from the web
server back to the app server. So I could use Basic Authentication all the
way through. Or I can try to use Kerberos delegation.

Now, ISA Server can use protocol transition, so that Client --- ISA Server
can be something other than Kerberos (e.g. forms authentication), however
Protocol Transition then requires the use of constrained delegation. Am I
right in thinking that constrained delegation is limited to accounts in the
same domain? If so, then the fact that the user is in a different domain to
the ISA Server will cause this to fail.

On the other hand, if I didn't use constrained delegation, just regular
delegation (and no protocol transition), does that work across Forests
though? I have read conflicting reports on this. I'm having some difficulty
getting it working, so either the answer is no, or my skills aren't up to
the task (probably the latter, in combination with the former).

Cheers
Ken

--
My Blog: www.adOpenStatic.com/cs/blogs/ken
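An added audit helper (example code, not from anyone in this thread) for the three delegation settings the question turns on: it reads the two LDAP attributes the Delegation tab writes, userAccountControl and msDS-AllowedToDelegateTo, reports whether the account is set to no delegation, unconstrained delegation, constrained delegation (Kerberos only) or constrained delegation with protocol transition (the "any protocol" option, stored as the TRUSTED_TO_AUTH_FOR_DELEGATION bit), and lists targets whose DNS domain differs from the account's own, which is the single-domain limit discussed above. The SPNs and domain names in the sample are constructed.

```python
"""Classify an AD account's Kerberos delegation settings (added example, not
code from the thread). Input: the userAccountControl and
msDS-AllowedToDelegateTo attributes that the Delegation tab writes."""
from dataclasses import dataclass, field

# Documented userAccountControl bits (ADS_USER_FLAG_ENUM).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2self)


@dataclass
class DelegationReport:
    mode: str                    # none | unconstrained | constrained | constrained-pt
    targets: list = field(default_factory=list)       # msDS-AllowedToDelegateTo
    cross_domain: list = field(default_factory=list)  # targets outside account's domain


def spn_host(spn):
    """Return the lower-cased host of an SPN such as HTTP/web.example:8080/site."""
    host = spn.split("/", 1)[1] if "/" in spn else spn
    host = host.split("/", 1)[0]          # drop the optional service-name suffix
    return host.split(":", 1)[0].lower()  # drop the optional port


def classify_delegation(uac, allowed_to_delegate_to, account_domain):
    targets = list(allowed_to_delegate_to)
    if uac & TRUSTED_FOR_DELEGATION:
        mode = "unconstrained"   # any service; front end must be Kerberos
    elif uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        mode = "constrained-pt"  # target list plus protocol transition
    elif targets:
        mode = "constrained"     # target list; front end must be Kerberos
    else:
        mode = "none"
    domain = account_domain.lower()
    # An unqualified (NetBIOS) target host is assumed to be in the account's domain.
    cross = [s for s in targets if "." in spn_host(s)
             and not spn_host(s).endswith("." + domain)]
    return DelegationReport(mode, targets, cross)


if __name__ == "__main__":
    # Constructed sample: a DomainB service account with protocol transition on
    # and one target pointing into DomainA (the cross-domain case from the thread).
    print(classify_delegation(TRUSTED_TO_AUTH_FOR_DELEGATION | 0x200,
        ["HTTP/appserver.domainb.example", "MSSQLSvc/db.domaina.example:1433"],
        "domainb.example"))
```

Run it against the attributes exported from each service account in the resource domain; any "unconstrained" result or non-empty cross_domain list is the configuration worth reviewing first.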

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/