RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Roger Seielstad



Speaking of being here next week - keep me informed on the activities...

Roger Seielstad
E-mail Geek



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation


Yeah I'm not sure about that either; at the moment IIS is REALLY ACTING WEIRD. KEN where are you :P

I had the Share Point website in the IIS MMC specify SPSAppPool (which was an App pool I created); when I checked the MetaBase.XML file (you know I love looking at the guts of systems :) ) it was still specifying DefaultAppPool (and I mean I had rebooted the server a few times). Also DO NOT RUN:

    Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"
    Iisreset

I know it seems logical but I KEPT the quotations in there and what it ended up doing was:

    "Negotiate,NTLM"    ***Note the double quotes

And all auth was being defaulted to Anonymous (thank heavens for a network sniffer :) )

Even though I fixed these issues and I have made sure my Metabase.xml file is correct with Negotiate,NTLM and with the correct App Pool with the correct user etc., when I run AuthDiag the only Test Authentication option I get is NTLM; the Server Settings Node though specifies Negotiate,NTLM for that Site.

When I check my ISA server I STILL see User = Anonymous so I am a bit stumped at the moment!!!

YEAH it's going to be so cool to meet up with you guys in Redmond next week :)

C





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take everything I say with a large pinch of salt. :-)

Anyway, here's the logic I was following.

If I've understood it correctly, you want the server hosting SharePoint to authenticate to the ISA server as the end user. Assuming you want to use constrained delegation (which is normal) then you need to specify the ISA Server somewhere in the configuration, because you are limiting (constraining) the scope of the delegation to the ISA Server. If you look at the Delegation tab of an object in ADUC, you will see the section labeled "Services to which this account can present delegated credentials:". It would seem logical to me to have to specify the ISA here. Now whether you need to configure this setting in ADUC on the account being used for the identity of the application pool, or the SharePoint server itself, I don't know.

Cheers

Tony

PS. See you next week :-)




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 1:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hey Tony,

Well, can you explain "but wouldn't you also need an SPN for the web service on the ISA Server?" I don't understand why; the ISA server is the server that is needing the authentication to allow the web server to browse the internet.

So to elaborate:

I have a Share Point site; it has an RSS feed web part. This web part is requesting an RSS feed, for example http://www.dirteam.com/blogs/carlos/default.aspx. Now I monitor on the ISA 2004 server and I see the web server trying to access the internet; the user specified = Anonymous. The delegation is so that the user viewing the Share Point site (hence calling the RSS web part) will be the user credentials passed to the ISA server to be able to browse the internet.

That's why I don't see why we need to register an SPN for the ISA server?

Thanks
C





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 01:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

I'm just starting to look at Kerberos delegation for something myself, but wouldn't you also need an SPN for the web service on the ISA Server? And then specify that service in the delegation tab on the user object?

Cheers
Tony




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Tuesday, 20 September 2005 9:31 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

Hey all,

Ok, late at night here and I've hit a mental block (don't laugh Dean). I have set this up like a gazillion times but this time can't get it to work.

Environment:

Windows 2003 Native Forest Mode
All clients Windows XP SP2 and above
Single forest single domain setup
Web Server: Windows Server 2003 Web Edition
Share Point Team Services installed.

That site has a web part that requires Kerb delegation for access to an ISA firewall in order to stream RSS feeds. I can see on the ISA server that whenever any user hits the site the HTTP request is sent as ANONYMOUS.

So what I have done:

I
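The metabase mismatch Carlos describes above (IIS MMC showing SPSAppPool while MetaBase.XML still says DefaultAppPool, and NTAuthenticationProviders stored with literal double quotes) can be checked straight from a saved copy of the file. The following is an added example, not code from the thread: the MetaBase.XML fragment is constructed to reproduce those two defects, and the node layout it assumes (IIsWebServer / IIsWebVirtualDir elements keyed by a Location attribute) follows the IIS 6 file format.

```python
import xml.etree.ElementTree as ET

# Constructed MetaBase.XML fragment (not a real server's file). Site 1 shows the
# two defects from the thread: its root still points at DefaultAppPool, and
# NTAuthenticationProviders was stored with the quotes included. Site 2 is healthy.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsWebServer Location="/LM/W3SVC/1"
                  ServerComment="SharePoint"
                  NTAuthenticationProviders="&quot;Negotiate,NTLM&quot;" />
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
                      AppPoolId="DefaultAppPool"
                      Path="C:\\Inetpub\\wwwroot" />
    <IIsWebServer Location="/LM/W3SVC/2"
                  ServerComment="Healthy"
                  NTAuthenticationProviders="Negotiate,NTLM" />
    <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" AppPoolId="SPSAppPool" />
  </MBProperty>
</configuration>
"""


def _local(tag):
    # Strip the metabase namespace so tag names can be compared directly.
    return tag.rsplit("}", 1)[-1]


def load_metabase(xml_text):
    """Return {LOCATION: {attribute: value}} for every node that has a Location key."""
    root = ET.fromstring(xml_text)
    nodes = {}
    for el in root.iter():
        loc = el.get("Location")
        if loc:
            nodes[loc.upper()] = dict(el.attrib, _type=_local(el.tag))
    return nodes


def audit_site(xml_text, site_id, expected_pool):
    """Report what the metabase really stores for one site, independent of the MMC view."""
    nodes = load_metabase(xml_text)
    site = nodes.get(f"/LM/W3SVC/{site_id}", {})
    root_vdir = nodes.get(f"/LM/W3SVC/{site_id}/ROOT", {})
    raw = site.get("NTAuthenticationProviders")
    findings = []
    providers = []
    if raw is None:
        findings.append("NTAuthenticationProviders not set on the site node")
    else:
        unquoted = raw.strip('"')
        if unquoted != raw:
            # The symptom from the thread: the quotes became part of the stored value.
            findings.append("NTAuthenticationProviders stored with literal double quotes")
        providers = [p.strip() for p in unquoted.split(",") if p.strip()]
        if "Negotiate" not in providers:
            findings.append("Negotiate not offered; Kerberos (and so delegation) cannot be used")
    pool = root_vdir.get("AppPoolId")
    if pool != expected_pool:
        findings.append(f"root virtual directory runs in {pool!r}, expected {expected_pool!r}")
    return {"app_pool": pool, "raw_providers": raw, "providers": providers, "findings": findings}


if __name__ == "__main__":
    for site_id in (1, 2):
        result = audit_site(SAMPLE_METABASE, site_id, "SPSAppPool")
        print(f"site {site_id}: pool={result['app_pool']} providers={result['providers']}")
        for finding in result["findings"]:
            print("  -", finding)
```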

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Roger Seielstad



So have you granted domain\IISServer$ access through ISA?

Roger Seielstad
E-mail Geek



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, September 21, 2005 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation


Well I have some screen shots for you of AuthDiag and of wfetch; if you don't mind I can send it to you offline.

This is the weird part: if I use wfetch to connect using Anonymous as authentication I get the web page requested.

If I specify any other auth type, i.e. NTLM or Kerberos, I get an ISA server page telling me I am not authorized to view this page.

With anonymous connection I get:

    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM

With a specified auth type I don't get any of that (the screen shots explain).

AuthDiag still only reports Test Authentication NTLM, NO Kerberos.

I still have a copy of the old Metabase.xml to prove that it was storing the incorrect settings when IIS MMC was showing something else.

Let me know if I can ping the screen shots to you.

Thanks Ken, am I going to get to see you at Redmond?
C






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: 21 September 2005 03:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Odd.

If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request a page, what WWW-Authenticate headers are coming back? You should see:

    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM

(basically the webserver sends back a list of the auth mechanisms it supports, and the browser picks the first one in the list that it supports). If you are only seeing the NTLM option, then something's up with IIS or Sharepoint. If you are seeing both, then AuthDiag is lying to you.

Cheers
Ken






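Ken's check above (look at the WWW-Authenticate headers the server actually returns rather than trusting AuthDiag) can be scripted. The following is an added example, not code from the thread: the 401 responses are constructed samples in the shape IIS 6 returns, and probe() is a hypothetical helper that sends the same bare request one would type into telnet.

```python
import socket

# Constructed IIS 6 responses (samples, not captured traffic). The first is what
# Ken says a healthy server returns; the other two are the failure shapes discussed.
SAMPLE_OK = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Content-Length: 1656\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"Date: Wed, 21 Sep 2005 05:17:00 GMT\r\n"
    b"\r\n"
)
# Only NTLM offered: IIS or SharePoint is not configured to negotiate Kerberos.
SAMPLE_NTLM_ONLY = SAMPLE_OK.replace(b"WWW-Authenticate: Negotiate\r\n", b"")
# No challenge at all: the page is being served anonymously.
SAMPLE_NO_CHALLENGE = b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n\r\n"


def parse_headers(raw):
    """Split a raw HTTP response head into (status line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def offered_schemes(raw):
    """WWW-Authenticate schemes in the order the server listed them (order matters)."""
    _, headers = parse_headers(raw)
    return [v.split(None, 1)[0] for n, v in headers if n.lower() == "www-authenticate"]


def diagnose(raw):
    """Classify the response the way Ken describes."""
    schemes = offered_schemes(raw)
    if "Negotiate" in schemes:
        return "ok"            # Kerberos can be negotiated; a tool claiming NTLM-only is wrong
    if "NTLM" in schemes:
        return "ntlm-only"     # IIS/SharePoint is not offering Negotiate: check the metabase
    return "no-challenge"      # nothing offered: the request is served anonymously


def client_choice(schemes, supported=("Negotiate", "NTLM")):
    """First scheme the server offered that the client supports, or None."""
    for scheme in schemes:
        if scheme in supported:
            return scheme
    return None


def probe(host, port=80, path="/"):
    """Hypothetical helper: send the bare request one would type into telnet, return the head."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = sock.recv(4096)
            if not data:
                break
            buf += data
    return buf


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("ntlm", SAMPLE_NTLM_ONLY), ("none", SAMPLE_NO_CHALLENGE)):
        schemes = offered_schemes(sample)
        print(label, schemes, diagnose(sample), "client picks:", client_choice(schemes))
```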

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Ken Schaefer








Could I ask why he'd need to do that?

Cheers
Ken













RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Carlos Magalhaes








Hmmm, explain a little more where you would grant this access.

Thanks

Carlos












RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Roger Seielstad



By default, the IIS app pool and (I believe) SharePoint both run under Network Service. Therefore, when SharePoint makes the request outbound, it will be making it within the context of the NetworkService account, which means it's going to present the server's domain credentials.

Roger Seielstad
E-mail Geek




RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Roger Seielstad



I know next to nothing about ISA. The last time I touched it, it was still called MS Proxy 2.0. I'm assuming there's a security group somewhere that is used to control who can do what through the ISA server. Actually, I know there is because I'm part of one at work (just don't know how to configure it). See my response to Ken as to why this would be necessary...

Roger Seielstad
E-mail Geek




RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Brian Desmond








SharePoint will, unless you ignore the recommendations in the setup wizard, run under a service account you create for it. You can however ignore the recommendations to make a service account for it when you're setting up the site/portal app pool, and it will run under Network Service.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132















MetaBase.XML file ( you know I love looking at the guts of systemsJ ) it was still
specifying DefaultAppPool (and I mean I had rebooted the server a few times)
also DO NOT RUN: 



Cscript adsutil.vbs set
w3svc/1/ntauthenticationproviders Negotiate,NTLM

Iisreset



I know it seems logical but I KEPT the
quotations in there and what it ended up doing was: Negotiate,NTLM ***Note the
double quotes



And all auth was being
defaulted to Anonymous (thank heavens for a network sniffer J )



Even though I fixed
these issues and I have made sure my Metabase.xml file is correct with
Negotiate,NTLM and with the correct App Pool with the correct
user etc, when I run AuthDiag the only Test Authentication
option I get is NTLM, the Server Settings Node though specifies
Negotiate,NTLM for that Site. 



When I check my ISA
server I STILL see User  Anonymous so I am a bit stumped at the moment
!!!



YEAH it going to be
so cool to meet up with you guys in Redmond
next week J



C











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 10:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos
Delegation





Hi Carlos



As I said, I'm just starting to look at
Kerberos delegation, so take

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Carlos Magalhaes
Yup I ignored the setup :) I created a service account for the AppPool in AD
and set the relevant SPNs for Kerberos delegation, I also enabled that AD
account for constrained Delegation.

Thanks for your input Brian :)

C


RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Carlos Magalhaes
Yes agreed however I have changed the Identity for the SPS AppPool to a service
account that I have created and registered SPNs, it doesn't seem to be
accessing ISA with those credentials though, I keep seeing an HTTP request
coming through with Anonymous as the user.

C


RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Ken Schaefer

But isn't the whole point of this thread to get Delegation working? In that
case, the Sharepoint/IIS server should be connecting to ISA Server as the end
user. Or am I missing something here?

Cheers

Ken


RE: [ActiveDir] Kerberos Delegation

2005-09-21 Thread Ken Schaefer

Odd.

If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request
a page, what WWW-Authenticate headers are coming back? You should see:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

(basically the webserver sends back a list of the auth mechanisms it supports,
and the browser picks the first one in the list that it supports). If you are
only seeing the NTLM option, then something's up with IIS or Sharepoint. If you
are seeing both, then AuthDiag is lying to you.

Cheers

Ken
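Ken's check above can be scripted: capture the raw response (with WFetch or telnet, as he suggests) and read the WWW-Authenticate headers out of it. This is an added Python example, not code from the thread; the three responses in it are constructed to match the cases discussed (both schemes offered, NTLM only, and a page served anonymously with no challenge).

```python
"""Classify what an IIS site offers in its WWW-Authenticate headers.

Added example, not from the thread. The responses at the bottom are
constructed to mirror the situations discussed: a healthy 401 offering both
Negotiate and NTLM, a 401 offering NTLM only, and a 200 that served the page
anonymously without any challenge.
"""
import re
from typing import List, Tuple

# A bare auth-scheme name such as Negotiate, NTLM, Basic or Digest.
SCHEME_TOKEN = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP response into (status code, [(header-name, value)]).

    Accepts CRLF or bare LF line endings, since a telnet capture pasted from
    a terminal often loses the carriage returns.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split()[1])
    headers = []
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def offered_schemes(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the auth schemes announced in WWW-Authenticate, in server order.

    IIS sends one challenge per header (the two lines quoted in the thread),
    but RFC 7235 also allows several challenges in one comma-separated header,
    so both shapes are handled. Only bare scheme names are kept; parameters
    such as a Basic realm are ignored.
    """
    schemes = []
    for name, value in headers:
        if name != "www-authenticate":
            continue
        for challenge in value.split(","):
            token = challenge.strip().split(" ", 1)[0]
            if SCHEME_TOKEN.match(token):
                schemes.append(token.lower())
    return schemes


def diagnose(raw: str) -> str:
    """Map a response to one of the situations Ken describes.

    'negotiate'    Negotiate (SPNEGO, so Kerberos) is offered: the site can do
                   Kerberos, so a tool that still reports NTLM only is wrong.
    'ntlm-only'    NTLM is offered without Negotiate: the Negotiate provider
                   is missing (NTAuthenticationProviders in the IIS 6 metabase).
    'anonymous'    200 with no challenge: the page was served anonymously,
                   which is what the thread saw at the ISA server.
    'no-challenge' 401 without any WWW-Authenticate: something in front of
                   IIS refused the request before authentication happened.
    'other'        anything else (Basic/Digest only, redirects, errors).
    """
    status, headers = parse_response(raw)
    schemes = offered_schemes(headers)
    if status == 200 and not schemes:
        return "anonymous"
    if status == 401:
        if "negotiate" in schemes:
            return "negotiate"
        if "ntlm" in schemes:
            return "ntlm-only"
        if not schemes:
            return "no-challenge"
    return "other"


# Constructed responses, not captured from the thread's servers.
HEALTHY_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
NTLM_ONLY_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
ANON_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "hello"
)

if __name__ == "__main__":
    for label, raw in (("healthy", HEALTHY_401), ("ntlm only", NTLM_ONLY_401),
                       ("anonymous", ANON_200)):
        print(f"{label:10s} -> {diagnose(raw)}")
```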
RE: [ActiveDir] Kerberos Delegation

2005-09-21 Thread Carlos Magalhaes

Well I have some screen shots for you of AuthDiag and of wfetch, if you don't
mind I can send it to you offline.

This is the weird part, if I use wfetch to connect using Anonymous as
authentication I get the web page requested.

If I specify any other auth type i.e. NTLM or Kerberos I get an ISA server page
telling me I am not authorized to view this page.

With anonymous connection I get:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

With a specified auth type I don't get any of that (The screen shots explain)

AuthDiag still only reports Test Authentication NTLM NO Kerberos.

I still have a copy of the old Metabase.xml to prove that it was storing the
incorrect settings when IIS MMC was showing something else.

Let me know if I can ping the screen shots to you.

Thanks Ken, am I going to get to see you at Redmond?

C


RE: [ActiveDir] Kerberos Delegation

2005-09-20 Thread Carlos Magalhaes

Hey Tony,

Well can you explain "but wouldn't you also need an SPN for the web service on
the ISA Server?" I don't understand why, the ISA server is the server that is
needing the authentication to allow the web server to browse the internet.

So to elaborate:

I have a Share Point site, it has an RSS feed web part, this web part is
requesting an RSS feed, for example http://www.dirteam.com/blogs/carlos/default.aspx
now I monitor on the ISA 2004 server and I see the web server trying to access
the internet, the user specified = Anonymous. The delegation is so that the user
viewing the Share Point site (hence calling the RSS web part) will be the user
credentials passed to the ISA server to be able to browse the internet.

That's why I don't see why we need to register an SPN for the ISA server?

Thanks
C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 20 September 2005 01:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Hi Carlos

I'm just starting to look at Kerberos delegation for something myself, but
wouldn't you also need an SPN for the web service on the ISA Server? And then
specify that service in the delegation tab on the user object?

Cheers

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Tuesday, 20 September 2005 9:31 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

Hey all,

Ok late at night here and I've hit a mental block (don't laugh Dean). I have
set this up like a gazillion times but this time can't get it to work.

Environment:

Windows 2003 Native Forest Mode - All clients Windows XP SP2 and above

Single forest single domain setup

Web Server - Windows Server 2003 Web Edition

Share Point Team Services installed.

That site has a web part that requires Kerb delegation for access to an ISA
firewall in order to stream RSS feeds. I can see on the ISA server that
whenever any user hits the site the HTTP request is sent as ANONYMOUS.

So what I have done:

- I have set webserver for delegation (Kerb Only)
- I have created username in AD and set for Delegation (Kerb Only)
- I have set the Share Point Portal Application Pools (IIS 6.0) to use the
  AD user mentioned above for the Identity of the App Pool (rebooted IIS
  server)
  a. Purged all tickets as well.
- I have registered an SPN (-A HTTP) for the DOMAIN\User mentioned above

Still get Anonymous access on the ISA box, and using some normal .net code can
see that it's not delegating the creds correctly, can anyone see what I am
doing wrong or what I should be doing?

Thanks I appreciate the help so late in my night :-)

Carlos

This e-mail message has been scanned for Viruses and Content and
cleared by NetIQ MailMarshal at Gen-i

RE: [ActiveDir] Kerberos Delegation

2005-09-20 Thread Tony Murray

Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take
everything I say with a large pinch of salt. :-)

Anyway, here's the logic I was following.

If I've understood it correctly, you want the server hosting SharePoint to
authenticate to the ISA server as the end user. Assuming you want to use
constrained delegation (which is normal) then you need to specify the ISA
Server somewhere in the configuration, because you are limiting (constraining)
the scope of the delegation to the ISA Server. If you look at the Delegation
tab of an object in ADUC, you will see the section labeled "Services to which
this account can present delegated credentials:" It would seem logical to me
to have to specify the ISA here. Now whether you need to configure this
setting in ADUC on the account being used for the identity of the application
pool, or the SharePoint server itself I don't know.

Cheers
Tony

PS. See you next week :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 1:38 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation


Hey Tony,

Well, can you explain "but wouldn't you also need an SPN for the web service on the ISA Server?" I don't understand why; the ISA server is the server that is needing the authentication to allow the web server to browse the internet.

So to elaborate:

I have a Share Point site; it has an RSS feed web part. This web part is requesting an RSS feed, for example http://www.dirteam.com/blogs/carlos/default.aspx. Now I monitor on the ISA 2004 server and I see the web server trying to access the internet with the user specified = Anonymous. The delegation is so that the user viewing the Share Point site (hence calling the RSS web part) will be the user credentials passed to the ISA server to be able to browse the internet.

That's why I don't see why we need to register an SPN for the ISA server.

Thanks
C







[ActiveDir] Kerberos Delegation

2005-09-19 Thread Carlos Magalhaes








Hey all,

Ok, late at night here and I've hit a mental block (don't laugh Dean). I have set this up like a gazillion times but this time can't get it to work.

Environment:

Windows 2003 Native Forest Mode
All clients Windows XP SP2 and above
Single forest, single domain setup
Web Server: Windows Server 2003 Web Edition
Share Point Team Services installed.

That site has a web part that requires Kerb delegation for access to an ISA firewall in order to stream RSS feeds. I can see on the ISA server that whenever any user hits the site the HTTP request is sent as ANONYMOUS.

So what I have done:

- Set webserver for delegation (Kerb Only)
- Created username in AD and set for Delegation (Kerb Only)
- Set the Share Point Portal Application Pools (IIS 6.0) to use the AD user mentioned above for the Identity of the App Pool (rebooted IIS server)
  a. Purged all tickets as well.
- Registered an SPN for the user mentioned above (-A HTTP DOMAIN\User)

Still get Anonymous access on the ISA box, and using some normal .net code can see that it's not delegating the creds correctly. Can anyone see what I am doing wrong or what I should be doing?

Thanks, I appreciate the help so late in my night :)

Carlos








RE: [ActiveDir] Kerberos Delegation

2005-09-19 Thread Tony Murray



Hi Carlos

I'm just starting to look at Kerberos delegation for something myself, but wouldn't you also need an SPN for the web service on the ISA Server? And then specify that service in the delegation tab on the user object?

Cheers
Tony





RE: [ActiveDir] Kerberos Delegation

2005-09-19 Thread frank . carroll



Carlos,

If I understand the situation correctly you are going client -> SharePoint IIS server -> ISA server. It sounds like you need to pass the client's Kerberos credentials all the way to the ISA box. If that is correct, here is what I would try...

Client Browser: IE6SP1 will not negotiate Kerberos by default. You need to set the integrated authentication value as detailed in KB299838.

SharePoint IIS Server: The default SharePoint install disables Kerberos by default (see KB823265 - this is an Exchange article but it documents the default SharePoint install behavior). See KB832769 for directions on how to enable Kerberos for SharePoint. We did the following to allow the default website to use Kerberos:

    cscript adsutil.vbs set w3svc/1/NTAuthenticationProviders "Negotiate,NTLM"
    iisreset

Next, set up the application pool service account to permit delegation (ADUC): "Account is trusted for delegation".

After this, you need to add an SPN to the service account that you set up to run the application pool:

    setspn -A HTTP/fqdnofyourserver yourdomain\youraccount

At this point your client should negotiate Kerberos when it connects to the SPS server. You can verify this with kerbtray from the resource kit. You should see a ticket for the application pool service account.

If you connect to the SPS site by any URLs other than the FQDN (i.e. the NetBIOS name of the server or some other internal namespace URL - sps.app.local, etc.) you will need to add additional SPNs to the application pool service account:

    setspn -A HTTP/netbiosservername yourdomain\youraccount
    setspn -A HTTP/sps.app.local yourdomain\youraccount

Again, after you do this you should be able to access the site by any of the three URLs (server FQDN, server NetBIOS, other namespace URL) and see the ticket for the application pool service account in kerbtray.

In my case the SharePoint server was the endpoint of the connection trail, but once you get to the SPS server with Kerberos you should be able to hop again to the ISA box.

Hope this helps - it may be a repeat of what you have already done. This is an extract of the doc that I wrote for myself when I had to figure this out. You may also want to take a peek at the ISA box to see if the ISA install also turned off Kerberos. I don't know about this one because I have never had to look at that one...

Frank
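
Frank's steps above (offer Negotiate on the site, trust the app-pool account for delegation, one HTTP SPN per hostname users type, then confirm a ticket for that SPN from a client) as one PowerShell script. This is an added example, not Frank's or Carlos's configuration: the account svc-spspool, the hostnames sps01.app.local / sps01 / sps.app.local, the second-hop SPN HTTP/isa.app.local and site id 1 are assumptions, and it uses the ActiveDirectory module, setspn -L and klist from current Windows in place of the 2003-era Support Tools and kerbtray named in the thread. It also settles the point Tony leaves open: the delegation settings go on the account the first hop runs as (the app-pool identity), because that is the account that receives the user's ticket and asks the KDC for the next one. The "Kerberos only" form lists the second-hop SPN in msDS-AllowedToDelegateTo and leaves both the unconstrained and the protocol-transition flags clear.

```powershell
# Added example (not from the thread): Kerberos on a first-hop IIS app pool plus constrained
# delegation to a second-hop service, then a client-side check. Every name is an assumption.
$PoolAccount  = 'svc-spspool'                                 # app-pool identity (sAMAccountName)
$SiteNames    = 'sps01.app.local', 'sps01', 'sps.app.local'   # every hostname users will type
$SecondHopSpn = 'HTTP/isa.app.local'                          # the only service the pool may delegate to
$SiteId       = 1                                             # IIS 6 metabase site (w3svc/1)
$AdsUtil      = "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs"

Import-Module ActiveDirectory

# 1. IIS must offer Negotiate; a site left at NTLM only (the SharePoint default the thread
#    mentions) never yields a Kerberos ticket to delegate. Read the value back: the stored text
#    must be exactly Negotiate,NTLM with no stray quote characters.
cscript //nologo $AdsUtil set "w3svc/$SiteId/NTAuthenticationProviders" "Negotiate,NTLM"
cscript //nologo $AdsUtil get "w3svc/$SiteId/NTAuthenticationProviders"

# 2. One HTTP SPN per hostname, all on the app-pool account. A duplicate SPN anywhere in the
#    domain breaks Kerberos for that name (the KDC cannot pick a key) and the browser quietly
#    falls back to NTLM, so look before adding.
foreach ($name in $SiteNames) {
    $spn    = "HTTP/$name"
    $others = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
              Where-Object { $_.sAMAccountName -ne $PoolAccount }
    if ($others) { throw "$spn is already registered on $($others.sAMAccountName -join ', ')" }
    Set-ADUser -Identity $PoolAccount -ServicePrincipalNames @{ Add = $spn }
}

# 3. "Kerberos only" constrained delegation: only the listed SPN may be requested on the user's
#    behalf. Unconstrained (TRUSTED_FOR_DELEGATION) and protocol transition
#    (TRUSTED_TO_AUTH_FOR_DELEGATION) stay off; neither is needed for this hop.
if (-not (Get-ADObject -LDAPFilter "(servicePrincipalName=$SecondHopSpn)")) {
    Write-Warning "$SecondHopSpn is registered on no account; the KDC cannot issue tickets for it"
}
Set-ADUser -Identity $PoolAccount -Add @{ 'msDS-AllowedToDelegateTo' = $SecondHopSpn }
Set-ADAccountControl -Identity $PoolAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $false

setspn -L $PoolAccount          # review: the HTTP/ names above and nothing else

# 4. From a domain-joined client: drop cached tickets, hit the site, then look for a service
#    ticket to the site's SPN (kerbtray's job in the thread). No HTTP/ ticket means the browser
#    fell back to NTLM or anonymous, and nothing can be delegated from an NTLM logon.
klist purge
Invoke-WebRequest -Uri "http://$($SiteNames[0])/" -UseDefaultCredentials -UseBasicParsing | Out-Null
klist | Select-String 'HTTP/'
```

Run steps 1 to 3 on the web server and a machine with RSAT, step 4 on a workstation whose browser zone settings allow integrated authentication for the site; the ISA log should then show the browsing user's name instead of Anonymous.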






RE: [ActiveDir] Kerberos Delegation

2005-09-19 Thread Ken Schaefer








One addition: IE will not attempt to negotiate Kerberos auth if the site is in the Internet security zone (which sites accessed by FQDN are by default). Add the site to the Local Intranet zone.

Some other thoughts: If NTLM is not desired (i.e. Kerberos only), then you can set the Auth Providers key to "Negotiate" only, rather than "Negotiate,NTLM". That will stop IE from using NTLM.

KB299838 only applies to IE5 upgraded to IE6 AFAIK, so if you have, say, Windows XP that comes OOB with IE6, then the checkbox mentioned is already checked (by default).

Lastly, if Kerberos isn't an option (e.g. users out on the Internet), then if you have a Windows 2003 Domain, Protocol Transition may be a possibility (but I've never set that up on a SharePoint box, so I can't say with 100% certainty that it'll work):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx

But in the OP's case, I think the first thing to check is the Auth Providers key, since SharePoint does set that to NTLM by default (as mentioned below).

Cheers

Ken
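
The check that settles whether the browser actually did Kerberos or fell back to NTLM, without a sniffer or AuthDiag: take the token from the request's Authorization: Negotiate header (from a capture or a debugging proxy) and decode the SPNEGO mechanism list inside it. A client that obtained a ticket lists the Kerberos OIDs first and carries an AP-REQ; a client in the situation Ken and Frank describe (site in the Internet zone, or IIS offering NTLM only) offers NTLMSSP alone, or sends a bare NTLMSSP message under the Negotiate scheme. This is an added example, not code from the thread; the headers it decodes at the bottom are built by the sample builder in the same block and are not captured traffic, and the only real identifiers are the standard OIDs.

```powershell
# Added example (not from the thread): classify an "Authorization: Negotiate <base64>" header
# as Kerberos or NTLM by decoding the SPNEGO NegTokenInit it carries.
$SpnegoOid  = '1.3.6.1.5.5.2'
$KnownMechs = @{
    '1.2.840.113554.1.2.2'   = 'Kerberos V5'
    '1.2.840.48018.1.2.2'    = 'Kerberos V5 (Microsoft legacy OID)'
    '1.3.6.1.4.1.311.2.2.10' = 'NTLMSSP'
    '1.3.6.1.4.1.311.2.2.30' = 'NEGOEX'
}

function Read-DerTlv {
    # One DER tag-length-value at $Offset: tag byte, content bytes, offset of the next TLV.
    param([byte[]]$Bytes, [int]$Offset)
    $pos = $Offset + 1
    $len = [int]$Bytes[$pos]; $pos++
    if ($len -ge 0x80) {                              # long form: low 7 bits = number of length bytes
        $count = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $count; $i++) { $len = ($len -shl 8) -bor [int]$Bytes[$pos]; $pos++ }
    }
    $content = if ($len -gt 0) { [byte[]]$Bytes[$pos..($pos + $len - 1)] } else { [byte[]]@() }
    [pscustomobject]@{ Tag = $Bytes[$Offset]; Content = $content; Next = $pos + $len }
}

function ConvertFrom-DerOid {
    # OBJECT IDENTIFIER content -> dotted string (first byte packs arcs 1 and 2, base 128 after).
    param([byte[]]$Content)
    $arcs = @([int][math]::Floor($Content[0] / 40), [int]($Content[0] % 40))
    $acc = [long]0
    for ($i = 1; $i -lt $Content.Length; $i++) {
        $acc = ($acc -shl 7) -bor ($Content[$i] -band 0x7F)
        if (($Content[$i] -band 0x80) -eq 0) { $arcs += $acc; $acc = [long]0 }
    }
    $arcs -join '.'
}

function Get-NegotiateTokenInfo {
    param([string]$AuthorizationHeader)
    $b64   = ($AuthorizationHeader -replace '^\s*(Authorization:\s*)?Negotiate\s+', '').Trim()
    $bytes = [Convert]::FromBase64String($b64)
    # Some clients send a bare NTLMSSP message under the Negotiate scheme, with no SPNEGO wrapper.
    if ($bytes.Length -ge 8 -and [Text.Encoding]::ASCII.GetString($bytes, 0, 7) -eq 'NTLMSSP') {
        return [pscustomobject]@{ Verdict = 'NTLM'; Mechs = @('NTLMSSP (raw, no SPNEGO wrapper)') }
    }
    if ($bytes[0] -ne 0x60) { throw 'not a GSS-API InitialContextToken (tag 0x60 expected)' }
    $outer = Read-DerTlv $bytes 0                          # [APPLICATION 0] thisMech + innerContextToken
    $oid   = Read-DerTlv $outer.Content 0                  # thisMech OBJECT IDENTIFIER
    if ((ConvertFrom-DerOid $oid.Content) -ne $SpnegoOid) { throw 'thisMech is not SPNEGO' }
    $negInit   = Read-DerTlv $outer.Content $oid.Next      # [0] NegTokenInit
    $seq       = Read-DerTlv $negInit.Content 0            # SEQUENCE
    $mechField = Read-DerTlv $seq.Content 0                # [0] mechTypes, always the first field
    if ($mechField.Tag -ne 0xA0) { throw 'NegTokenInit without mechTypes' }
    $mechList  = Read-DerTlv $mechField.Content 0          # SEQUENCE OF OBJECT IDENTIFIER
    $mechs = @(); $pos = 0
    while ($pos -lt $mechList.Content.Length) {
        $m = Read-DerTlv $mechList.Content $pos
        $dotted = ConvertFrom-DerOid $m.Content
        $name = if ($KnownMechs.ContainsKey($dotted)) { $KnownMechs[$dotted] } else { $dotted }
        $mechs += $name
        $pos = $m.Next
    }
    # mechTypes is in preference order and the optimistic mechToken belongs to the first entry,
    # so the first entry is the mechanism this request actually authenticates with.
    $verdict = if ($mechs[0] -like 'Kerberos*') { 'Kerberos' } elseif ($mechs[0] -eq 'NTLMSSP') { 'NTLM' } else { 'Other' }
    [pscustomobject]@{ Verdict = $verdict; Mechs = $mechs }
}

# --- constructed samples, not captured traffic -------------------------------------------------
$DerOid = @{
    Spnego  = [byte[]](0x2b,0x06,0x01,0x05,0x05,0x02)
    MsKrb5  = [byte[]](0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02)
    Krb5    = [byte[]](0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02)
    Ntlmssp = [byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a)
}
function New-DerTlv {
    param([byte]$Tag, [byte[]]$Content)
    $out = New-Object System.Collections.Generic.List[byte]
    $out.Add($Tag)
    if ($Content.Length -lt 0x80) { $out.Add([byte]$Content.Length) }
    else { $out.Add([byte]0x82); $out.Add([byte]($Content.Length -shr 8)); $out.Add([byte]($Content.Length -band 0xFF)) }
    $out.AddRange($Content)
    ,$out.ToArray()
}
function New-SampleNegotiateHeader {
    # Minimal NegTokenInit offering the given mechanisms (keys of $DerOid) in preference order.
    param([string[]]$Mechs)
    $oids = New-Object System.Collections.Generic.List[byte]
    foreach ($m in $Mechs) { $oids.AddRange([byte[]](New-DerTlv 0x06 $DerOid[$m])) }
    $mechTypes = New-DerTlv 0xA0 (New-DerTlv 0x30 $oids.ToArray())
    $negInit   = New-DerTlv 0xA0 (New-DerTlv 0x30 $mechTypes)
    $token     = New-DerTlv 0x60 ([byte[]]((New-DerTlv 0x06 $DerOid.Spnego) + $negInit))
    'Negotiate ' + [Convert]::ToBase64String($token)
}

Get-NegotiateTokenInfo (New-SampleNegotiateHeader 'MsKrb5', 'Krb5', 'Ntlmssp')   # a client that holds a ticket
Get-NegotiateTokenInfo (New-SampleNegotiateHeader 'Ntlmssp')                     # a client that fell back
```

On a real capture, paste the header value into Get-NegotiateTokenInfo; a verdict of NTLM on the request to the SharePoint site explains an Anonymous (or NTLM-only) identity at the next hop, because there is no Kerberos ticket to delegate.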













[ActiveDir] Kerberos Delegation

2005-08-09 Thread Free, Bob
We have a developer who wants us to allow delegation for a couple of SQL
servers and their service accounts so he can do distributed queries
across linked servers. This is new ground for us from an AD perspective
that I have just started researching and I'd like to hear others'
thoughts, policies etc.

We are at 2003 functional level so from what I read, we can allow
constrained delegation which is much better than un-constrained but most
of the comments I come across indicate this isn't something to be taken
lightly, has serious security ramifications, policies should be in place
etc.

I can find a reasonable amount of information from the developers
point-of-view, and I can see how to implement it technically (I think)
but not a whole lot from the AD admin's perspective, especially as it
pertains to the desirability of allowing it and how best to manage it if
it is allowed.

Any info greatly appreciated.

Bob

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Bernard, Aric
Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for...

Anytime you allow someone or something to impersonate, err, act on
behalf of another security principal, there is always cause for concern.
Constrained delegation certainly provides some flexibility in achieving
this goal and fulfilling the application's need, but like any Domain
Admin in your forest the developer and the application must be trusted.

I would recommend clear documentation as to the architecture of the
application, how and with what other systems it interoperates, and if
you have the wherewithal (or can bring in someone who does) a code
review to ensure that what is defined is accurate.  

I know this seems a little over-the-top, but we are talking about you
accepting someone else walking around with my ID and saying "he told me
it was OK that I access <fill in the blank> on his behalf".

Regards,

Aric Bernard


RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Rick Kingslan
Bob,

Make no mistake - I'm really not a fan of allowing "Act as part of the
operating system" or the Impersonation privilege.

That being said - from the work that I have done with other web developers
needing access to SQL or application servers, constrained delegation is the
best method that I have seen available - IF it is done correctly.  As I
suspect you know (and the reason for your asking) it's all about the level of
comfort with the solution.

However, just the very configuration sets up two things that I like very
much.  One - in the old(er) methods of delegation, Alice authNs to server
Bob, which then impersonates Alice to SQL Server.  Bob is then the
authenticator to the destination, SQL Server - not Alice, which causes a bit
of a problem - Trust.  Can you trust Server Bob, or the administrator, or who
else might have control of server Bob?  Maybe not.  Auditing, too, becomes a
problem.

Model two involves, again Alice AuthN to Server Bob, Server Bob authNs to
the SQL server as Alice.  Server Bob, in and of itself has no permissions to
the SQL server and we see that the audit logs show access by Alice - not
Bob.  Big mitigation in relation to authN.  Alice is allowed, not Server
Bob.  Server Bob is still allowed to do some role based authN and authZ.

Now, let's add the constrained delegation.  Pretty much the same thing as
model two - except we are allowed to limit the scope of servers, services,
ports, etc. that the delegated request is able to talk to.

There is no completely safe solution when we involve impersonation.
However, Security is Risk Management.  Without having a complete, holistic
view of the entire solution and environment, I can't really tell you what
your risk will be.  What I can say is that if Plain Text is 100% Risk, and
Act As Operating System is 30%, this is 10%.

As to the AD perspective - not much at all that I'm aware of.  As to the
desirability, I'd prefer this method over any of the others that have been
presented of late - short of two-factor.

If you haven't seen this:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx


Rick


RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
Do you have details on the accounts that will be delegated?  With
constrained delegation, it is pretty straightforward to limit which
accounts can delegate to which other services, but you might want to be
very careful about limiting who gets delegated.

One really good idea is marking all the domain admin accounts as
"sensitive and cannot be delegated", for example.  From there, you might
also consider adding additional accounts.

From a business perspective, a lot of times implementing a delegation
scenario is much preferable to the alternatives.  Here, the dev would
probably have to hit the other SQL boxes with a service account and
would lose the ability to enforce the same security model in place with
SQL which is not good.

My $0.02,

Joe K.
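
Joe's two points as a check an AD admin can run: list every account that is able to act on someone else's behalf (unconstrained, constrained through msDS-AllowedToDelegateTo, or with protocol transition), and list the members of the privileged groups whose tickets a delegating service could still use because they are neither marked "Account is sensitive and cannot be delegated" nor in Protected Users. This is an added example, not Joe's or the list's script; it needs the ActiveDirectory module (which postdates the thread), and the group list is an assumption to extend with your own admin groups.

```powershell
# Added example (not from the thread): who can delegate, and which privileged accounts
# are still delegable. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# userAccountControl bits; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$UF_TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained: any service, as any user who authenticated
$UF_NOT_DELEGATED                  = 0x100000    # "Account is sensitive and cannot be delegated"
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition ("use any authentication protocol")
$BitAnd = '1.2.840.113556.1.4.803'

function Get-DelegationReport {
    # Users and computers able to obtain tickets on another principal's behalf. Domain controllers
    # are unconstrained by design and are excluded here (primaryGroupID 516 and 521).
    $filter = "(&(!(primaryGroupID=516))(!(primaryGroupID=521))" +
              "(|(userAccountControl:${BitAnd}:=${UF_TRUSTED_FOR_DELEGATION})" +
                "(userAccountControl:${BitAnd}:=${UF_TRUSTED_TO_AUTH_FOR_DELEGATION})" +
                "(msDS-AllowedToDelegateTo=*)))"
    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, userAccountControl, 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            $uac = [int]$_.userAccountControl
            [pscustomobject]@{
                Account             = $_.sAMAccountName
                Class               = $_.ObjectClass
                Unconstrained       = [bool]($uac -band $UF_TRUSTED_FOR_DELEGATION)      # the rows to get rid of
                ProtocolTransition  = [bool]($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION)
                AllowedToDelegateTo = @($_.'msDS-AllowedToDelegateTo') -join '; '
            }
        }
}

function Get-UnprotectedPrivilegedAccounts {
    # Recursive members of the admin groups whose tickets a delegating service could still use.
    # Protected Users (2012 R2 and later) also blocks delegation, so membership there counts.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'))
    $members = foreach ($g in $Groups) { Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue }
    $members | Where-Object { $_.objectClass -eq 'user' } | Sort-Object distinguishedName -Unique |
        Get-ADUser -Properties userAccountControl, memberOf |
        Where-Object {
            -not ($_.userAccountControl -band $UF_NOT_DELEGATED) -and
            -not ($_.memberOf -match '^CN=Protected Users,')
        } |
        Select-Object sAMAccountName, distinguishedName
}

function Protect-PrivilegedAccounts {
    # Mark everything the report returns as sensitive. Dry run by default; -Apply writes.
    # A service account that must be delegated has no business in these groups anyway.
    param([switch]$Apply)
    foreach ($acct in Get-UnprotectedPrivilegedAccounts) {
        if ($Apply) { Set-ADAccountControl -Identity $acct.distinguishedName -AccountNotDelegated $true }
        else        { "would mark sensitive: $($acct.sAMAccountName)" }
    }
}

Get-DelegationReport | Sort-Object Unconstrained -Descending | Format-Table -AutoSize
Protect-PrivilegedAccounts          # add -Apply once the list looks right
```

The first table is the inventory Bob is asking how to manage: every row with Unconstrained set to True is a service that can impersonate any user who ever authenticated to it, and the goal is to convert those to a short AllowedToDelegateTo list or remove the flag.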

This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise private information.  If you have received it in 
error, please notify the sender immediately and delete the original.  Any other 
use of the email by you is prohibited.

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Free, Bob
> Assuming that you are aware of what constrained delegation is, how it
> operates, and what it should be used for...

That's the point of my query, I certainly don't understand all I know
about it and we have never allowed it, at this point I have just begun
to scratch the surface. I was totally uncomfortable when it was first
proposed and threw up the stop sign. I'm getting less comfortable by the
minute as I read more about it. 

I'm reading the Kerberos Protocol Transition and Constrained Delegation
article and the Troubleshooting Kerberos Delegation white paper and like
I said, trying to understand all I know about it ;-(

Everyone's comments so far are immensely appreciated.

Thanks

Bob


RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
Rick, I agree with your points on CD, but what are you talking about
here with "Act as part of the operating system"?  That doesn't need to
get enabled anywhere to use constrained delegation.

Generally, that only tends to get added to accounts on Windows 2000 that
need to call the LogonUser API, but it is not needed for that on XP or
2003.

The other time it is sometimes needed is when a process wants to
directly create a security token for a user with impersonation
privileges via Kerberos S4U (protocol transition).  However, this is not
normally the case unless protocol transition is being done
programmatically.  The "automatic" version of protocol transition
doesn't need this.

If you were just using that as an example of a bad setting choice to
have to make, then I get it.  I just wanted to make sure there was no
cross up.

Thanks!

Joe K.
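
The programmatic protocol transition Joe distinguishes from the automatic kind, shown with the .NET call that performs S4U2Self: constructing a WindowsIdentity from a UPN asks the KDC for a ticket to the caller's own service in that user's name, with no password and no involvement from the user. Any domain account can do this and get an Identification-level token, which is enough for group and access checks but cannot open anything as the user. Getting an Impersonation-level token instead depends on the caller: SeTcbPrivilege ("Act as part of the operating system") always yields one, which is the Windows Server 2003 behaviour Joe refers to; from Windows Server 2008 on, an account marked trusted to authenticate for delegation gets one without TCB. This is an added example, not Joe's or Rick's code; alice@app.local and APP\Finance are assumed names, and it must run on a domain-joined host under Windows PowerShell (the Impersonate() call is .NET Framework only).

```powershell
# Added example (not from the thread): S4U2Self via WindowsIdentity(UPN) and what each token
# level permits. Run as the service account under test; all names are assumptions.
function Get-S4UIdentity {
    # Kerberos-only: the KDC issues a service ticket for this process's own account naming $Upn.
    param([string]$Upn)
    New-Object -TypeName System.Security.Principal.WindowsIdentity -ArgumentList $Upn
}

function Test-UserInRole {
    # Works with an Identification-level token: no delegation rights are needed to read the
    # group SIDs the KDC placed in the ticket's PAC, which is all an authorization check wants.
    param([string]$Upn, [string]$Role)
    $principal = New-Object -TypeName System.Security.Principal.WindowsPrincipal -ArgumentList (Get-S4UIdentity $Upn)
    $principal.IsInRole($Role)
}

function Invoke-AsUser {
    # Needs an Impersonation-level token; refuses to run otherwise instead of silently doing
    # the work as the service account. Impersonation is per thread, so a child process started
    # inside $Action would still run as the service account.
    param([string]$Upn, [scriptblock]$Action)
    $id = Get-S4UIdentity $Upn
    if ($id.ImpersonationLevel -ne 'Impersonation') {
        throw "S4U2Self gave a $($id.ImpersonationLevel)-level token for $($id.Name): this account may check the user's authorization but not act as the user"
    }
    $ctx = $id.Impersonate()
    try     { & $Action }
    finally { $ctx.Undo() }
}

function Test-CallerHasTcb {
    # Whether this process holds SeTcbPrivilege, the privilege Rick and Joe are discussing.
    [bool](whoami /priv | Select-String '^SeTcbPrivilege')
}

"Caller holds SeTcbPrivilege: $(Test-CallerHasTcb)"
$id = Get-S4UIdentity 'alice@app.local'
"{0}: auth={1} level={2} groups={3}" -f $id.Name, $id.AuthenticationType, $id.ImpersonationLevel, $id.Groups.Count
Test-UserInRole 'alice@app.local' 'APP\Finance'
Invoke-AsUser 'alice@app.local' { [System.Security.Principal.WindowsIdentity]::GetCurrent().Name }
```

Running this as an ordinary service account prints Identification for the level and Test-UserInRole still answers; Invoke-AsUser then throws, which is the safe outcome. Before granting "Act as part of the operating system" to make it succeed, check whether the application only needs the authorization answer, which the lesser token already provides.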

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Bob,

Make no mistake - I'm really not a fan of allowing "Act as part of the
operating system" or the Impersonation privilege.

That being said - from the work that I have done with other web developers
needing access to SQL or application servers, constrained delegation is the
best method that I have seen available - IF it is done correctly.  As I
suspect you know (and the reason for your asking) it's all about the level
of comfort with the solution.

However, just the very configuration sets up two things that I like very
much.  One - in the old(er) methods of delegation, Alice authNs to server
Bob, which then impersonates Alice to SQL Server.  Bob is then the
authenticator to the destination, SQL Server - not Alice, which causes a bit
of a problem - Trust.  Can you trust Server Bob, or the administrator, or who
else might have control of server Bob?  Maybe not.  Auditing, too, becomes a
problem.

Model two involves, again, Alice authNs to Server Bob, Server Bob authNs to
the SQL server as Alice.  Server Bob, in and of itself, has no permissions to
the SQL server and we see that the audit logs show access by Alice - not
Bob.  Big mitigation in relation to authN.  Alice is allowed, not Server
Bob.  Server Bob is still allowed to do some role based authN and authZ.

Now, let's add the constrained delegation.  Pretty much the same thing as
model two - except we are allowed to limit the scope of servers, services,
ports, etc. that the delegated request is able to talk to.

There is no completely safe solution when we involve impersonation.
However, Security is Risk Management.  Without having a complete, holistic
view of the entire solution and environment, I can't really tell you what
your risk will be.  What I can say is that if Plain Text is 100% Risk, and
Act As Operating System is 30%, this is 10%.

As to the AD perspective - not much at all that I'm aware of.  As to the
desirability, I'd prefer this method over any of the others that have been
presented of late - short of two-factor.

If you haven't seen this:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx


Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

We have a developer who wants us to allow delegation for a couple of SQL
servers and their service accounts so he can do distributed queries
across linked servers. This is new ground for us from an AD perspective
that I have just started researching and I'd like to hear others'
thoughts, policies etc.

We are at 2003 functional level so from what I read, we can allow
constrained delegation which is much better than un-constrained but most
of the comments I come across indicate this isn't something to be taken
lightly, has serious security ramifications, policies should be in place
etc etc..

I can find a reasonable amount of information from the developer's
point-of-view, and I can see how to implement it technically (I think)
but not a whole lot from the AD admin's perspective, especially as it
pertains to the desirability of allowing it and how best to manage it if
it is allowed.

Any info greatly appreciated.

Bob

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Bernard, Aric
Bob,

As Rick and Joe mentioned, as far as allowing a system to do something
on behalf of a user, constrained delegation is a pretty good solution.
Your developer's need, as I understand it, is as follows:

User connects to a front-end application server (i.e. web server) and
authenticates to that server using Kerberos.  The application needs to
be able to contact multiple different SQL servers to perform a
distributed query.  If the application were to do this with a service
account, the response to the query would likely contain all of the
information that the service account had that matched the query - this
might contain more or less information than the user making the request
has access to.  In addition the audit trail on the SQL server should
reflect that the application server made the access to the SQL server as
opposed to the user.

Using constrained delegation, the application server is provided the
capability to act as the user when interacting with the identified SQL
servers (only).  If done properly, the application server will be
delegated in a manner that explicitly identifies the SQL servers' Service
Principal Names (which include port numbers) associated with each SQL
computer's object in the directory.  Therefore the application server CAN
impersonate the user but under the constraint that it may only occur
when communicating with the remote server/service/port as named in the
delegation.

In your case the risk should be relatively low so long as your developer
has a vested interest in the integrity of the data on the SQL servers.
The only abuse of this specific configuration that I can think of off the
top of my head would be the possibility for the developer to execute a
stored procedure on the SQL server with more rights than he or she would
typically have, thereby gaining access to or altering data in the DB that
they would otherwise not have access to.

Now if your developer starts asking for constrained delegation from the
application server to a DC, we should talk some more. :)

Regards,

Aric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

"Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for..."

That's the point of my query, I certainly don't understand all I know
about it and we have never allowed it, at this point I have just begun
to scratch the surface. I was totally uncomfortable when it was first
proposed and threw up the stop sign. I'm getting less comfortable by the
minute as I read more about it. 

I'm reading the Kerberos Protocol Transition and Constrained Delegation
article and the Troubleshooting Kerberos Delegation white paper and like
I said, trying to understand all I know about it ;-(

Everyone's comments so far are immensely appreciated.

Thanks

Bob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, August 09, 2005 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for...

Anytime you allow someone or something to impersonate, err, act on
behalf of another security principal, there is always cause for concern.
Constrained delegation certainly provides some flexibility in achieving
this goal and fulfilling the application's need, but like any Domain
Admin in your forest the developer and the application must be trusted.

I would recommend clear documentation as to the architecture of the
application, how and with what other systems it interoperates, and if
you have the wherewithal (or can bring in someone who does) a code
review to ensure that what is defined is accurate.  

I know this seems a little over-the-top, but we are talking about you
accepting someone else walking around with my ID and saying he told me
it was OK that I access fill in the blank on his behalf.

Regards,

Aric Bernard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

We have a developer who wants us to allow delegation for a couple of SQL
servers and their service accounts so he can do distributed queries
across linked servers. This is new ground for us from an AD perspective
that I have just started researching and I'd like to hear others'
thoughts, policies etc.

We are at 2003 functional level so from what I read, we can allow
constrained delegation which is much better than un-constrained but most
of the comments I come across indicate this isn't something to be taken
lightly, has serious security ramifications, policies should be in place
etc etc..

I can find a reasonable amount of information from

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Rick Kingslan
Correct - we're on the same page.  Simply an example of things that I don't
like that have been used in the past to allow systems to act upon another by
issuing token-based methods.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, August 09, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Rick, I agree with your points on CD, but what are you talking about
here with "Act as part of the operating system"?  That doesn't need to
get enabled anywhere to use constrained delegation.

Generally, that only tends to get added to accounts on Windows 2000 that
need to call the LogonUser API, but it is not needed for that on XP or
2003.

The other reason it is sometimes needed is when a process wants to
directly create a security token for a user with impersonation
privileges via Kerberos S4U (protocol transition).  However, this is not
normally the case unless protocol transition is being done
programmatically.  The automatic version of protocol transition
doesn't need this.

If you were just using that as an example of a bad setting choice to
have to make, then I get it.  I just wanted to make sure there was no
cross up.

Thanks!

Joe K.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Bob,

Make no mistake - I'm really not a fan of allowing "Act as part of the
operating system" or the Impersonation privilege.

That being said - from the work that I have done with other web developers
needing access to SQL or application servers, constrained delegation is the
best method that I have seen available - IF it is done correctly.  As I
suspect you know (and the reason for your asking) it's all about the level
of comfort with the solution.

However, just the very configuration sets up two things that I like very
much.  One - in the old(er) methods of delegation, Alice authNs to server
Bob, which then impersonates Alice to SQL Server.  Bob is then the
authenticator to the destination, SQL Server - not Alice, which causes a bit
of a problem - Trust.  Can you trust Server Bob, or the administrator, or who
else might have control of server Bob?  Maybe not.  Auditing, too, becomes a
problem.

Model two involves, again, Alice authNs to Server Bob, Server Bob authNs to
the SQL server as Alice.  Server Bob, in and of itself, has no permissions to
the SQL server and we see that the audit logs show access by Alice - not
Bob.  Big mitigation in relation to authN.  Alice is allowed, not Server
Bob.  Server Bob is still allowed to do some role based authN and authZ.

Now, let's add the constrained delegation.  Pretty much the same thing as
model two - except we are allowed to limit the scope of servers, services,
ports, etc. that the delegated request is able to talk to.

There is no completely safe solution when we involve impersonation.
However, Security is Risk Management.  Without having a complete, holistic
view of the entire solution and environment, I can't really tell you what
your risk will be.  What I can say is that if Plain Text is 100% Risk, and
Act As Operating System is 30%, this is 10%.

As to the AD perspective - not much at all that I'm aware of.  As to the
desirability, I'd prefer this method over any of the others that have been
presented of late - short of two-factor.

If you haven't seen this:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx


Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

We have a developer who wants us to allow delegation for a couple of SQL
servers and their service accounts so he can do distributed queries
across linked servers. This is new ground for us from an AD perspective
that I have just started researching and I'd like to hear others'
thoughts, policies etc.

We are at 2003 functional level so from what I read, we can allow
constrained delegation which is much better than un-constrained but most
of the comments I come across indicate this isn't something to be taken
lightly, has serious security ramifications, policies should be in place
etc etc..

I can find a reasonable amount of information from the developer's
point-of-view, and I can see how to implement it technically (I think)
but not a whole lot from the AD admin's perspective, especially as it
pertains to the desirability of allowing it and how best to manage it if
it is allowed.

Any info greatly appreciated.

Bob


RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Free, Bob
Aric-

(Also trying to answer Joe K's questions)

The developer owns all 3 of the SQL servers involved so he definitely
has a vested interest in the integrity of the data on the SQL servers.
SQL server runs under a domain service account only used on them. They
just wanted me to create the SPNs for the domain account the service
runs under and tick "Account is trusted for delegation" on the service
account and "Computer is trusted for delegation" on the SQL servers'
machine accounts.

Seemed to me the proper way would be to utilize "Trust this computer
for delegation to specified services only" to set up the middle tier
service account to be only able to talk to the back end SQL servers'
services and configure the account to use constrained delegation without
protocol transition by selecting "Use Kerberos Only". It also seemed
like only the middle tier needed to have the machine account trusted for
delegation and, finally, that it would be better to run the backend
server under a separate service account with its own SPNs. Am I close?

Joe- Your point about limiting the accounts by marking "sensitive and
cannot be delegated" is well taken. As soon as I started looking at
this can of worms, that occurred to me immediately.

Thanks again

Bob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, August 09, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Bob,

As Rick and Joe mentioned, as far as allowing a system to do something
on behalf of a user, constrained delegation is a pretty good solution.
Your developer's need, as I understand it, is as follows:

User connects to a front-end application server (i.e. web server) and
authenticates to that server using Kerberos.  The application needs to
be able to contact multiple different SQL servers to perform a
distributed query.  If the application were to do this with a service
account, the response to the query would likely contain all of the
information that the service account had that matched the query - this
might contain more or less information than the user making the request
has access to.  In addition the audit trail on the SQL server should
reflect that the application server made the access to the SQL server as
opposed to the user.

Using constrained delegation, the application server is provided the
capability to act as the user when interacting with the identified SQL
servers (only).  If done properly, the application server will be
delegated in a manner that explicitly identifies the SQL servers' Service
Principal Names (which include port numbers) associated with each SQL
computer's object in the directory.  Therefore the application server CAN
impersonate the user but under the constraint that it may only occur
when communicating with the remote server/service/port as named in the
delegation.

In your case the risk should be relatively low so long as your developer
has a vested interest in the integrity of the data on the SQL servers.
The only abuse of this specific configuration that I can think of off the
top of my head would be the possibility for the developer to execute a
stored procedure on the SQL server with more rights than he or she would
typically have, thereby gaining access to or altering data in the DB that
they would otherwise not have access to.

Now if your developer starts asking for constrained delegation from the
application server to a DC, we should talk some more. :)

Regards,

Aric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

"Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for..."

That's the point of my query, I certainly don't understand all I know
about it and we have never allowed it, at this point I have just begun
to scratch the surface. I was totally uncomfortable when it was first
proposed and threw up the stop sign. I'm getting less comfortable by the
minute as I read more about it. 

I'm reading the Kerberos Protocol Transition and Constrained Delegation
article and the Troubleshooting Kerberos Delegation white paper and like
I said, trying to understand all I know about it ;-(

Everyone's comments so far are immensely appreciated.

Thanks

Bob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, August 09, 2005 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for...

Anytime you allow someone or something to impersonate, err, act on
behalf of another security principal, there is always cause for concern.
Constrained delegation certainly provides some flexibility in achieving
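Bob's intended configuration above (constrained delegation, "Use Kerberos Only" rather than protocol transition, privileged accounts marked "sensitive and cannot be delegated") and Aric's points that the targets are SPNs with port numbers and should never be a DC can all be checked from the directory attributes behind those checkboxes. The following is an added example, not code from this thread or from Microsoft: the userAccountControl bit values and the msDS-AllowedToDelegateTo attribute are the documented names, while the sample entries, host names and the DC_HOSTS set are constructed assumptions.

```python
"""Audit the Kerberos delegation posture of AD accounts from their attributes.

Added example for this thread (not code from the list or from Microsoft).
It reads the same attributes the "Delegation" tab writes: the documented
userAccountControl bits and msDS-AllowedToDelegateTo.  All entries, host
names and the DC_HOSTS set below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Documented userAccountControl bits.
UF_NORMAL_ACCOUNT = 0x00000200
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_TRUSTED_FOR_DELEGATION = 0x00080000           # "Trust ... for delegation to any service" (unconstrained)
UF_NOT_DELEGATED = 0x00100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # "Use any authentication protocol" (protocol transition)

# Hosts that are domain controllers in this constructed environment (Aric's
# "delegation to a DC" case).  A real audit would derive this from the
# Domain Controllers OU instead of hard-coding it.
DC_HOSTS = {"dc1.corp.example.com"}


@dataclass
class Entry:
    """Subset of an AD account object (constructed, not read from LDAP)."""
    sam: str
    uac: int
    spns: List[str] = field(default_factory=list)        # servicePrincipalName
    allowed_to: List[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo
    privileged: bool = False                             # e.g. Domain Admins member


def delegation_mode(e: Entry) -> str:
    """Map the attribute combination back to the radio buttons on the Delegation tab."""
    if e.uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"                  # "Trust for delegation to any service"
    if e.allowed_to:
        if e.uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-any-protocol"   # protocol transition via S4U2Self
        return "constrained-kerberos-only"      # Bob's "Use Kerberos Only"
    return "none"


def audit(e: Entry) -> Tuple[str, List[str]]:
    """Return the delegation mode and a list of findings for one account."""
    mode = delegation_mode(e)
    findings: List[str] = []
    if mode == "unconstrained":
        findings.append("unconstrained delegation: may impersonate callers to any service")
    if mode == "constrained-any-protocol":
        findings.append("protocol transition enabled: no Kerberos ticket from the user is required")
    if mode.startswith("constrained") and not e.spns:
        findings.append("delegating account has no SPN, so clients cannot obtain a Kerberos ticket to it")
    for target in e.allowed_to:
        service_class, _, rest = target.partition("/")
        host, _, port = rest.partition(":")
        if host.lower() in DC_HOSTS:
            findings.append(f"delegation target {target} is a domain controller service")
        if service_class.lower() == "mssqlsvc" and not port:
            findings.append(f"delegation target {target} names no port or instance")
    if e.privileged and not (e.uac & UF_NOT_DELEGATED):
        findings.append("privileged account is not marked 'sensitive and cannot be delegated'")
    return mode, findings


def audit_all(entries: List[Entry]) -> Dict[str, Tuple[str, List[str]]]:
    """Audit every entry, keyed by sAMAccountName."""
    return {e.sam: audit(e) for e in entries}


# Constructed sample directory: Bob's intended middle-tier account, the
# developer's original "trusted for delegation" request, a protocol-transition
# account pointed at a DC, and an admin not marked sensitive.
SAMPLE = [
    Entry("svc-sqlmid", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
          spns=["MSSQLSvc/mid1.corp.example.com:1433"],
          allowed_to=["MSSQLSvc/sql1.corp.example.com:1433",
                      "MSSQLSvc/sql2.corp.example.com:1433"]),
    Entry("svc-sqlold", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_TRUSTED_FOR_DELEGATION,
          spns=["MSSQLSvc/sql3.corp.example.com:1433"]),
    Entry("svc-web", UF_NORMAL_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
          allowed_to=["ldap/dc1.corp.example.com"]),
    Entry("jdoe-admin", UF_NORMAL_ACCOUNT, privileged=True),
]

if __name__ == "__main__":
    for sam, (mode, findings) in audit_all(SAMPLE).items():
        print(f"{sam}: {mode}")
        for finding in findings:
            print(f"  - {finding}")
```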

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Ken Schaefer
You may want to have Kerberos authentication all the way through, rather than
using Protocol Transition. At least in the IIS world, protocol transition
involves running your worker processes as LocalSystem rather than any other
account, which is yet another security issue you need to manage.

Cheers
Ken

www.adOpenStatic.com/cs/blogs/ken/ 

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Free, Bob
: Sent: Wednesday, 10 August 2005 7:33 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kerberos Delegation
: 
:  "Assuming that you are aware of what constrained delegation is, how it
: operates, and what it should be used for..."
: 
: That's the point of my query, I certainly don't understand all I know
: about it and we have never allowed it, at this point I have just begun
: to scratch the surface. I was totally uncomfortable when it was first
: proposed and threw up the stop sign. I'm getting less comfortable by the
: minute as I read more about it.
: 
: I'm reading the Kerberos Protocol Transition and Constrained Delegation
: article and the Troubleshooting Kerberos Delegation white paper and like
: I said, trying to understand all I know about it ;-(
: 
: Everyone's comments so far are immensely appreciated.
: 
: Thanks
: 
: Bob
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
: Sent: Tuesday, August 09, 2005 1:38 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kerberos Delegation
: 
: Assuming that you are aware of what constrained delegation is, how it
: operates, and what it should be used for...
: 
: Anytime you allow someone or something to impersonate, err, act on
: behalf of another security principal, there is always cause for concern.
: Constrained delegation certainly provides some flexibility in achieving
: this goal and fulfilling the application's need, but like any Domain
: Admin in your forest the developer and the application must be trusted.
: 
: I would recommend clear documentation as to the architecture of the
: application, how and with what other systems it interoperates, and if
: you have the wherewithal (or can bring in someone who does) a code
: review to ensure that what is defined is accurate.
: 
: I know this seems a little over-the-top, but we are talking about you
: accepting someone else walking around with my ID and saying he told me
: it was OK that I access fill in the blank on his behalf.
: 
: Regards,
: 
: Aric Bernard
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
: Sent: Tuesday, August 09, 2005 1:07 PM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] Kerberos Delegation
: 
: We have a developer who wants us to allow delegation for a couple of SQL
: servers and their service accounts so he can do distributed queries
: across linked servers. This is new ground for us from an AD perspective
: that I have just started researching and I'd like to hear others'
: thoughts, policies etc.
: 
: We are at 2003 functional level so from what I read, we can allow
: constrained delegation which is much better than un-constrained but most
: of the comments I come across indicate this isn't something to be taken
: lightly, has serious security ramifications, policies should be in place
: etc etc..
: 
: I can find a reasonable amount of information from the developer's
: point-of-view, and I can see how to implement it technically (I think)
: but not a whole lot from the AD admin's perspective, especially as it
: pertains to the desirability of allowing it and how best to manage it if
: it is allowed.
: 
: Any info greatly appreciated.
: 
: Bob



RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
Agreed here.  If you don't need protocol transition, don't use it.  This
normally only comes up in situations where you have to use Basic auth on
the web tier for an Internet-based scenario or something like that.  If
the web server can use IWA, then you can go Kerberos end to end.

Joe K.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, August 09, 2005 6:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

You may want to have Kerberos authentication all the way through, rather
than using Protocol Transition. At least in the IIS world, protocol
transition involves running your worker processes as LocalSystem rather
than any other account, which is yet another security issue you need to
manage.

Cheers
Ken

www.adOpenStatic.com/cs/blogs/ken/ 

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Free, Bob
: Sent: Wednesday, 10 August 2005 7:33 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kerberos Delegation
: 
:  "Assuming that you are aware of what constrained delegation is, how it
: operates, and what it should be used for..."
: 
: That's the point of my query, I certainly don't understand all I know
: about it and we have never allowed it, at this point I have just begun
: to scratch the surface. I was totally uncomfortable when it was first
: proposed and threw up the stop sign. I'm getting less comfortable by the
: minute as I read more about it.
: 
: I'm reading the Kerberos Protocol Transition and Constrained Delegation
: article and the Troubleshooting Kerberos Delegation white paper and like
: I said, trying to understand all I know about it ;-(
: 
: Everyone's comments so far are immensely appreciated.
: 
: Thanks
: 
: Bob
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
: Sent: Tuesday, August 09, 2005 1:38 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kerberos Delegation
: 
: Assuming that you are aware of what constrained delegation is, how it
: operates, and what it should be used for...
: 
: Anytime you allow someone or something to impersonate, err, act on
: behalf of another security principal, there is always cause for concern.
: Constrained delegation certainly provides some flexibility in achieving
: this goal and fulfilling the application's need, but like any Domain
: Admin in your forest the developer and the application must be trusted.
: 
: I would recommend clear documentation as to the architecture of the
: application, how and with what other systems it interoperates, and if
: you have the wherewithal (or can bring in someone who does) a code
: review to ensure that what is defined is accurate.
: 
: I know this seems a little over-the-top, but we are talking about you
: accepting someone else walking around with my ID and saying he told me
: it was OK that I access fill in the blank on his behalf.
: 
: Regards,
: 
: Aric Bernard
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
: Sent: Tuesday, August 09, 2005 1:07 PM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] Kerberos Delegation
: 
: We have a developer who wants us to allow delegation for a couple of SQL
: servers and their service accounts so he can do distributed queries
: across linked servers. This is new ground for us from an AD perspective
: that I have just started researching and I'd like to hear others'
: thoughts, policies etc.
: 
: We are at 2003 functional level so from what I read, we can allow
: constrained delegation which is much better than un-constrained but most
: of the comments I come across indicate this isn't something to be taken
: lightly, has serious security ramifications, policies should be in place
: etc etc..
: 
: I can find a reasonable amount of information from the developer's
: point-of-view, and I can see how to implement it technically (I think)
: but not a whole lot from the AD admin's perspective, especially as it
: pertains to the desirability of allowing it and how best to manage it if
: it is allowed.
: 
: Any info greatly appreciated.
: 
: Bob



RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
I think you've basically got it.  Constrained is the way to go.  You
might consider implementing unconstrained at first for some testing to
make sure you can get it working with the less complicated scenario, but
you want to end up using constrained delegation in the final version.

I would like to point you to Keith Brown's excellent book, the .NET
Developer's Guide to Windows Security, which he has graciously published
online as well as in print.  He actually explains this stuff quite well
there and has lots of cross references to the other topics.

http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HomePage.html

Check out the topics in part 5.  The book is better because it has all
of the illustrations, but the free content is a nice start.

As Aric pointed out, the delegation scenario is actually better from a
security standpoint here in several ways.  All of the queries that will
be executed at the delegation endpoints will be executed and audited
with the original user's credentials instead of a trusted intermediary
service account.  You can then secure the SQL data directly and use
SQL's built-in mechanisms for security features.  The alternative is to
give access to all of the data to a specific service account and then
make the developer implement their own security layer to restrict
different data to different users.  Rolling your own security is
probably a much higher security risk in the long run.

Joe K.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 6:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Aric-

(Also trying to answer Joe K's questions)

The developer owns all 3 of the SQL servers involved so he definitely
has a vested interest in the integrity of the data on the SQL servers.
SQL server runs under a domain service account only used on them. They
just wanted me to create the SPNs for the domain account the service
runs under and tick "Account is trusted for delegation" on the service
account and "Computer is trusted for delegation" on the SQL servers'
machine accounts.

Seemed to me the proper way would be to utilize "Trust this computer
for delegation to specified services only" to set up the middle tier
service account to be only able to talk to the back end SQL servers'
services and configure the account to use constrained delegation without
protocol transition by selecting "Use Kerberos Only". It also seemed
like only the middle tier needed to have the machine account trusted for
delegation and, finally, that it would be better to run the backend
server under a separate service account with its own SPNs. Am I close?

Joe- Your point about limiting the accounts by marking "sensitive and
cannot be delegated" is well taken. As soon as I started looking at
this can of worms, that occurred to me immediately.

Thanks again

Bob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, August 09, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Bob,

As Rick and Joe mentioned, as far as allowing a system to do something
on behalf of a user, constrained delegation is a pretty good solution.
Your developer's need, as I understand it, is as follows:

User connects to a front-end application server (i.e. web server) and
authenticates to that server using Kerberos.  The application needs to
be able to contact multiple different SQL servers to perform a
distributed query.  If the application were to do this with a service
account, the response to the query would likely contain all of the
information that the service account had that matched the query - this
might contain more or less information than the user making the request
has access to.  In addition the audit trail on the SQL server should
reflect that the application server made the access to the SQL server as
opposed to the user.

Using constrained delegation, the application server is provided the
capability to act as the user when interacting with the identified SQL
servers (only).  If done properly, the application server will be
delegated in a manner that explicitly identifies the SQL servers' Service
Principal Names (which include port numbers) associated with each SQL
computer's object in the directory.  Therefore the application server CAN
impersonate the user but under the constraint that it may only occur
when communicating with the remote server/service/port as named in the
delegation.

In your case the risk should be relatively low so long as your developer
has a vested interest in the integrity of the data on the SQL servers.
The only abuse of this specific configuration that I can think of off the
top of my head would be the possibility for the developer to execute a
stored procedure on the SQL server with more rights than he or she would
typically have, thereby gaining access to or altering data in the DB

RE: [ActiveDir] Kerberos Delegation

2004-06-12 Thread Carlos Magalhaes



Yeah Sure, since i have been dealing with Kerberos 
Delegation issues for the past week non stop here is a good 
link.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx

And oh yeah --- GOOD LUCK :P

ADSI or System.DirectoryServices programming? - http://groups.yahoo.com/group/adsianddirectoryServices 

Carlos Magalhaes - Directory Services Programming 
MVP


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isham, Alan A
Sent: Friday, June 11, 2004 7:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Kerberos Delegation

Can anyone share an end-to-end 
business process or a listing of security controls used to manage Kerberos 
Delegation in Windows 2000 Advanced Server or Windows Server 
2003?

Thanks,
- 
Alan


[ActiveDir] Kerberos Delegation

2004-06-11 Thread Isham, Alan A



Can anyone share an end-to-end 
business process or a listing of security controls used to manage Kerberos 
Delegation in Windows 2000 Advanced Server or Windows Server 
2003?

Thanks,
- 
Alan