Clarity, Technology, and Solving Problems | PracticeThis.com
If these articles:
are your friends then do not waste your time on this post, please.
I still have the same scenario - the user sits at her machine A and accesses a simple ASPX page on box B, which accesses a file on a share on box C.
In previous posts:
This time I really want to access the file on the share (box C) under the end user's account, i.e. flow the end user's identity across 2 hops - from the end user's machine A to web server B and then to the file share on box C.
That is Delegation.
To enable delegation, the following needs to be in place:
1. Everything that was needed for impersonation (configure IIS and web.config for Windows authentication).
2. Mess a bit with Active Directory using the Active Directory Users and Computers MMC:
iisreset can help sometimes :)
kerbtray (Win2k, Win2k3) can help too, to purge Kerberos tickets instead of logging off and on.
The AuthDiag tool is also handy for diagnosing Kerberos issues, for example to make sure that my app pool account has an SPN defined in AD.
After accessing the page again here is what I have (meaning impersonation works fine):
And the file on the share (box C) is accessed under the end user's identity - DEMO\Administrator:
I think it is cool.
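To see the difference between impersonation and delegation from box B itself, here is a small diagnostic page, added as an example and not the code used in this post. It assumes an .aspx page that inherits from this class, a web.config with Windows authentication and impersonation turned on, and a hypothetical UNC path `\\boxC\share\test.txt` standing in for the file on box C.

```csharp
// Added example: code-behind for a diagnostic ASPX page on box B.
// Assumes web.config contains <authentication mode="Windows" /> and
// <identity impersonate="true" />, and anonymous access is disabled in IIS.
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

public class DelegationCheck : Page
{
    // Hypothetical UNC path to the file on box C; replace with your own share.
    private const string SharePath = @"\\boxC\share\test.txt";

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // With impersonation on, the request thread runs as the end user.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        Response.Write("Thread identity:     " + id.Name + "\n");
        Response.Write("Authentication type: " + id.AuthenticationType + "\n");

        // An Impersonation-level token is only good for resources on box B.
        // The second hop to box C needs a Delegation-level token.
        Response.Write("Token level:         " + id.ImpersonationLevel + "\n");
        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            Response.Write("Token is not delegable; expect the share access to fail.\n");
        }

        try
        {
            // The read happens under the impersonated identity, so box C
            // checks the end user's permissions, not the app pool account's.
            long length = new FileInfo(SharePath).Length;
            Response.Write("Share access OK, file size: " + length + " bytes\n");
        }
        catch (UnauthorizedAccessException ex)
        {
            Response.Write("Access denied on box C: " + ex.Message + "\n");
        }
        catch (IOException ex)
        {
            Response.Write("I/O error reaching box C: " + ex.Message + "\n");
        }
    }
}
```

When only impersonation is configured, the page still shows the end user's name but the token level stays below Delegation and the share access fails, which is the symptom the Active Directory changes in step 2 are meant to fix.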
How to analyze who accesses my files - see:
The next post is even cooler - I will walk through Protocol Transition, which is very similar to Delegation, but the end user's security context is created out of thin air without authentication against Active Directory.
Huh? Sounds absurd? It did to me when I first discovered it...