Authentication and Authorization

This blog is about authentication and authorization, in particular Kerberos on IIS 7.0 and later.

  • Authentication and Authorization

    Kernel-mode authentication

    First a short explanation of how the Kerberos ticket is encrypted: The client application (e.g. a web browser) requests a Kerberos ticket from the Domain Controller (KDC). As part of the communication with the DC, the client is sending the...
  • Authentication and Authorization

    What is a SPN and why should you care?

    I remember the first time I saw the acronym SPN when I was introduced to WCF some years ago. After reading the article in MSDN I didn't feel better. What is a ServicePrincipalName? The way I usually think now (and I apologize for you that don't...
  • Authentication and Authorization

    Kerberos Delegation

    Kerberos Delegation is a feature that allows an application to reuse the end-user credentials to access resources hosted on a different server. You should only allow that if you really trust the application server, otherwise the application may use your...
  • Authentication and Authorization

    System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGIN'

    Depending on how you installed SQL Server you may receive an SqlException -2146232060 when you are connecting to SQL Server from the web server using the credentials of the end user. One probable reason could be an error in the SPN registration....
  • Authentication and Authorization

    How to name a SPN

    As previously stated, a SPN is a kind of alias for a domain account. You can have many SPNs for a single domain account, but the SPN must be unique in the forest. The name consists of two mandatory parts (service class and host) and two optional parts...
  • Authentication and Authorization

    WindowsImpersonationContext

    Connecting to a database on a remote SQL Server with the end-user credentials requires that you are impersonating the user in code. Start by ensuring that your web.config does not include impersonation: < system.web > < authentication mode...
  • Authentication and Authorization

    Impersonation

    The next hurdle to solve is to connect to the database with the correct user. Without doing anything, your connection will be made by the application pool account - in the described scenario that would be the mydomain\hrwebact account. That was...
  • Authentication and Authorization

    How to name a SPN (part 2)

    As you learned last time, the full syntax of SPN name is: service class/host [: port [/ service name ]] Today I will be talking about port. Port number is an optional qualifier that you can use to ensure that the SPN is unique in the forest. ...
  • Authentication and Authorization

    Introduction

    Hi everyone. Finally got around to setting up my blog. For those who don't know me - I'm Per Nygaard, an Architect in Microsoft Services, Denmark. I joined Microsoft in 1999 as a consultant, and I have assisted many customers with both platform related...