The Double-Hop Problem

re: The Double-Hop Problem

Sushubh — Thu, 01 Feb 2007 08:24:07 GMT

dude! the tags are all messed up... u mixed up between spaces and commas.

re: The Double-Hop Problem

Raj — Thu, 01 Feb 2007 23:31:38 GMT

..and the thing to keep in mind with Kerberos is that the machine your browser is running on has to obviously be in the same domain as the server otherwise Kerberos will fail and NTLM takes over.

re: The Double-Hop Problem

Arunjeet Singh — Fri, 02 Feb 2007 09:07:31 GMT

Agreed. In fact, having multiple domains can lead to a whole host of headaches. In my next article, I intend to discuss just such a situation where I had to implement a security framework in a multiple domain set up. To compound problems, the solution also had to have the capability to downgrade smoothly if some of the domains were NT-based (which is to say uing AD wouldn't be an option at least some of the time).

re: The Double-Hop Problem

Ed — Mon, 26 Mar 2007 21:13:57 GMT

You say "Apparently, you can get around the problem and use proper delegation if you set up your network to use Kerberos and set up the web server in question as trusted for delegation.", but I can't seem to find the option to set the webserver to be trusted for delegation. I have Windows Form app that calls a web service that forwards the request to a .NET remoting server. If I debug the remoting server, the credentials passed are of "NT AUTHORITY\\ANONYMOUS LOGON". If I move the web service to the same machine as the remoting server it works, if I move the web service to the same machine as the Windows Form app it works. So it seems to have all the symptoms of the "double hop" issue. Also, the Authentication type prior to getting to the remote server is Kerberos.

Any help would be appreciated.

re: The Double-Hop Problem

Sanket Bakshi — Tue, 07 Aug 2007 19:36:48 GMT

Hi Ed,

Is your webservice running under Anonymous access?

The client credentials will not be propogeated over to the next level if the webservice is running anonymous.

re: The Double-Hop Problem

T202 — Mon, 17 Mar 2008 17:07:12 GMT

I had exactly the same problem, this fixed it:

SPSecurity.RunWithElevatedPrivileges(delegate()

{

listService.AllowAutoRedirect = false;

listService.PreAuthenticate = true;

listService.Credentials = (NetworkCredential)System.Net.CredentialCache.DefaultNetworkCredentials;

}

re: The Double-Hop Problem

Brian — Thu, 14 Aug 2008 20:20:22 GMT

Do you mind explaining the post. Where exactly did you insert this code?

re: The Double-Hop Problem

Jaco — Mon, 18 Aug 2008 18:19:46 GMT

Hi Ed. I have not tested this, but to set the webserver to be trusted for delegation, you have to go into the active directory settings of your ActiveDir/DNS server

See the link below -

http://www.ehow.com/how_2002207_configure-iis-be-trusted-delegation.html

re: The Double-Hop Problem

Scott — Tue, 09 Dec 2008 02:54:53 GMT

I am trying to connect to a password protected Sharepoint list service on Sharepoint server through a web app.

I tried

>>>

listService.AllowAutoRedirect = false;

listService.PreAuthenticate = true;

listService.Credentials = (NetworkCredential)System.Net.CredentialCache.DefaultNetworkCredentials;

>>>

but without luck.

Do I...

->Need the website to require Windows Authentication?

- If I do this and removes anonymous authentication, it appears I need a password to open the site.

->Need Impersonation in the web.config file. I do not have an account to impersonate though.

It works fine on my local box in dev or, if I set up the Net credentials with my domain,user, and password, I can run it through our website. Obviously, I can not leave my user/password hard-coded in there.

I must be missing something.

Thanks!

SharePoint + Kerberos

Confluence: SharePoint Administration Wiki — Sun, 10 May 2009 05:22:01 GMT

I'm not sure why but Kerberos has the ability to send shivers down SharePoint Consultants spines....