Agreed here. If you don't need protocol transition, don't use it. This normally only comes up in situations where you have to use Basic auth on the web tier for an Internet-based scenario or something like that. If the web server can use IWA, then you can go Kerberos end to end.

Joe K.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, August 09, 2005 6:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

You may want to have Kerberos authentication all the way through, rather than using Protocol Transition. At least in the IIS world, protocol transition involves running your worker processes as LocalSystem rather than any other account, which is yet another security issue you need to manage.

Cheers
Ken
www.adOpenStatic.com/cs/blogs/ken/

: -----Original Message-----
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Free, Bob
: Sent: Wednesday, 10 August 2005 7:33 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kerberos Delegation
:
: >Assuming that you are aware of what constrained delegation is, how it
: operates, and what it should be used for...
:
: That's the point of my query; I certainly don't understand all I know
: about it and we have never allowed it. At this point I have just begun
: to scratch the surface. I was totally uncomfortable when it was first
: proposed and threw up the stop sign. I'm getting less comfortable by the
: minute as I read more about it.
:
: I'm reading the Kerberos Protocol Transition and Constrained Delegation
: article and the Troubleshooting Kerberos Delegation white paper and, like
: I said, trying to understand all I know about it ;-(
:
: Everyone's comments so far are immensely appreciated.
:
: Thanks
:
: Bob
:
: -----Original Message-----
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
: Sent: Tuesday, August 09, 2005 1:38 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kerberos Delegation
:
: Assuming that you are aware of what constrained delegation is, how it
: operates, and what it should be used for...
:
: Anytime you allow someone or something to impersonate, err, act on
: behalf of another security principal, there is always cause for concern.
: Constrained delegation certainly provides some flexibility in achieving
: this goal and fulfilling the application's need, but like any Domain
: Admin in your forest, the developer and the application must be trusted.
:
: I would recommend clear documentation as to the architecture of the
: application, how and with what other systems it interoperates, and, if
: you have the wherewithal (or can bring in someone who does), a code
: review to ensure that what is defined is accurate.
:
: I know this seems a little over-the-top, but we are talking about you
: accepting someone else walking around with my ID and saying "he told me
: it was OK that I access <fill in the blank> on his behalf."
:
: Regards,
:
: Aric Bernard
:
: -----Original Message-----
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
: Sent: Tuesday, August 09, 2005 1:07 PM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] Kerberos Delegation
:
: We have a developer who wants us to allow delegation for a couple of SQL
: servers and their service accounts so he can do distributed queries
: across linked servers. This is new ground for us from an AD perspective
: that I have just started researching, and I'd like to hear others'
: thoughts, policies, etc.
:
: We are at 2003 functional level, so from what I read we can allow
: constrained delegation, which is much better than unconstrained, but most
: of the comments I come across indicate this isn't something to be taken
: lightly, has serious security ramifications, policies should be in place,
: etc., etc.
:
: I can find a reasonable amount of information from the developer's
: point of view, and I can see how to implement it technically (I think),
: but not a whole lot from the AD admin's perspective, especially as it
: pertains to the desirability of allowing it and how best to manage it if
: it is allowed.
:
: Any info greatly appreciated.
:
: Bob

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
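Bob's question of how an AD admin should manage delegation once it is allowed, and Ken's and Joe's point that protocol transition is the setting to avoid, both come down to knowing which accounts in the directory carry which delegation rights. The following audit script is an added example written for this archive; it is not code from any participant in the thread. It assumes the RSAT ActiveDirectory PowerShell module (which post-dates this 2005 discussion) and a Windows Server 2003 or later functional level, where the msDS-AllowedToDelegateTo attribute exists. It lists every account configured for unconstrained delegation, constrained delegation, or protocol transition, and then checks that members of Domain Admins carry the "Account is sensitive and cannot be delegated" flag so that no delegating service can ever obtain a ticket on their behalf.

```powershell
# Added audit example, not from the thread. Assumes the RSAT ActiveDirectory
# module and a 2003+ functional level (msDS-AllowedToDelegateTo present).
Import-Module ActiveDirectory

# Documented userAccountControl bits that govern delegation.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: may delegate to any service
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; the filter
# matches any object with either delegation bit set or a constrained target list.
$filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" +
          "(msDS-AllowedToDelegateTo=*))"

$objects = Get-ADObject -LDAPFilter $filter `
    -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName, sAMAccountName

# One row per delegating account (user, computer, or service account).
$report = foreach ($o in $objects) {
    $uac     = [int]$o.userAccountControl
    $targets = @($o.'msDS-AllowedToDelegateTo')
    [pscustomobject]@{
        Account             = $o.sAMAccountName
        Class               = $o.ObjectClass
        Unconstrained       = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        Constrained         = ($targets.Count -gt 0)
        ProtocolTransition  = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        AllowedToDelegateTo = ($targets -join '; ')
    }
}

# Unconstrained and protocol-transition entries float to the top: those are the
# ones that need a documented justification (or removal), per the thread.
$report | Sort-Object Unconstrained, ProtocolTransition -Descending | Format-Table -AutoSize

# Privileged accounts should be marked sensitive so they are never delegable,
# whatever a service account is allowed to do. Report any that are not.
$admins = Get-ADGroupMember 'Domain Admins' -Recursive |
          Where-Object objectClass -eq 'user' |
          Get-ADUser -Properties userAccountControl

$admins | Where-Object { -not ($_.userAccountControl -band $NOT_DELEGATED) } |
    Select-Object @{ Name = 'AdminNotMarkedSensitive'; Expression = { $_.SamAccountName } } |
    Format-Table -AutoSize
```

Run this periodically (or diff its output against a saved baseline) so that a new delegation grant, such as one added for the SQL linked-server scenario in the original question, shows up as a change that someone has to explain, and so that any account with protocol transition enabled is visible rather than quietly accumulating alongside the constrained ones.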