Hi Ken

Based on your mail you seem to have the following setup:

F1 --------------------------------------------------> F2
|                                                      |
M1 ---> ISA ---> IIS ---> AppServer
UserA


UserA logs on to M1 and hits the IIS Server which needs to access AppServer with a proper token for UserA

In this scenario - constrained delegation will work ok.

Perhaps Joe was thinking of the docs which state you have to have the IIS Server and the AppServer in the same forest and domain?

steve
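An added example, not from this thread or from anyone on it: a small Python audit that classifies accounts by the delegation attributes being discussed (unconstrained, constrained Kerberos-only, constrained "any protocol" i.e. S4U2self enabled) and flags constrained targets whose host sits in a different domain from the delegating account. The records, account names and DNS domains are constructed; it assumes you have already exported userAccountControl and msDS-AllowedToDelegateTo from LDAP.

```python
"""Classify AD accounts by Kerberos delegation type (added audit example).

Two attributes of the delegating account express what the thread discusses:
  userAccountControl 0x80000   TRUSTED_FOR_DELEGATION: unconstrained
  userAccountControl 0x1000000 TRUSTED_TO_AUTH_FOR_DELEGATION: "any protocol"
  msDS-AllowedToDelegateTo: target SPNs, present only for constrained delegation
"""
TRUSTED_FOR_DELEGATION = 0x80000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

def classify(uac, allowed_to):
    """Return the delegation type of one account from its raw attributes."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"                  # any service, any user
    if allowed_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-any-protocol"   # S4U2self + S4U2proxy
        return "constrained-kerberos-only"      # needs the user's own ticket
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "protocol-transition-without-targets"  # flag set, no SPNs
    return "none"

def spn_host_domain(spn):
    """DNS domain of an SPN's host part; '' for short names like HTTP/web01."""
    host = spn.split("/", 1)[-1].split(":")[0]
    return host.partition(".")[2].lower()

def audit(records):
    """(account, delegation type, target domains other than the account's)."""
    out = []
    for r in records:
        targets = r.get("msDS-AllowedToDelegateTo", [])
        foreign = sorted({d for spn in targets
                          if (d := spn_host_domain(spn)) and d != r["domain"].lower()})
        out.append((r["sAMAccountName"], classify(r["userAccountControl"], targets), foreign))
    return out

# Constructed sample records, mirroring the thread's resource forest (DomainB).
SAMPLE_RECORDS = [
    {"sAMAccountName": "ISA01$", "domain": "domainb.example",
     "userAccountControl": 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["HTTP/web01.domainb.example", "HTTP/web01"]},
    {"sAMAccountName": "svc-web", "domain": "domainb.example",
     "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["HOST/app01.domaina.example:443"]},
    {"sAMAccountName": "LEGACY01$", "domain": "domainb.example",
     "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "ken", "domain": "domaina.example", "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for name, kind, foreign in audit(SAMPLE_RECORDS):
        print(f"{name:10} {kind:36} cross-domain targets: {foreign or '-'}")
```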



----- Original Message ----- From: "Ken Schaefer" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Tuesday, December 19, 2006 4:58 PM
Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation


Hi Joe,

Thanks for your comments. Certainly using Basic is easier, and this is mostly
what they are doing at the moment. I say mostly because I wasn't entirely
upfront about the "web server" component in my original diagram. That is
actually several dozen different web applications - some of which do not have
an option to use Basic (either technical limitation -or- a security
standard). The aim of the project is to (a) see if transparent logons can be
made available to users (i.e. via IWA challenges) and (b) see if SSO can be
enabled (so users do not need to authenticate to different applications
behind the proxy) and (c) get away from Basic Auth. So I'm going to have to
keep looking at Kerberos related solutions :-)

Cheers
Ken

--
My Blog: www.adOpenStatic.com/cs/blogs/ken


: -----Original Message-----
: From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Joe Kaplan
: Sent: Wednesday, 20 December 2006 10:41 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
:
: My understanding is that you can get the actual protocol transition
: logon to work, but you cannot use delegation (which is what you really
: need) because PT is tied to constrained delegation and it only works in
: a single domain, not even in multiple domains in a forest. Your
: understanding is basically correct.
:
: This is a documented limitation and not something I've played with
: personally, so I'm not sure if there is more to it than that.
:
: I honestly don't know if this can be made to work with unconstrained
: delegation/kerb auth in IIS, as I've never tried that either.  However,
: giving out unconstrained delegation privileges is a bit icky.
:
: This may be one of those situations where it is easier to just pass the
: plaintext credentials around between the tiers using basic auth/SSL and
: such.
:
: Joe
:
: ----- Original Message -----
: From: Ken Schaefer
: To: ActiveDir@mail.activedir.org
: Sent: Tuesday, December 19, 2006 5:29 PM
: Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation
:
:
: Hi Steve,
:
: Can you elaborate on this? I'm familiar with what S4U2self is for, but
: not sure how to tell whether I would need it or not. Are you saying
: below that protocol transition can be used cross-forest? I thought
: protocol transition was tied to constrained delegation (in a
: user/computer account's properties, on the delegation tab there is an
: option that says "any protocol", but that's only available in the
: section for constrained delegation). If that's the case, then how can
: protocol transition work cross-forest?
:
: Cheers
: Ken
:
: --
: My Blog: www.adOpenStatic.com/cs/blogs/ken
:
: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
: Sent: Wednesday, 20 December 2006 12:37 AM
: To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
: Cc: Ken Schaefer
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
:
: If I understand your scenario correctly ....
:
: In order for S4U2self (protocol transition) to work in this scenario
: you will need a 2-way forest trust.
: If you do not need S4U2self you can get by with the one-way trust.
:
: steve
: -------------- Original message --------------
: From: "Ken Schaefer" <[EMAIL PROTECTED]>
:
: > Hi all,
: >
: > I am looking at a slightly tricky situation, at least for me - I'm
: > sure you guys would find this a "walk in the park" :-)
: >
: > I have a situation where there are two forests (2003 Forest
: > Functional Level). Each contains a single domain. One domain is a
: > resource domain (DomainB), and the other contains the user accounts
: > (DomainA). There is a one-way forest trust, such that the resource
: > forest/domain trusts the user forest (and domain).
: >
: > The situation I have is as follows:
: >
: > Client ---> ISA Server 2006 ---> Web Server ---> App Server
: >
: > The user that is logged on to the client is from DomainA. All the
: > servers belong to DomainB. The user's credentials need to be passed
: > from the web server back to the app server. So I could use Basic
: > Authentication all the way through. Or I can try to use Kerberos &
: > delegation.
: >
: > Now, ISA Server can use protocol transition, so that Client ---> ISA
: > Server can be something other than Kerberos (e.g. forms
: > authentication), however Protocol Transition then requires the use of
: > constrained delegation. Am I right in thinking that constrained
: > delegation is limited to accounts in the same domain? If so, then the
: > fact that the user is in a different domain to the ISA Server will
: > cause this to fail.
: >
: > On the other hand, if I didn't use constrained delegation, just
: > regular delegation (and no protocol transition), does that work across
: > Forests though? I have read conflicting reports on this. I'm having
: > some difficulty getting it working, so either the answer is "no", or
: > my skills aren't up to the task (probably the latter, in combination
: > with the former).
: >
: > Cheers
: > Ken
: >
: > --
: > My Blog: www.adOpenStatic.com/cs/blogs/ken

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/