RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Roger Seielstad
with you guys in Redmond next week :-) C From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: 20 September 2005 10:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Hi Carlos As I said, I'm just starting to look at Kerberos

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Roger Seielstad
:[EMAIL PROTECTED] On Behalf Of Ken Schaefer Sent: 21 September 2005 03:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Odd. If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request a page, what WWW-Authenticate headers are coming back

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Ken Schaefer
Could I ask why he'd need to do that? Cheers Ken From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Thursday, 22 September 2005 4:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation So have you granted

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Carlos Magalhaes
Hmmm, explain a little more where you would grant this access. Thanks Carlos From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: 22 September 2005 08:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Roger Seielstad
. Roger Seielstad E-mail Geek From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer Sent: Wednesday, September 21, 2005 11:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Could I ask why he'd need to do that? Cheers Ken From: [EMAIL

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Roger Seielstad
] Kerberos Delegation Hmmm, explain a little more where you would grant this access. Thanks Carlos From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: 22 September 2005 08:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Brian Desmond
. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Thursday, September 22, 2005 9:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation By default, the IIS

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Carlos Magalhaes
of Brian Desmond Sent: Thu 9/22/2005 4:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Sharepoint will unless you ignore the recommendations in the setup wizard run under a service account you create for it. You can however ignore the recommendations to make

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Carlos Magalhaes
From: [EMAIL PROTECTED] on behalf of Roger Seielstad Sent: Thu 9/22/2005 3:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation By default, the IIS app pool and (I believe) sharepoint both run under Network Service. Therefore, when Sharepoint makes

RE: [ActiveDir] Kerberos Delegation

2005-09-22 Thread Ken Schaefer
Seielstad Sent: Thursday, 22 September 2005 11:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation By default, the IIS app pool and (I believe) sharepoint both run under Network Service. Therefore, when Sharepoint makes the request outbound, it will be making

RE: [ActiveDir] Kerberos Delegation

2005-09-21 Thread Ken Schaefer
Of Carlos Magalhaes Sent: Wednesday, 21 September 2005 10:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Yeah I'm not sure about that either at the moment IIS is REALLY ACTING WEIRD, KEN where are you :P - . I had the Share Point website in the IIS MMC

RE: [ActiveDir] Kerberos Delegation

2005-09-21 Thread Carlos Magalhaes
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer Sent: 21 September 2005 03:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Odd. If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request a page, what WWW-Authenticate headers

RE: [ActiveDir] Kerberos Delegation

2005-09-20 Thread Carlos Magalhaes
Of Tony Murray Sent: 20 September 2005 01:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Hi Carlos I'm just starting to look at Kerberos delegation for something myself, but wouldn't you also need an SPN for the web service on the ISA Server? And then specify

RE: [ActiveDir] Kerberos Delegation

2005-09-20 Thread Tony Murray
SharePoint server itself I don't know. Cheers Tony PS. See you next week :-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes Sent: Wednesday, 21 September 2005 1:38 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Hey Tony,

RE: [ActiveDir] Kerberos Delegation

2005-09-19 Thread Tony Murray
Hi Carlos I'm just starting to look at Kerberos delegation for something myself, but wouldn't you also need an SPN for the web service on the ISA Server? And then specify that service in the delegation tab on the user object? Cheers Tony From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Kerberos Delegation

2005-09-19 Thread frank . carroll
Carlos, If I understand the situation correctly you are going client - Sharepoint IIS server - ISA server. It sounds like you need to pass the client's kerberos credentials all the way to the ISA box. If that is correct, here is what I would try... Client Browser: IE6SP1 will not negotiate

RE: [ActiveDir] Kerberos Delegation

2005-09-19 Thread Ken Schaefer
September 2005 12:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Carlos, If I understand the situation correctly you are going client - Sharepoint IIS server - ISA server. It sounds like you need to pass the client's kerberos credentials all the way

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Bernard, Aric
Assuming that you are aware of what constrained delegation is, how it operates, and what it should be used for... Anytime you allow someone or something to impersonate, err, act on behalf of another security principal, there is always cause for concern. Constrained delegation certainly provides

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Rick Kingslan
Bob, Make no mistake - I'm really not a fan of allowing Act as part of the operating system or the Impersonation privilege. That being said - from the work that I have done with other web developers needing access to SQL or application servers, constrained delegation is the best method that I

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
Do you have details on the accounts that will be delegated? With constrained delegation, it is pretty straightforward to limit which accounts can delegate to which other services, but you might want to be very careful about limiting who gets delegated. One really good idea is marking all the

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Free, Bob
: [ActiveDir] Kerberos Delegation Assuming that you are aware of what constrained delegation is, how it operates, and what it should be used for... Anytime you allow someone or something to impersonate, err, act on behalf of another security principal, there is always cause for concern. Constrained

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Tuesday, August 09, 2005 4:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Bob, Make no mistake - I'm really not a fan of allowing Act as part of the operating system or the Impersonation

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Bernard, Aric
:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Tuesday, August 09, 2005 2:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Assuming that you are aware of what constrained delegation is, how it operates, and what it should be used for... That's the point of my query

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Rick Kingslan
] Sent: Tuesday, August 09, 2005 4:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Rick, I agree with your points on CD, but what are you talking about here with Act as part of the operating system? That doesn't need to get enabled anywhere to use constrained

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Free, Bob
at this can of worms, that occurred to me immediately. Thanks again Bob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric Sent: Tuesday, August 09, 2005 3:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Bob

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Ken Schaefer
. Cheers Ken www.adOpenStatic.com/cs/blogs/ken/ : -Original Message- : From: [EMAIL PROTECTED] [mailto:ActiveDir- : [EMAIL PROTECTED] On Behalf Of Free, Bob : Sent: Wednesday, 10 August 2005 7:33 AM : To: ActiveDir@mail.activedir.org : Subject: RE: [ActiveDir] Kerberos Delegation : : Assuming

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer Sent: Tuesday, August 09, 2005 6:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation You may want to have Kerberos authentication all the way through, rather than using

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Tuesday, August 09, 2005 6:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Aric- (Also trying to answer Joe K's questions) The developer owns all 3 of the SQL servers involved so he definitely has a vested

RE: [ActiveDir] Kerberos Delegation

2004-06-12 Thread Carlos Magalhaes
Yeah Sure, since I have been dealing with Kerberos Delegation issues for the past week non stop here is a good link. http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx And oh yeah --- GOOD LUCK :P ADSI or System.DirectoryServices programming? -