The simplest case
on 21.03.2007 18:36:03 by guruperplexe
Hello everybody,
I spent some time reading this forum and Technet resources, still I can't
find the answer to my VERY basic question:
I have a W2K domain, with an IIS6 intranet server. The asp code of the
intranet site has to access files located on a W2K3 server, same domain. The
user gets an "access denied" (works fine if the same files are located on the
IIS server).
It seems I tried everything: using virtual directories, using Basic
authentication (I don't want it because it asks for credentials), changing
DefaultAppPool parameters ...
I am getting nervous. Is this not a REALLY basic problem?!
Re: The simplest case
on 21.03.2007 22:04:32 by David Wang
Yes, while this problem appears basic, it is really Cross-Machine
Delegation, which is a very advanced security implication.
You will find that if you use Basic authentication or coordinate
Anonymous user logins that it works, but it fails if you use
Integrated Authentication.
The protocols which work by default are all insecure with regard to
delegation, which is a non-obvious security concept.
We can certainly go into more details as to why it fails with
Integrated Authentication by default and how to make it work, but
suffice to say, it is well documented. One easy way to explain the
concept is:
Suppose you go to an auto shop to get your car serviced. Instead of
asking you to sign for repair authorization, they asked for your SSN.
What do you do?
The insecure authentication protocols will simply hand over the SSN.
The secure authentication protocols say "no, I won't give you the SSN
unless you go through validation that you safeguard and absolutely
require my SSN".
Now, with a W2K domain, the only way to make Integrated Authentication
work is to use Kerberos. With a WS03 domain, you have many more options.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Mar 21, 10:36 am, guruperplexe wrote:
> Hello everybody,
> I spent some time reading this forum and Technet resources, still I can't
> find the answer to my VERY basic question:
> I have a W2K domain, with an IIS6 intranet server. The asp code of the
> intranet site has to access files located on a W2K3 server, same domain. The
> user gets an "access denied" (works fine if the same files are located on the
> IIS server).
> It seems I tried everything: using virtual directories, using Basic
> authentication (I don't want it because it asks for credentials), changing
> DefaultAppPool parameters ...
> I am getting nervous. Is this not a REALLY basic problem?!
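The double-hop rules discussed in the reply above, as an added example that is not part of the original thread: it models when IIS can reach the file server as the user, from the delegation flags on the accounts. The function names and the sample SPN are hypothetical; the flag values are the documented userAccountControl bits, and the constrained modes assume a WS03 domain.

```python
# Added example (not from the thread): model of the IIS -> file server second hop.
# Documented userAccountControl bits in Active Directory:
TRUSTED_FOR_DELEGATION = 0x80000            # "Trust this computer for delegation"
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (WS03 domains)


def delegation_mode(uac, allowed=()):
    """Classify the front-end (IIS) account from its AD attributes.

    `allowed` stands for the msDS-AllowedToDelegateTo SPN list.
    """
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"            # the only mode a W2K domain offers
    if allowed:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-any-protocol"
        return "constrained-kerberos-only"
    return "none"


def second_hop(auth, server_uac, user_uac, target_spn, allowed=()):
    """Return (works, reason) for IIS accessing target_spn on the user's behalf."""
    if auth in ("basic", "anonymous"):
        # IIS performs the logon itself with a password it holds, so the
        # resulting token can authenticate to another machine. For anonymous,
        # the access is made as the anonymous account, not as the visitor.
        return True, "server logged the account on itself"
    if user_uac & NOT_DELEGATED:
        return False, "user account is marked sensitive"
    mode = delegation_mode(server_uac, allowed)
    if mode == "none":
        return False, "server account is not trusted for delegation"
    if mode == "unconstrained":
        ok = auth == "kerberos"
        return ok, "forwarded TGT" if ok else "NTLM token carries no credentials"
    if target_spn.lower() not in {s.lower() for s in allowed}:
        return False, "target SPN not in msDS-AllowedToDelegateTo"
    if mode == "constrained-kerberos-only" and auth != "kerberos":
        return False, "protocol transition not enabled"
    return True, mode


if __name__ == "__main__":
    spn = "cifs/files.example.test"       # constructed sample SPN
    for auth in ("basic", "ntlm", "kerberos"):
        # 0x1000 = default computer account, 0x200 = normal user account
        print(auth, second_hop(auth, 0x1000, 0x200, spn))
```

The default case, a computer account with no delegation flags, reproduces the "access denied" in the question for both NTLM and Kerberos, while Basic succeeds.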