Using Current Security Context in Query


Post by Israel Derdi » Fri, 11 Apr 2003 05:13:44



I am running a query using the "ADsDSOObject" provider. When I provide the
wrong values for the connection properties "User ID" and "Password" it generates
a "Permission Denied" error. When I provide the correct username and password
I get results back. However, when I do not set those properties, I get no
error but I also get no results.

I am running the query from an ASP page using Windows Authentication only.
How can I force the connection to pick up the security context from the
authenticated user so it will return results?
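
The behaviour described in this post, reproduced from PowerShell as an added example that is not code from the original post: the same kind of ADsDSOObject (ADO) query the ASP page runs, issued first under the caller's current security context and then with explicit "User ID"/"Password", after reporting what kind of token the caller holds. The search base DC=corp,DC=example,DC=com and the account CORP\svc-ldapquery are placeholders.

```powershell
# Added example, not code from the original post. Issues the same kind of
# ADsDSOObject (ADO) query the ASP page runs, first under the caller's current
# security context and then with explicit credentials, after reporting what
# kind of token the caller holds. Placeholders (not from the thread): the search
# base DC=corp,DC=example,DC=com and the account CORP\svc-ldapquery.

function Get-CallerTokenInfo {
    # ImpersonationLevel is None for a primary (process) token, Impersonation
    # for the token an NTLM-authenticated ASP request runs under, and
    # Delegation when Kerberos delegation was granted. Only the last one can be
    # used to authenticate to another machine, such as the DC.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Name               = $id.Name
        AuthenticationType = $id.AuthenticationType
        ImpersonationLevel = $id.ImpersonationLevel
    }
}

function Invoke-AdsiQuery {
    param(
        [string]$SearchBase = 'DC=corp,DC=example,DC=com',                # placeholder
        [string]$Filter     = '(&(objectCategory=person)(objectClass=user))',
        [System.Management.Automation.PSCredential]$Credential            # optional
    )
    $conn = New-Object -ComObject ADODB.Connection
    $conn.Provider = 'ADsDSOObject'
    if ($Credential) {
        # "User ID" and "Password" supplied: the provider logs on with these
        # itself, so the query works even from a secondary (impersonation) token.
        $conn.Open('Active Directory Provider',
                   $Credential.UserName,
                   $Credential.GetNetworkCredential().Password)
    }
    else {
        # No credentials: the provider authenticates with the thread's current
        # token. This is the case that returned no rows and no error.
        $conn.Open('Active Directory Provider')
    }
    $cmd = New-Object -ComObject ADODB.Command
    $cmd.ActiveConnection = $conn
    # ADsDSOObject command syntax: <base>;filter;attributes;scope
    $cmd.CommandText = "<LDAP://$SearchBase>;$Filter;sAMAccountName,distinguishedName;subtree"
    $rs = $cmd.Execute()
    $rows = @()
    while (-not $rs.EOF) {
        $rows += [pscustomobject]@{
            SamAccountName    = $rs.Fields.Item('sAMAccountName').Value
            DistinguishedName = $rs.Fields.Item('distinguishedName').Value
        }
        $rs.MoveNext()
    }
    $rs.Close()
    $conn.Close()
    return $rows
}

# Usage: compare the two cases from the same process.
Get-CallerTokenInfo | Format-List
$byContext = @(Invoke-AdsiQuery)
"Rows using the current context: $($byContext.Count)"
$cred    = Get-Credential 'CORP\svc-ldapquery'      # placeholder account
$byCreds = @(Invoke-AdsiQuery -Credential $cred)
"Rows using explicit credentials: $($byCreds.Count)"
```

Run interactively the first call reports ImpersonationLevel None (a primary token) and both queries return the same rows. Inside the ASP page the thread runs under the browser user's impersonation token, and the no-credentials query is the one that comes back empty. Falling back to fixed "User ID"/"Password" values in the page makes one service account query on behalf of every visitor, so the page itself then has to enforce who may see what, and the password ends up in the page source.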


Post by Max L. Vaughn [MSF » Fri, 11 Apr 2003 22:36:41


Try using basic authentication.  If basic authentication works, you are running into a classic double hop issue.   If you are on all win2k boxes you can try to force
kerberos authentication.

The problem is that you are receiving a secondary security token using Windows authentication ( NTLM ).  You need a primary security token.

Sincerely,
Max Vaughn [MS]
Microsoft Developer Support

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. You assume all risk for your use.


Post by Israel Derdi » Fri, 11 Apr 2003 23:15:06


Thanks Max,

It works using Basic. How do I force Kerberos authentication (all Win2k
boxes)?




Post by Max L. Vaughn [MSF » Tue, 15 Apr 2003 22:07:11


Here is the deal with double-hop (or at least my understanding of it).

If you want to use Kerberos ALL of the machines in the equation need to be Win2k or above. The client needs to have IE enabled to use Windows Integrated
Authentication (Tools>>Options>>Advanced), and the IIS machine needs to be listed in ADU&C on a DC, where it should have the 'Trusted for delegation'
checkbox checked in its properties. IIS needs to have the site set up to use Windows Integrated Authentication for its security.

What happens in this scenario, is the client makes a request to IIS for the ASP. If the ASP needs info from a network resource (i.e. the DC), it will ask the client
for credentials. The client should respond with its network token, the IIS machine will go find a kerberos server, and get a ticket for this user that lasts about 10
minutes. From that point on, the IIS server can request information from a network resource on behalf of that user.

Prior to Kerberos, IIS only had NTLM, Basic Auth, and Anonymous to work with. When you had the site set up for NTLM, the client would make a request to the
IIS machine. The client would have permissions to access anything on the IIS machine, but if it needed to access a network resource, it couldn't, because there
was no way for IIS to create a network token based on an NTLM-authenticated user. To get around this problem, people would use Basic Authentication. This
would prompt the user for credentials. IIS would then take the user's plain-text username and password, and plug them into the LogonUser and
ImpersonateLoggedOnUser APIs, which creates a network token that can be passed to a network resource.

Obviously Anonymous wouldn't work set-up as the IUSR account, so people would change this to a domain user with rights to do what they needed. In this
scenario, IIS executes code as an interactive user (i.e. someone sitting at the machine logged in), as if it were the domain user listed as the anonymous user.

In order for Kerberos to be used by IE 6, each IE client must be set up to enable Windows Integrated Authentication on the "Advanced" tab of "Internet
Properties". It's at the very bottom under the "Security" section ("Enable Integrated Windows Authentication (requires restart)").

IIS will not use Kerberos on a virtual directory with a "." in its name. It's a small problem that they are working on.

I don't know if you will be MORE confused after reading this, but I hope it helps.

Sincerely,
Max Vaughn [MS]
Microsoft Developer Support

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. You assume all risk for your use.


Post by Joe Kapla » Wed, 16 Apr 2003 01:02:14


Thanks Max.  That is a nice posting and really helpful.

Do you also need to enable delegation on the user accounts (in addition to
trusting the server for delegation) in order to get Kerberos delegation to
work?

Joe K.



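
The Active Directory side of the delegation setup Max describes, and the user-account question in the post just above, checked as an added example that is not part of the thread. With Windows 2000 (unconstrained) delegation there is no per-user "enable delegation" switch: the IIS server's computer account carries "Trust computer for delegation" (userAccountControl bit 0x80000), and a user can be delegated unless the account has "Account is sensitive and cannot be delegated" (bit 0x100000) set. The script reads both bits plus the server's SPNs from the domain the running account belongs to; the server name NY4538 is the one given later in the thread and the user jdoe is a placeholder.

```powershell
# Added example, not part of the thread. Reads the two userAccountControl bits
# and the SPNs that Windows 2000 delegation depends on. Placeholders: the IIS
# server NY4538 (named later in the thread) and the user jdoe; the domain is
# whatever the running account belongs to.

$TRUSTED_FOR_DELEGATION = 0x80000    # computer account: "Trust computer for delegation"
$NOT_DELEGATED          = 0x100000   # user account: "Account is sensitive and cannot be delegated"

function Get-AdAccount {
    param([string]$SamAccountName)
    # DirectorySearcher with no SearchRoot searches the current user's domain
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    $result = $searcher.FindOne()
    if (-not $result) { throw "No account named '$SamAccountName' in this domain" }
    return $result
}

function Test-DelegationSetup {
    param([string]$ServerName, [string]$UserName)
    $server = Get-AdAccount "$ServerName`$"      # computer accounts end in '$'
    $user   = Get-AdAccount $UserName
    $serverUac = [int]$server.Properties['useraccountcontrol'][0]
    $userUac   = [int]$user.Properties['useraccountcontrol'][0]
    $spns      = @($server.Properties['serviceprincipalname'])
    [pscustomobject]@{
        ServerTrustedForDelegation = (($serverUac -band $TRUSTED_FOR_DELEGATION) -ne 0)
        UserCanBeDelegated         = (($userUac   -band $NOT_DELEGATED) -eq 0)
        # Kerberos needs an SPN for the name the browser uses. HTTP/<name> is
        # covered by the computer account's built-in HOST/<name> SPNs.
        ServerSpns                 = @($spns | Where-Object { $_ -match '^(HTTP|HOST)/' })
    }
}

Test-DelegationSetup -ServerName 'NY4538' -UserName 'jdoe' | Format-List
```

All three values need to line up: the server flag true, the user flag true, and an SPN matching the host name in the browser's URL. On the IIS 5 side the site must also still offer Negotiate (the default `NTAuthenticationProviders` of "Negotiate,NTLM"; `cscript adsutil.vbs get w3svc/NTAuthenticationProviders` shows it), since a site limited to "NTLM" never does Kerberos no matter what AD says. Granting "Trust computer for delegation" is a large grant: that server can then act as any user who connects to it, towards any service, so limit it to the servers that actually need the second hop.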

Post by Israel Derdi » Wed, 16 Apr 2003 02:12:58


Thanks Max. Your explanation was very clear and helped make sense of
something that has been bothering me for a long time. (I've been having a
similar problem using Windows Authentication with SQL Server residing on a
different box than the web server, which I will try to resolve using this
method.)

Unfortunately, I must still be missing something as the problem still
occurs.
Here are the details of my set up, Client is IE 6 on Win2K pro with Windows
Authentication (requires restart)  is checked. Server is Win2K member server
running IIS 5 allowing only Windows authentication for the Web App in
question. In ADU&C, "Trust computer for delegation" is checked. Anything
seem awry here?

Thanks!




Post by Israel Derdi » Wed, 16 Apr 2003 02:20:48


I spoke too soon. It DOES work! Thank you!!!!

The IIS server in question can be referenced by actual machine name (e.g.
NY4538) or by a different name that is registered in DNS (e.g. INTRANET1 for
ease of use). When I stated above that it works, that is only if I use the
machine name. When I try to use the other name registered in DNS it
doesn't. Is there something about Kerberos that precludes use of an
alternate DNS name?


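
One check a practitioner would run for the alias problem described above, added here as an example that is not part of the thread. Kerberos requires a service principal name (SPN) that matches the host name the browser typed. HTTP/NY4538 is covered by the computer account's own HOST/NY4538 SPN, but nothing covers HTTP/INTRANET1, so the client cannot obtain a ticket for the alias and IE falls back to NTLM, which cannot be delegated. The script lists the SPNs with setspn.exe (Windows 2000 Support Tools, built in on later Windows) and registers the missing alias forms; the DNS suffix corp.example.com is a placeholder.

```powershell
# Added example, not from the thread. Lists the SPNs registered on the IIS
# server's computer account with setspn.exe and registers HTTP/<alias> forms
# that are missing. Placeholder: the DNS suffix corp.example.com; NY4538 and
# INTRANET1 are the names used in the thread.

function Get-RegisteredSpn {
    param([string]$Account)
    # setspn -L prints a header line followed by one SPN per line
    $lines = & setspn.exe -L $Account 2>&1
    @($lines | ForEach-Object { "$_".Trim() } | Where-Object { $_ -match '^[A-Za-z]+/' })
}

function Get-MissingAliasSpn {
    param([string]$Server, [string]$Alias, [string]$DnsSuffix)
    $have   = Get-RegisteredSpn $Server
    # Register both the short and the fully qualified form; the browser builds
    # the SPN from whichever name appears in the URL.
    $wanted = @("HTTP/$Alias", "HTTP/$Alias.$DnsSuffix")
    @($wanted | Where-Object { $have -notcontains $_ })
}

function Register-AliasSpn {
    param([string]$Server, [string]$Alias, [string]$DnsSuffix, [switch]$WhatIf)
    foreach ($spn in Get-MissingAliasSpn $Server $Alias $DnsSuffix) {
        # An SPN must exist on exactly one account in the domain: the same SPN
        # on a second account breaks Kerberos for both, so list the accounts
        # you suspect (setspn -L <account>) before adding.
        if ($WhatIf) { "would run: setspn -A $spn $Server"; continue }
        & setspn.exe -A $spn $Server      # needs write access to the computer object
    }
}

Register-AliasSpn -Server 'NY4538' -Alias 'INTRANET1' -DnsSuffix 'corp.example.com' -WhatIf
```

Drop `-WhatIf` to actually register. After adding the SPN the client needs a fresh ticket (log off and on, or purge the ticket cache), and the proof that Kerberos is now in use is a ticket for HTTP/INTRANET1 in the client's cache (`klist` on the client); `Request.ServerVariables("AUTH_TYPE")` reporting "Negotiate" rather than "NTLM" is a hint but not proof, as Negotiate can still carry NTLM. Whether INTRANET1 is an A record or a CNAME also matters: with a CNAME some IE versions build the SPN from the canonical name instead of the alias, so check which name appears in the ticket before assuming the alias is the problem.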

Post by Max L. Vaughn [MSF » Wed, 16 Apr 2003 21:35:37


My take on it is that the problem resides in the implementation of IIS.  I would ask this question on one of the IIS newsgroups.

Sincerely,
Max Vaughn [MS]
Microsoft Developer Support

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. You assume all risk for your use.


Post by Israel Derdi » Wed, 16 Apr 2003 23:28:54


OK. Thank you for all your help!




Post by Max L. Vaughn [MSF » Thu, 17 Apr 2003 22:26:19


No problem.

Sincerely,
Max Vaughn [MS]
Microsoft Developer Support

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. You assume all risk for your use.

Using VB GetObject using a specified security context?

Hi

I am using the GetObject function in a VBScript to create a new user in an
AD with the security context of a domain admin. This works fine from a
domain member server, but what I would like to do is run it from a stand
alone server and run the script with a specified security context ( a
specific user account on the domain ). MSDN specifies that the GetObject
function can "explicitly specify the credentials" but in the examples given
does not cover this method of authentication.

Any Ideas

Thanks
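
The credentialled bind the question asks about, as an added example that is not code from the question. In ADSI, binding with explicit credentials is IADsOpenDSObject::OpenDSObject rather than GetObject; in VBScript that is `GetObject("LDAP:").OpenDSObject(path, user, password, 1)`, where 1 is ADS_SECURE_AUTHENTICATION. The PowerShell/.NET equivalent below is a DirectoryEntry built with a user name, password and AuthenticationTypes.Secure, followed by the same Create/SetInfo sequence. DC01, the OU path and the account CORP\svc-usercreate are placeholders.

```powershell
# Added example, not code from the question. In ADSI, binding with explicit
# credentials is IADsOpenDSObject::OpenDSObject (VBScript:
# GetObject("LDAP:").OpenDSObject(path, user, password, 1), where 1 is
# ADS_SECURE_AUTHENTICATION). From PowerShell/.NET the same call is a
# DirectoryEntry built with user, password and AuthenticationTypes.Secure.
# Placeholders: DC01, OU=Staff,DC=corp,DC=example,DC=com, CORP\svc-usercreate.

Add-Type -AssemblyName System.DirectoryServices

function New-AdUserAs {
    param(
        [string]$ContainerPath,     # e.g. LDAP://DC01/OU=Staff,DC=corp,DC=example,DC=com
        [string]$SamAccountName,
        [string]$DisplayName,
        [System.Management.Automation.PSCredential]$Credential
    )
    # Secure = ADS_SECURE_AUTHENTICATION: authenticate through SSPI (Kerberos or
    # NTLM) as the supplied account instead of the process token; the password
    # is used for the local logon, not sent to the DC as an LDAP simple bind.
    $container = New-Object System.DirectoryServices.DirectoryEntry(
        $ContainerPath,
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $user = $container.Children.Add("CN=$DisplayName", 'user')   # IADsContainer::Create
    $user.Properties['sAMAccountName'].Value = $SamAccountName
    $user.Properties['displayName'].Value    = $DisplayName
    $user.CommitChanges()                                        # IADs::SetInfo
    return $user.Path
}

# Usage. From a stand-alone server, name a DC in the path: serverless binding
# (LDAP://OU=...) relies on domain membership to locate one.
$cred = Get-Credential 'CORP\svc-usercreate'
New-AdUserAs -ContainerPath 'LDAP://DC01/OU=Staff,DC=corp,DC=example,DC=com' `
             -SamAccountName 'jdoe' -DisplayName 'Jane Doe' -Credential $cred
```

The account used does not have to be a domain admin: delegating "Create user objects" on the target OU is enough for this script, which is the safer choice for credentials that live on a stand-alone box. Keep the password out of the script; on that box `Export-Clixml` of the PSCredential stores it DPAPI-protected to the user and machine that wrote it. The new object is created disabled; setting a password and clearing ACCOUNTDISABLE in userAccountControl are separate steps.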
