| Ken Schaefer 2007-04-06, 1:21 am |
| If you want Kerberos delegation to work, you need to have everything setup
correctly end-to-end.
The browser must authenticate using Kerberos, which means that both IE must
attempt Kerberos *and* the relevant server SPNs must be created/set
correctly. In an NLB scenario, you'd need to run your worker process under a
domain account, and register the virtual hostname that the end user is going
to use as an SPN under that domain account. The following may be helpful in
getting this working:
IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blog.../10/19/512.aspx
IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blog.../11/19/606.aspx
IIS and Kerberos. Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blog...01/16/1054.aspx
IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blog...01/27/1282.aspx
Cheers
Ken
"Jason Carter" <JasonCarter@discussions.microsoft.com> wrote in message
news:046E4A03-2444-4669-B199-B5A1A6B57870@microsoft.com...[vbcol=seagreen]
> Every server is Windows 2003 R2 (web and file server).
>
> I had delegation enabled on the web server to the file server for the HOST
> and cifs services in a Windows 2003 native mode active directory.
>
> I am interested in knowing what you think should have been done
> differently.
> I am all for securing the data as much as possible, as long as it works.
>
> Thank you for your response.
>
> "David Wang" wrote:
>
|