BizTalk Server Applications Integration - SSO for BTS Adapters


oleg_kleyman

2005-03-21, 7:47 am

Hi,
As far as I understand, SOAP Adapter redeems SSO ticket passed in message
context. In turn, redeem will succeed only for authenticated calls. If so,
why NTLM authentication method disables SSO for SOAP Adapter? The same
question applies to Kerberos authentication for HTTP Adapter and 'Integrated
authentication' method for WSE Adapter.
Thanks in advance.

Jon Flanders[DevelopMentor]

2005-03-22, 2:50 am

Because SSO cannot be used to connect one NT account to another NT
account - that would be a type of two machine hop that just isn't allowed
from a security POV (might be a licensing issue as well).

SSO is meant to take incoming NT credentials and translate them into NON-NT
credentials.

--
Jon Flanders [DevelopMentor]
http://staff.develop.com/jfland/
http://www.develop.com/courses/biztalk
"oleg_kleyman" <olegkleyman@discussions.microsoft.com> wrote in message
news:4FBA9647-C848-480D-9776-98149C39F486@microsoft.com...
> Hi,
> As far as I understand, SOAP Adapter redeems SSO ticket passed in message
> context. In turn, redeem will succeed only for authenticated calls. If so,
> why NTLM authentication method disables SSO for SOAP Adapter? The same
> question applies to Kerberos authentication for HTTP Adapter and
> 'Integrated
> authentication' method for WSE Adapter.
> Thanks in advance.
>



oleg_kleyman

2005-03-22, 6:03 pm

All mentioned authentication methods - NTLM, Kerberos etc. may be used to
validate Windows user against some NT Authority. What I'm trying to
understand is why the validation performed via NTLM and Kerberos is not good
for SSO ticket's redeeming. It's clear that such redeeming is used to map
windows user to external (not Windows) credentials.

"Jon Flanders[DevelopMentor]" wrote:

> Because SSO cannot be used to connect one NT account to another NT
> account - that would be a type of two machine hop that just isn't allowed
> from a security POV (might be a licensing issue as well).
>
> SSO is meant to take incoming NT credentials and translate them into NON-NT
> credentials.
>
> --
> Jon Flanders [DevelopMentor]
> http://staff.develop.com/jfland/
> http://www.develop.com/courses/biztalk
> "oleg_kleyman" <olegkleyman@discussions.microsoft.com> wrote in message
> news:4FBA9647-C848-480D-9776-98149C39F486@microsoft.com...
>
>
>

Tomas Restrepo (MVP)

2005-03-22, 8:46 pm

Hi Oleg,

> All mentioned authentication methods - NTLM, Kerberos etc. may be used to
> validate Windows user against some NT Authority. What I'm trying to
> understand is why the validation performed via NTLM and Kerberos is not good
> for SSO ticket's redeeming. It's clear that such redeeming is used to map
> windows user to external (not Windows) credentials.


That's a good question. My guess is that, similar to what Jon mentions, the idea
here is that you'd only use NTLM and Kerberos if you wanted to logon to the
remote server using the identity of the running BizTalk Application Host,
however, that, by itself, doesn't seem very useful (particularly given that
the requirement to use integrated security is imposed by the server side,
not the biztalk side, usually).

It might be, however, a very simple technological problem... If the HTTP
adapter uses the .NET libraries for this, I believe the support in them for
integrated security doesn't allow you to use NTLM/Kerberos authentication
with alternate credentials [1](and only those of the running thread,
instead), but I don't know the implementation details here, so I might be
wrong.

[1] This would be a limitation of the .NET implementation, which probably
uses SSPI underneath for the integrated authentication, and SSPI most
certainly allows you to use alternate credentials.

--
Tomas Restrepo
tomasr@mvps.org
http://www.winterdom.com/
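The model below is an added illustration of the point the thread settles on, not code from the thread's authors and not the Enterprise SSO (ENTSSO) API: an SSO ticket carries an authenticated Windows identity, redeeming it is only allowed for an authenticated caller, and what comes back is a non-Windows credential from an affiliate-application mapping. Integrated modes (NTLM, Kerberos, WSE "Integrated") send the host's own Windows account instead, so there is nothing for SSO to translate. The ticket format, the HMAC-based integrity check, the two-minute lifetime and the one-time redemption are assumptions of this model, chosen to show the checks a redeemer would want; the accounts and mappings are constructed sample data.

```python
"""Illustrative model of SSO ticket issue/redeem for a BizTalk-style send adapter.

This is an added, simplified model, not the ENTSSO library. Assumptions:
  - a ticket is 'user|issued_at|nonce' plus an HMAC under a shared secret
  - tickets expire after TICKET_LIFETIME_S and can be redeemed once
  - only an authenticated caller may redeem (the property the thread relies on)
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SECRET = secrets.token_bytes(32)    # constructed: stands in for the SSO master secret
TICKET_LIFETIME_S = 120             # assumption: short-lived tickets (ENTSSO default is 2 minutes)

INTEGRATED_MODES = ("NTLM", "Kerberos", "Integrated")   # send the host's Windows identity
CREDENTIAL_MODES = ("Basic", "Digest")                  # need an explicit user/password


@dataclass
class SsoStore:
    """Affiliate application -> {Windows identity -> (external user, external password)}."""
    mappings: Dict[str, Dict[str, Tuple[str, str]]] = field(default_factory=dict)
    redeemed: Set[str] = field(default_factory=set)

    def add_mapping(self, app: str, windows_user: str, ext_user: str, ext_pwd: str) -> None:
        self.mappings.setdefault(app, {})[windows_user] = (ext_user, ext_pwd)


def _mac(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_ticket(windows_user: str, now: Optional[float] = None) -> str:
    """Issue a ticket for an already-authenticated Windows identity."""
    now = time.time() if now is None else now
    body = f"{windows_user}|{int(now)}|{secrets.token_hex(8)}"
    return f"{body}|{_mac(body)}"


def redeem_ticket(store: SsoStore, app: str, ticket: str,
                  caller_authenticated: bool, now: Optional[float] = None) -> Tuple[str, str]:
    """Return the external (non-Windows) credentials mapped for the ticket's user.

    Refuses unauthenticated callers, forged or expired tickets, replayed tickets,
    and users with no mapping in the affiliate application.
    """
    now = time.time() if now is None else now
    if not caller_authenticated:
        raise PermissionError("ticket redemption requires an authenticated caller")
    body, _, mac = ticket.rpartition("|")
    if not hmac.compare_digest(mac, _mac(body)):
        raise ValueError("ticket integrity check failed")
    windows_user, issued_at, _nonce = body.split("|")
    if now - int(issued_at) > TICKET_LIFETIME_S:
        raise ValueError("ticket expired")
    if ticket in store.redeemed:
        raise ValueError("ticket already redeemed")
    store.redeemed.add(ticket)
    creds = store.mappings.get(app, {}).get(windows_user)
    if creds is None:
        raise LookupError(f"no mapping for {windows_user} in {app}")
    return creds


def outbound_identity(auth_mode: str, host_account: str, store: SsoStore, app: str,
                      ticket: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Decide which identity a send adapter presents to the remote server.

    Integrated modes use the host process's own Windows account (no SSO
    translation happens); credential modes redeem the ticket for external creds.
    Returns (kind, user) and deliberately never returns the external password.
    """
    if auth_mode in INTEGRATED_MODES:
        return ("windows", host_account)
    if auth_mode in CREDENTIAL_MODES:
        ext_user, _ext_pwd = redeem_ticket(store, app, ticket, True, now)
        return ("external", ext_user)
    raise ValueError(f"unknown authentication mode: {auth_mode}")


if __name__ == "__main__":
    store = SsoStore()
    store.add_mapping("SAP_Affiliate", r"CORP\alice", "alice_sap", "s3cret")   # constructed
    t = issue_ticket(r"CORP\alice", now=1000.0)
    print(outbound_identity("Basic", r"CORP\btshost", store, "SAP_Affiliate", t, now=1050.0))
    print(outbound_identity("NTLM", r"CORP\btshost", store, "SAP_Affiliate", t, now=1050.0))
```

The split between `INTEGRATED_MODES` and `CREDENTIAL_MODES` is the whole answer in miniature: when the adapter is configured for NTLM or Kerberos the ticket is never consulted, so disabling SSO for those modes removes nothing that could have been used.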


Copyright 2003 - 2008 webservertalk.com