Kerberos Constrained Delegation For Access To Single Application P

[Seen The Bean]

Is there some way to configure a service account used to run an ASP.NET
application pool to delegate identity only to specific virtual directories or
application pools on a remote server?

From what I've read, I've only ever seen constaining delegation down to the
HTTP service on a web service. This is insufficient for our scenarios
because we have many applications that run in various farms and want to
control access between specific applications.

For example:

- 2 Web Servers
- Server 1 Has Web Services: A & B
- Server 2 Has Web Services: C & D
- Web Service A should be able to delegate identity to web service C, but
not D
- Web Service B should be able to delegate identity to web service D, but
not C
- A & B Can Run as separate service accounts


How do I restrict access from the various service accounts to only specific
virtual directories or application pools on a server?
Possible?

Thanks!

 

[Dominick Baier [DevelopMentor]]

When you configure different (domain) worker process accounts for each application
you can register a SPN for every application - but you need separate DNS
names

e.g.

setspn -a app1/domain domain\App1Account
setspn -a app2/domain domain\App2Account

afterwards you can configure constrained delegation for these specific SPNs

 

[Ken Schaefer]

The client gets a Kerberos service ticket based on the FQDN of the remote
service.

You will need to setup a unique FQDN for the resources in question (provided
that it's running under HTTP or HTTPS, or alternatively you can use a unique
port)
The FQDN needs to run under a single user account.
You register the SPN under that account for the FQDN in question.

Cheers
Ken