Reza
Hi
An administrator from the trusted forest connects to my web application in
the trusting forest. Surely he can do it because of the trust. In my web
page I tried to impersonate him and create a global group in his forest.
Since he is an administrator he must be able to do it, but here I get an
error. I did the same thing through a desktop application which I Run As him
in my forest (trusting forest) and it works fine. Why can't I do it through
the web? His account is NOT (sensitive and cannot
be delegated) and my IIS computer is trusted for delegation, so everything
is fine for delegation. Another test is that when I change security in IIS to
Basic Authentication it works, but in Integrated Windows it is not working.
That made me think it is probably because of Kerberos. Documentation says
delegation for Kerberos needs all computers to be in the same forest. I ran
the same test in a single forest again with the same result. The error is
nonspecific: (Operation error), which is raised by the Directory Service class of
.NET. There is no Access Denied or any other meaningful thing. I am really
confused!! Can somebody help me, please?
Thanks
Reza