tricky multi-tier delegation

[Pete]

Is it possible to implement a 2-tier ASP.NET app with delegation to
the back-end without authenticating the user at the middle-tier?

I have IIS running a presentation application that needs to delegate
Kerberos authentication to a proprietary back-end (non-Windows)
server. The kicker is that the presentation server is not connected to
the Authentication Server/KDC, so it cannot authenticate the user. The
client, presentation server and back-end server are all connected on a
private LAN, but only the client & back-end are on the intranet. I
want the client to provide credentials (ticket) to the middle-tier,
who in turn provides those same credentials to the back-end, without
the middle-tier doing any authentication himself. I can't find a way
to do this.

Thanks,
Pete

 

[Ken Schaefer]

I don't think this is possible.

Kerberos authentication requires that the client get a ticket to access the
service (the service being IIS). If IIS is using Kerberos authentication, it
won't accept the ticket unless it can validate it.

Delegation is then a subsequent step. Here the webserver (IIS) has been
granted permissions to "act as a the user" - i.e. get a service ticket on
the user's behalf to access the backend server. To get this ticket, IIS
needs to communicate with the KDC - but you say this isn't possible.

What I suppose you can do is have the user supply their credentials using a
non-HTTP based authentication mechanism (eg a HTML form). Your ASP.NET app
can pass that to the backend server, which in turn can verify the
credentials against Active Directory. However, if the backend server is
expecting a kerberos ticket, then this will be difficult, because the IIS
box needs to communicate with the KDC to get a ticket on the user's behalf.

Cheers
Ken