
Kerberos delegation does not work (IIS, file share, double hop)

I want to show a list of files in the browser of the user. This list is generated by an IIS7 ASP.NET web application.

My scenario:

Client     => App Server              => File Server
Windows 7     Windows Server 2008 R2     Windows Server 2003
IE8           IIS7 (ASP.NET)             File Share

Impersonation is active on the web app on the app server.
The app pool of the web app is running under the identity "NetworkService".
The app server has the AD setting "Trust this computer for delegation to any service (Kerberos only)".

The following SPNs are defined on the app server:

        HTTP/appserver01
        HTTP/appserver01.customer01.net
        WSMAN/appserver01
        WSMAN/appserver01.customer01.net
        TERMSRV/appserver01
        TERMSRV/appserver01.customer01.net
        RestrictedKrbHost/appserver01
        RestrictedKrbHost/appserver01.customer01.net
        HOST/appserver01
        HOST/appserver01.customer01.net

If I open the web application in IE directly on the app server everything works.
But if a user browses the application, he gets the error "Access to the path '\\fileserver01\folder01$\subfolder\' is denied."

The same user has no problems accessing the folder in Windows Explorer and opening files in it.

That's why I think I have a double hop/delegation problem.

Because I have no domain admin rights (I am a developer), I inspected the AD user's settings with Active Directory Explorer.
The userAccountControl shows the value 512, which means that the Windows user is only a "Normal Account" and does not have the default setting "Trusted for delegation".

Is this my problem?
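
The userAccountControl value mentioned in the question is a bit field and can be decoded flag by flag. The following is an added example, not part of the original post, using the documented Active Directory flag values; the function names and the sample values other than 512 are constructed for illustration.

```python
# Added example: decode userAccountControl bits relevant to Kerberos delegation.
# Bit values are the documented Active Directory userAccountControl flags.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",                  # 512, an ordinary user
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",       # 4096, computer / member server
    0x00002000: "SERVER_TRUST_ACCOUNT",            # 8192, domain controller
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",          # "delegation to any service (Kerberos only)"
    0x00100000: "NOT_DELEGATED",                   # "sensitive and cannot be delegated"
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # protocol transition
}
KNOWN_MASK = sum(UAC_FLAGS)  # bits are distinct, so the sum equals their OR


def decode_uac(value):
    """Return (names of the known flags that are set, bits not in the table)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    return names, value & ~KNOWN_MASK


def delegation_view(value):
    """Summarise what a userAccountControl value says about delegation."""
    names, unknown = decode_uac(value)
    return {
        "flags": names,
        "unknown_bits": hex(unknown),
        # Set on the account that runs the service (a computer account when
        # the app pool runs as NetworkService).
        "trusted_for_delegation": "TRUSTED_FOR_DELEGATION" in names,
        # Set on an end-user account to forbid services from delegating it.
        "cannot_be_delegated": "NOT_DELEGATED" in names,
    }


if __name__ == "__main__":
    # Constructed sample values; only 512 appears in the post above.
    samples = {
        "user, value from the post": 512,
        "computer trusted for delegation (constructed)": 4096 + 524288,
        "user marked sensitive (constructed)": 512 + 1048576,
    }
    for label, value in samples.items():
        print(f"{label}: {value} -> {delegation_view(value)}")
```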




