AcquireCredentials problem running inside iis

Michael B Allen mba2000 at ioplex.com
Thu May 11 17:38:55 EDT 2006


On 11 May 2006 11:11:05 -0700
aliwaheed1975 at yahoo.com wrote:

> I have a website in IIS which has been configured to run with Windows
> Authentication and I have <identity impersonate="true" /> in my
> web.config.
> 
> I know that my configuration works correctly as when I look at the
> identity under which the thread is running I can see that it is the
> user's account.
> 
> My aim is to generate a security token to authenticate the user against
> one of our single-sign-on (SSO) servers (written in-house). I am using
> the SSPI samples (Microsoft Security SSPI Classes) which I downloaded
> from your website to generate tokens in order to perform an sspi
> authentication with our SSO server.
> 
> The problem I have is that when a user logs on, although the thread in
> IIS seems to run under the user's account, the SSPI call seems to
> generate credentials for 'anonymous user'.

There are a couple of things that need to happen for this to work.

1) The account under which IIS is running must be flagged "ok for delegation"
2) The user's account must have forwardable and delegation enabled.
3) There is a difference between a primary token and an impersonation
   token. This may be a factor when doing SSPI.

Mike
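
Added example, not part of the original message or of any code from this thread: a small check of the account settings behind points 1 and 2, run over an LDIF-style directory export. It assumes the accounts live in Active Directory and uses the documented `userAccountControl` bits TRUSTED_FOR_DELEGATION and NOT_DELEGATED; the account names and values in the sample export are constructed, and the forwardable ticket flag and the token type from point 3 are not covered.

```python
import re

# Documented Active Directory userAccountControl bits.
TRUSTED_FOR_DELEGATION = 0x80000   # account is "trusted for delegation"
NOT_DELEGATED = 0x100000           # "account is sensitive and cannot be delegated"

# Constructed sample export (LDIF-style); names and values are made up.
SAMPLE_LDIF = """\
dn: CN=svc-iis,OU=Service,DC=example,DC=test
sAMAccountName: svc-iis
userAccountControl: 66048

dn: CN=alice,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 1049088

dn: CN=bob,OU=Staff,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 512
"""

def parse_uac(ldif):
    """Map sAMAccountName -> userAccountControl for each record in the export."""
    accounts = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(line.split(": ", 1)
                     for line in record.splitlines() if ": " in line)
        accounts[attrs["sAMAccountName"]] = int(attrs["userAccountControl"])
    return accounts

def delegation_blockers(accounts, service, user):
    """List the account settings (points 1 and 2) that would block delegation."""
    blockers = []
    if not accounts[service] & TRUSTED_FOR_DELEGATION:
        blockers.append(f"{service}: not trusted for delegation")
    if accounts[user] & NOT_DELEGATED:
        blockers.append(f"{user}: marked sensitive, cannot be delegated")
    return blockers

if __name__ == "__main__":
    accts = parse_uac(SAMPLE_LDIF)
    for name in ("alice", "bob"):
        found = delegation_blockers(accts, "svc-iis", name)
        print(name, found or "no blockers found")
```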



More information about the Kerberos mailing list