
dotnet web services enhancements : Kerberos and forms authentication


paal.andreassen NO[at]SPAM gmail.com
6/26/2006 1:32:48 PM
We have a multi-tier application spread over multiple servers.
As of today the clients (IE 6) have used Integrated (NTLM)
authentication against IIS running the presentation layer. Each layer is
communicating with the next layer using WSE3 web services. We are using
Kerberos for delegated authentication through the tiers. This setup is
a requirement (secure and authenticated communication from client
through the tiers down to the database and back; actually we are using
a fixed SQL user at the lowest level).

This setup is working fine, except that in order for a "user switch"
the user has to actually log off Windows and the new user log in. We are
experimenting with switching to forms authentication on the
presentation server allowing the "windows user" on the client to remain
separate from the user logged on our application.

Setting up forms authentication is easy enough, and I thought that by
impersonating the user the delegated authentication would still work as
before, but I was wrong.

Any ideas if this is even possible? If so, any pointers on how to make
this magic happen?

.NET Framework 2.0
IIS 6 on Windows 2003
MS SQL 2000
All users defined in MS Active Directory 2000
Microsoft WSE3.0
Clients are Internet Explorer 6

Joe Kaplan (MVP - ADSI)
6/26/2006 5:48:37 PM
You should be able to get Kerberos authentication and use Kerberos with WSE3
by calling LogonUser. What parameters are you calling it with? If you
enable auditing for logon events and look in the security event log, what
type of logon is being performed for these users?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
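
An added example, not code from either poster: a C# wrapper around the Win32 LogonUser call mentioned in the reply, with the logon type as an explicit parameter so the value passed in can be compared with the "Logon Type" recorded in the security event log. The class name FormsLogon, the RunAs method and the Work delegate are hypothetical, and which logon type suits this deployment is an assumption to confirm from the audit events.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper for the forms-login tier; not code from the thread.
static class FormsLogon
{
    // dwLogonType values from winbase.h. The same number is recorded as
    // "Logon Type" in the logon events of the security event log.
    public const int LOGON32_LOGON_INTERACTIVE = 2;       // credentials cached
    public const int LOGON32_LOGON_NETWORK = 3;           // credentials NOT cached
    public const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8; // name/password kept for outbound hops
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    public delegate void Work();

    // Logs the user on with the chosen logon type and runs 'work' (for example
    // the WSE3 proxy call to the next tier) while impersonating that user.
    public static void RunAs(string user, string domain, string password,
        int logonType, Work work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, logonType,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsIdentity id = new WindowsIdentity(token))
            using (WindowsImpersonationContext ctx = id.Impersonate())
            {
                // Record what was actually obtained, to compare with the audit event.
                System.Diagnostics.Trace.WriteLine(string.Format(
                    "{0} logonType={1} auth={2}", id.Name, logonType, id.AuthenticationType));
                work();
            }
        }
        finally
        {
            CloseHandle(token); // WindowsIdentity duplicated the handle
        }
    }
}
```

A token from a type 3 (network) logon carries no cached credentials, so calls made under it to another server cannot authenticate as the user; pass the password straight from the login postback and do not store it.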