The website located on Web-Server will make HTTP calls using the authenticated user's credentials to API-Server (which is the alias for Backend-Web-SRV) to retrieve application data on behalf of users, using Kerberos credential delegation. The setup works with Internet Explorer, but when users adopt Microsoft Edge, they can no longer use the credential delegation feature. The steps below will help you troubleshoot this scenario. To use Kerberos credential delegation, refer to Troubleshoot Kerberos failures in Internet Explorer first.

In an unconstrained Kerberos delegation configuration, the application pool identity runs on Web-Server and is configured in Active Directory to be trusted for delegation to any service. The application pool's account running on Web-Server can delegate the credentials of authenticated users of the website hosted on that server to any other service in Active Directory: for example, an SMTP server, a file server, a database server, another web server, etc. This is called unconstrained delegation because the application pool account has the permission (it's unconstrained) to delegate credentials to any service it contacts.

In a constrained delegation configuration, the Active Directory account that is used as the application pool identity can delegate the credentials of authenticated users only to a list of services that have been authorized for delegation. If the web application residing on the server called Web-Server must also contact a database and authenticate on behalf of the user, that database's service principal name (SPN) must be added to the list of authorized services. Constrained delegation is more secure than unconstrained delegation based on the principle of least privilege: an application is granted the rights it needs to function and nothing more, whereas unconstrained delegation allows an application to contact resources it shouldn't contact on behalf of the user.

In the scenario above, both configurations allow users to delegate credentials from their user session on machine Workstation-Client1 to the back-end API server while connecting through the front-end Web-Server. How do you know whether the Kerberos ticket obtained on the client and sent to Web-Server uses constrained or unconstrained delegation? Use the klist command-line tool present in Windows to list the cache of Kerberos tickets on the client machine (Workstation-Client1 in the diagram above). Note: is the SPN of the service you wish to contact and authenticate to via Kerberos.

Two of the ticket flags are of interest: forwardable and ok_as_delegate. The first flag, forwardable, indicates that the KDC (key distribution center) can issue a new ticket with a new network mask if necessary.
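As an added example (not part of the original article), the following Python parses klist output and decodes the "Ticket Flags" value using the RFC 4120 bit layout, then reports per SPN whether the cached service ticket carries forwardable and ok_as_delegate. It goes one step beyond the text by applying the Windows KDC rule that ok_as_delegate is set on a service ticket only when the target service's account is trusted for unconstrained delegation, so its absence means constrained delegation or none; the klist sample, SPNs and realm are constructed.

```python
"""Classify cached Kerberos service tickets from klist output by delegation flags."""
import re

# RFC 4120 ticket-flag bit positions; bit 0 is the most significant bit of
# the 32-bit value that klist prints as "Ticket Flags 0x....".
TICKET_FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate",
    15: "name_canonicalize",
}

def decode_ticket_flags(value):
    """Return the set of flag names present in a 32-bit ticket-flags value."""
    return {name for bit, name in TICKET_FLAG_BITS.items()
            if value & (1 << (31 - bit))}

def parse_klist(output):
    """Extract the server SPN and decoded flags for each ticket in klist output."""
    tickets = []
    for block in re.split(r"^#\d+>", output, flags=re.MULTILINE)[1:]:
        server = re.search(r"Server:\s*(\S+)", block)
        flags = re.search(r"Ticket Flags\s+(0x[0-9a-fA-F]+)", block)
        if not (server and flags):
            continue  # skip entries that lack the two lines we need
        decoded = decode_ticket_flags(int(flags.group(1), 16))
        tickets.append({"server": server.group(1),
                        "forwardable": "forwardable" in decoded,
                        "ok_as_delegate": "ok_as_delegate" in decoded})
    return tickets

# Constructed klist output (hypothetical SPNs and realm): the web-server
# ticket carries ok_as_delegate (0x00040000), the api-server ticket does not.
SAMPLE_KLIST = """\
#0>     Client: alice @ CONTOSO.LOCAL
        Server: HTTP/web-server.contoso.local @ CONTOSO.LOCAL
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize

#1>     Client: alice @ CONTOSO.LOCAL
        Server: HTTP/api-server.contoso.local @ CONTOSO.LOCAL
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
"""

def delegation_report(output=SAMPLE_KLIST):
    """Map each SPN to the delegation state its ticket flags imply: the KDC sets
    ok_as_delegate only for accounts trusted for unconstrained delegation."""
    return {t["server"]: "unconstrained" if t["ok_as_delegate"] else "constrained-or-none"
            for t in parse_klist(output)}
```

On a real client, feed `delegation_report` the captured text of `klist` (for example via `subprocess.run(["klist"], capture_output=True, text=True).stdout`); the forwardable flag alone does not distinguish the two modes, which is why the verdict keys off ok_as_delegate.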