
Why can users delegate authentication to IIS via IE?

Kerberos authentication supports delegation, but delegation needs cooperation between the client and the server.
If the client uses SSPI, for example, it must set the ISC_REQ_DELEGATE flag when invoking InitializeSecurityContext.
If the server, IIS (more accurately, applications running on IIS), wants to use the client's authentication for another remote access, clients (the IE browser) have to use delegation, but how do they know the server wants to do so?

This depends a bit on browsers. The SSPI actually uses two things to control delegation. First, the ISC_REQ_DELEGATE flag to InitializeSecurityContext needs to be set, as you discuss. Second, though, the computer account in Active Directory must include the trusted-for-delegation flag. This flag is also called ok-as-delegate in the Kerberos documentation. The idea is that a browser can always set the delegation-requested flag in InitializeSecurityContext, but Active Directory decides whether delegation works. IE normally does set that flag and normally does support delegation if the web server's computer account permits. See here for a discussion of how to configure delegation in Firefox.
See here for a discussion of how to configure the web server's computer account. And see here for a discussion of delegation, its risks, and constrained delegation, which is an alternative that doesn't require browser cooperation. See this RFC for a discussion of how your HTTP client can use the ok-as-delegate flag if you need to code to GSS-API rather than SSPI.
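The answer's point is that the client can only request delegation; the KDC decides, and its decision is visible on the service ticket itself as the ok-as-delegate ticket flag. The following script is an added example (not part of the question or answer above) that decodes the "Ticket Flags" value Windows `klist` prints for each cached ticket and reports which services the KDC marked ok-as-delegate. The flag-to-bit mapping follows the TicketFlags definition in RFC 4120 section 5.3 (bit i of the ASN.1 BIT STRING is mask `1 << (31 - i)` in the 32-bit value `klist` shows); the `klist` excerpt, the realm `CORP.EXAMPLE`, the user `alice` and the two HTTP service principals are constructed sample data, not output from a real domain.

```python
import re

# Kerberos TicketFlags bit positions, per RFC 4120 section 5.3.
# Windows klist prints the 32-bit value as "Ticket Flags 0x....".
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may_postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre_authent": 10, "hw_authent": 11,
    "transited_policy_checked": 12, "ok_as_delegate": 13,
    "name_canonicalize": 15,
}
# Bit i of the ASN.1 BIT STRING is the (31 - i)-th bit of the 32-bit integer.
FLAG_MASKS = {name: 1 << (31 - bit) for name, bit in TICKET_FLAG_BITS.items()}

# Constructed klist excerpt (sample data, not captured from a real machine).
# Ticket #0 is for a service whose AD account is trusted for delegation, so the KDC set
# ok_as_delegate; ticket #1 is for a service account without that setting.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ CORP.EXAMPLE
        Server: HTTP/intranet.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize

#1>     Client: alice @ CORP.EXAMPLE
        Server: HTTP/reports.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
"""

TICKET_START = re.compile(r"^#\d+>\s*Client:\s*(.+?)\s*$")
SERVER_LINE = re.compile(r"^\s*Server:\s*(.+?)\s*$")
FLAGS_LINE = re.compile(r"^\s*Ticket Flags\s+0x([0-9a-fA-F]+)")


def decode_ticket_flags(value):
    """Return the set of RFC 4120 flag names set in a 32-bit TicketFlags value."""
    return {name for name, mask in FLAG_MASKS.items() if value & mask}


def parse_klist(text):
    """Parse klist output into a list of {client, server, flags} dicts."""
    tickets = []
    current = None
    for line in text.splitlines():
        m = TICKET_START.match(line)
        if m:
            current = {"client": m.group(1), "server": None, "flags": 0}
            tickets.append(current)
            continue
        if current is None:
            continue
        m = SERVER_LINE.match(line)
        if m:
            current["server"] = m.group(1)
            continue
        m = FLAGS_LINE.match(line)
        if m:
            current["flags"] = int(m.group(1), 16)
    return tickets


def delegation_report(tickets):
    """Map each service principal to whether the KDC marked its ticket ok-as-delegate.

    A True entry means the service's account is trusted for delegation in AD, so a
    client that requested ISC_REQ_DELEGATE will actually forward its credentials there.
    """
    return {
        t["server"]: "ok_as_delegate" in decode_ticket_flags(t["flags"])
        for t in tickets
        if t["server"] is not None
    }


if __name__ == "__main__":
    # On a real workstation, feed in the output of `klist` instead of SAMPLE_KLIST.
    for server, delegable in delegation_report(parse_klist(SAMPLE_KLIST)).items():
        print(f"{server}: ok_as_delegate={delegable}")
```

Running this against real `klist` output from a domain-joined workstation gives the client-side view of the decision the answer describes: a service whose ticket lacks ok_as_delegate will not receive forwarded credentials no matter what flag the browser passed to InitializeSecurityContext. The server-side counterpart of the same setting is the TrustedForDelegation attribute on the service's computer or service account in Active Directory.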
