Posted by Roger Abell on July 9, 2005, 8:32 am
The users of the feature will not be able, due to this, to obtain, as you inquire, "higher authorization levels".

However, the way most people run webservers, there is much content and separate parts of the web app all configured to run with the same back-end accounts. As it is this/these backend account(s) that you trust for use of the delegations, these can obtain authZ levels above normal depending on the account whose credentials are in use at the moment.

Be certain that you look into using constrained delegation, if you are a W2k3 shop, so that you may state what may make use of the permit of delegation on the accounts that need to be so enabled. If you are not a W2k3 shop, and the AD user base in general needs to make use of this non-load-balanced feature, then you could be in effect opening up your user base to having their credentials used where not intended if other points in the infrastructure are trusted for delegation.

As this scenario only makes sense in a non-anonymous web application, and as the ability to use a single instance of this reporting feature implies it is doing independent authentication upon initial session establishment, then it may be simpler to just consider locating that single instance on a third, non-load-balanced machine. This would, it seems, remove the delegation issue, would not introduce a single point of failure (it is already present), and would simplify the main, redundant web presence. Then, you could "pressure" the firm to get up to steam so that continued use of their product in your environment would fit cost-effectively and with desired availability metrics.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
>
> I am not very familiar with Kerberos delegation in Active Directory and we have a vendor that is suggesting we use this "feature" to get around an issue we are having. The issue is that we are load balancing two web servers for this product; the report service runs within the web server, however it will not handle the load balancing, so we have to just run one instance of the report service, which is breaking the authentication in a load balanced environment. The vendor says to use this delegation feature; my concern is how does this affect the users that we authorize to use this delegation in general? Will they now have the ability to obtain higher authorization levels by misusing this feature?
> --
> Rick B., CISSP
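The distinction the reply draws, between accounts trusted for unconstrained delegation (any forwarded user credential can be reused from there) and constrained delegation scoped to named back-end services, is something an administrator can audit and enforce directly in the directory. The script below is an added example and is not part of the thread or of any vendor's product; it assumes the ActiveDirectory PowerShell module (RSAT), which postdates the 2005 post, and the account name `svc-reports` and SPN `HTTP/reports-backend.example.local` are placeholders.

```powershell
# Added example, not from the thread: audit and scope Kerberos delegation in AD.
# Assumes the ActiveDirectory PowerShell module on a domain-joined admin host;
# account and SPN names are placeholders for illustration.
Import-Module ActiveDirectory

# userAccountControl bit for "trusted to authenticate for delegation"
# (constrained delegation with protocol transition).
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

function Get-DelegationAudit {
    # Accounts trusted for UNCONSTRAINED delegation: any service ticket a user
    # presents to them can be forwarded to any other service. These are the
    # "other points in the infrastructure" the reply warns about.
    $unconstrained = @(Get-ADUser     -Filter { TrustedForDelegation -eq $true }) +
                     @(Get-ADComputer -Filter { TrustedForDelegation -eq $true })

    # Accounts using CONSTRAINED delegation: msDS-AllowedToDelegateTo lists the
    # only back-end SPNs they may obtain tickets for on a user's behalf.
    $constrained = @(Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
                        -Properties msDS-AllowedToDelegateTo, userAccountControl)

    foreach ($a in $unconstrained) {
        [pscustomobject]@{
            Account = $a.SamAccountName
            Mode    = 'Unconstrained'
            Targets = '(any service)'
        }
    }
    foreach ($a in $constrained) {
        $mode = 'Constrained (Kerberos only)'
        if ($a.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
            $mode = 'Constrained + protocol transition'
        }
        [pscustomobject]@{
            Account = $a.Name
            Mode    = $mode
            Targets = ($a.'msDS-AllowedToDelegateTo' -join '; ')
        }
    }
}

# Scope the report service's account to ONE back-end SPN: it may obtain tickets
# only for that service on the user's behalf, and unconstrained forwarding is
# switched off on the account. Names are placeholders.
function Set-ReportServiceDelegation {
    param(
        [string]$ServiceAccount = 'svc-reports',                        # placeholder
        [string]$BackendSpn     = 'HTTP/reports-backend.example.local'  # placeholder
    )
    Set-ADAccountControl -Identity $ServiceAccount -TrustedForDelegation $false
    Set-ADUser -Identity $ServiceAccount `
        -Replace @{ 'msDS-AllowedToDelegateTo' = @($BackendSpn) }
}

# Review the current state before granting any vendor's delegation request.
Get-DelegationAudit | Format-Table -AutoSize
```

Run `Get-DelegationAudit` first and treat every "Unconstrained" row as a place where a forwarded user credential could be reused beyond its intended service; `Set-ReportServiceDelegation` then restricts the single report-service account to the one back-end SPN it actually needs. Note that constrained delegation as introduced in Windows Server 2003 requires the front-end and back-end services to be in the same domain, so the audit also tells you whether the vendor's single-instance design fits within that boundary.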