Kerberos Authentication in Mixed environment


Microsoft Applications Security - Microsoft's general security discussions and announcements 

Subject Author Date
Kerberos Authentication in Mixed environment Chris Geier 01-10-2006
Posted by Chris Geier on January 10, 2006, 12:41 pm
Hello,

I have a question about Kerberos in an environment mixed with 2003, 2000 and
NT 4. If the domain containing both the servers, and the user accounts
themselves that have SPNs assigned to them, are in 2003 or 2000, but the
client making the front end request is running in NT4 with a trust to 2000 or
2003, can the backend servers still take advantage of Kerberos delegation
etc.?

So an NT 4 client contacts a SharePoint 2003 server that resides in a 2000
domain. That SharePoint server, operating under a service account with all
the proper settings, SPNs etc., needs to go talk to another application on
behalf of that user using Kerberos delegation. Will that work, or does the
client OS need to be XP or 2000? What are the limitations? Can the client OS
be NT4 if the machine account and user account are in AD?

Posted by S. Pidgorny on January 11, 2006, 5:52 am
Windows NT doesn't support Kerberos. NTLM delegation will still work - I
think you need to look into protocol transition from NTLM so that the Web
server (Win2003) will obtain a Kerberos ticket for the user. Not sure about
the details - might need to ask in the IIS groups.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Chris Geier" <chris.geier at gmail.com> wrote in message
> Hello,
>
> I have a question about Kerberos in an environment mixed with 2003, 2000
> and NT 4. If the domain containing both the servers, and the user accounts
> themselves that have SPNs assigned to them, are in 2003 or 2000, but the
> client making the front end request is running in NT4 with a trust to 2000
> or 2003, can the backend servers still take advantage of Kerberos delegation
> etc.?
>
> So an NT 4 client contacts a SharePoint 2003 server that resides in a 2000
> domain. That SharePoint server, operating under a service account with all
> the proper settings, SPNs etc., needs to go talk to another application on
> behalf of that user using Kerberos delegation. Will that work, or does the
> client OS need to be XP or 2000? What are the limitations? Can the client
> OS be NT4 if the machine account and user account are in AD?


