c# - Constrained delegation from IIS to remote DCOM component
I am developing a web service that has to authenticate the end user and connect to a remote DCOM server on behalf of that user. I am trying to achieve constrained delegation from the IIS web service to the remote DCOM server component.
This does not work. The call is either failing, or the identity seen by the DCOM server is wrong.
The DCOM server requires the caller to be an authenticated and authorized user. Restrictions are applied to the resources available to the user based on identity. That's why the caller has to be the end user and cannot be a service account.
Configuration:
- The IIS web service is hosted on server srv-iis and runs under account svc-iis.
- The DCOM server is hosted on server srv-app and runs under account svc-app.
- All accounts are domain accounts.
- SPNs have been configured on the service accounts, and constrained delegation is set in Active Directory (2012 R2) for these accounts and for both computer accounts.
On IIS, the user is authenticated (protocol "Negotiate"), and the web service (.NET) gets an S4U token with the WindowsIdentity constructor. The retrieved token has an impersonation level of "Impersonation".
The token is used to impersonate the client for the remote DCOM calls that require the user account. When the DCOM calls are made with the following configuration:
CoSetProxyBlanket(appServer, -1, -1, -1, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_DELEGATE, NULL, 0)
the identity of the caller, as seen by the DCOM server, is "svc-iis".
When enabling cloaking:
CoSetProxyBlanket(appServer, -1, -1, -1, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_DELEGATE, NULL, EOAC_DYNAMIC_CLOAKING)
all calls impersonating the user fail with error 1825: "A security package specific error occurred".
The RPC extended error information is:
+ name=, pid=2772, timestamp=27/07/2017 10:28:13, component=2, status=1825, location=1710
  - parameter 0 (eeptlongval): 0x00000001
+ name=, pid=2772, timestamp=27/07/2017 10:28:13, component=2, status=1825, location=1461
+ name=, pid=2772, timestamp=27/07/2017 10:28:13, component=2, status=1825, location=153
  - parameter 0 (eeptlongval): 0x80090332
  - parameter 1 (eeptlongval): 0x00000004
  - parameter 2 (eeptlongval): 0x0005000e
  - parameter 3 (eeptlongval): 0x00000001
Location 153 is:
InitializeThirdLeg40: A security context was established, but the caller asked RPC for RPC_C_IMP_LEVEL_DELEGATE impersonation, and the security context does not support that. The first parameter is a ULONG SEC_E_SECURITY_QOS_FAILED. The second parameter is the impersonation type asked for by the caller. The third parameter is the attributes of the security context.
0x80090332
SEC_E_SECURITY_QOS_FAILED: The security context could not be established due to a failure in the requested quality of service (for example, mutual authentication or delegation).
On the DCOM server, for the calls that reach the server, CoQueryClientBlanket gives this info:
authnsvc=16, authzsvc=1, principalname=domain\svc-app, authnlevel=5, implevel=1, privs=00af7ca8, capabilities=00000000
AuthnSvc 16 is Kerberos.
The error messages are not explicit. The configuration in AD seems correct. I have enabled Kerberos logging on the servers. There are no obvious errors: ERR_PREAUTH_REQUIRED and ERR_BADOPTION. The last one, ERR_BADOPTION, is related to delegation, but I do not understand what is causing the error.
I wonder if the impersonation level of the S4U token (Impersonation) is sufficient, or if it should be Delegation. The documentation mentions the Identification and Impersonation levels. I think the problem is related to Kerberos, either at the application level or at the Active Directory level.
Can someone guide me to understand what is missing and how to investigate the problem? I can debug both the web application and the DCOM component.
Thanks.
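An added diagnostic helper in C# (.NET Framework), not code from the question: it repeats the S4U logon and the two CoSetProxyBlanket variants from the question through P/Invoke so the token's impersonation level and each HRESULT can be logged on the IIS side and correlated with the CoQueryClientBlanket output on srv-app. The names DelegationProbe, Probe, userUpn, interfaceProxy and IAppServer are assumptions; the constant values are those of the COM/RPC headers.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added diagnostic helper (not code from the question): repeats the S4U logon and
// the two CoSetProxyBlanket variants so the token level and each HRESULT can be
// logged on the IIS side and correlated with the DCOM-side CoQueryClientBlanket output.
static class DelegationProbe
{
    [DllImport("ole32.dll")]
    static extern int CoSetProxyBlanket(IntPtr pProxy, uint dwAuthnSvc, uint dwAuthzSvc,
        IntPtr pServerPrincName, uint dwAuthnLevel, uint dwImpLevel,
        IntPtr pAuthInfo, uint dwCapabilities);

    // Constant values as defined in the COM/RPC headers (rpcdce.h, objidl.h).
    const uint RPC_C_AUTHN_DEFAULT       = 0xFFFFFFFF;  // the -1 in the question's call
    const uint RPC_C_AUTHZ_DEFAULT       = 0xFFFFFFFF;
    const uint RPC_C_AUTHN_LEVEL_DEFAULT = 0;
    const uint RPC_C_IMP_LEVEL_DELEGATE  = 4;
    const uint EOAC_NONE                 = 0;
    const uint EOAC_DYNAMIC_CLOAKING     = 0x40;
    static readonly IntPtr COLE_DEFAULT_PRINCIPAL = new IntPtr(-1);

    // userUpn: UPN of the user IIS already authenticated via Negotiate.
    // interfaceProxy: the DCOM interface proxy pointer, e.g. from
    //   Marshal.GetComInterfaceForObject(appServer, typeof(IAppServer))  (IAppServer is hypothetical)
    public static void Probe(string userUpn, IntPtr interfaceProxy)
    {
        using (var s4u = new WindowsIdentity(userUpn))   // S4U logon, as in the question
        {
            // An Identification-level token is only good for identity lookups, not for reaching
            // resources; the question reports Impersonation. Log it next to the DCOM result.
            Console.WriteLine("S4U token for {0}: level {1}", s4u.Name, s4u.ImpersonationLevel);
            using (s4u.Impersonate())   // .NET Framework API; the thread now carries the S4U token
            {
                Report("no cloaking", SetBlanket(interfaceProxy, EOAC_NONE));
                Report("dynamic cloaking", SetBlanket(interfaceProxy, EOAC_DYNAMIC_CLOAKING));
                // The question's error 1825 surfaces on the DCOM method calls made after this
                // point, not on CoSetProxyBlanket itself, so make those calls inside this block.
            }
        }
    }

    static int SetBlanket(IntPtr proxy, uint capabilities) =>
        CoSetProxyBlanket(proxy, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, COLE_DEFAULT_PRINCIPAL,
            RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_DELEGATE, IntPtr.Zero, capabilities);

    // GetExceptionForHR returns null for success HRESULTs such as S_OK.
    static void Report(string label, int hr) =>
        Console.WriteLine("CoSetProxyBlanket ({0}): 0x{1:X8} {2}", label, hr,
            Marshal.GetExceptionForHR(hr)?.Message ?? "S_OK");
}
```

Run it from the IIS worker process under svc-iis; a token level below Impersonation, or a cloaked blanket followed by 1825 on the method call, points at the Kerberos delegation grant for svc-iis rather than at the DCOM code.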