Guest spconsultant, posted October 30, 2008

Background

I have a web server called portal.myc.local. I must implement Kerberos Constrained Delegation to impersonate the end user in a downstream application (on another server).

I am using Kerberos to authenticate users (for SharePoint). I have my SPN as HTTP/portal.myc.local MYC\apppoolaccount. This is working well.

For external access, public DNS has mycompany.com registered to me, and I have my public DNS pointing to portal.mycompany.com and, for testing right now, to my web server. I have created a wildcard SSL certificate for .mycompany.com (using SELFSSL).

(When I move along, this will be secured via ISA Server in my DMZ; the certificate will be self-signed.)

Status

Through Kerberos, my internal connections work properly. Externally, Kerberos fails and authenticates me via NTLM. Even if I do this from the LAN by using a hosts file entry to point to my internal web server, it still falls back to NTLM.

Question:

I believe what I need to do is map mycompany.com to myc.local so that the Active Directory domain controller on myc.local sees these as members of the same realm. How do I accomplish this? Is this correct? Can I authenticate like this? Any documentation source recommendations?
Guest spconsultant, posted October 30, 2008

Clarification: portal.mycompany.com is a public DNS "A" record.

I think I need something like:

Configure /etc/krb5.conf

    # Kerberos realm names are case-sensitive; an AD realm is the domain name in upper case
    [libdefaults]
        default_realm = MYC.LOCAL

    [domain_realm]
        portal.mycompany.com = MYC.LOCAL

    [realms]
        MYC.LOCAL = {
            kdc = kdc.myc.local
        }

Thanks for your thoughts!

On Oct 30, 3:55 pm, spconsultant <gfpilot2...@yahoo.com> wrote:
> Background
>
> I have a web server called portal.myc.local. I must implement Kerberos Constrained Delegation to impersonate the end user in a downstream application (on another server).
>
> I am using Kerberos to authenticate users (for SharePoint). I have my SPN as HTTP/portal.myc.local MYC\apppoolaccount. This is working well.
>
> For external access, public DNS has mycompany.com registered to me, and I have my public DNS pointing to portal.mycompany.com and, for testing right now, to my web server. I have created a wildcard SSL certificate for .mycompany.com (using SELFSSL).
>
> (When I move along, this will be secured via ISA Server in my DMZ; the certificate will be self-signed.)
>
> Status
>
> Through Kerberos, my internal connections work properly. Externally, Kerberos fails and authenticates me via NTLM. Even if I do this from the LAN by using a hosts file entry to point to my internal web server, it still falls back to NTLM.
>
> Question:
>
> I believe what I need to do is map mycompany.com to myc.local so that the Active Directory domain controller on myc.local sees these as members of the same realm. How do I accomplish this? Is this correct? Can I authenticate like this? Any documentation source recommendations?
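An added example, not from the thread, modelling in Python why the external name keeps falling back to NTLM: the browser builds the SPN from the host name in the URL (so a hosts file entry changes nothing), and both a realm mapping for that host and a matching SPN on the app-pool account must exist before the KDC can issue a ticket. The [domain_realm] map and SPN set are constructed from the poster's values; realm_for_host is a simplified model of MIT krb5's lookup rules, not the library itself.

```python
"""Model the two client-side lookups that decide whether a browser gets a
Kerberos ticket for a URL: the realm that owns the host ([domain_realm]) and
whether the KDC knows the SPN the client derives from that host name."""
from typing import Dict, Optional, Set, Tuple

# Constructed [domain_realm] map modelled on the poster's krb5.conf. A key with
# a leading "." covers the domain and every host under it; a bare key matches
# one host exactly. Realm names are case-sensitive and upper-case by convention.
DOMAIN_REALM: Dict[str, str] = {
    ".myc.local": "MYC.LOCAL",
    "portal.mycompany.com": "MYC.LOCAL",
}

# Constructed: the only SPN the poster has registered on the app-pool account.
REGISTERED_SPNS: Set[str] = {"HTTP/portal.myc.local"}


def realm_for_host(host: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Simplified MIT-style resolution: exact host entry first, then the
    longest matching parent-domain entry, else no realm at all."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None


def negotiate(host: str, domain_realm: Dict[str, str],
              registered_spns: Set[str]) -> Tuple[str, str, str]:
    """Return (mechanism, spn_requested, reason). The SPN comes from the URL
    host name, never from the server's real name, so an alias such as
    portal.mycompany.com needs its own SPN or the client drops to NTLM."""
    spn = "HTTP/" + host.lower().rstrip(".")
    realm = realm_for_host(host, domain_realm)
    if realm is None:
        return ("NTLM", spn, "no realm mapping for host; cannot locate a KDC")
    if spn not in registered_spns:
        return ("NTLM", spn, f"{realm} KDC has no principal {spn}")
    return ("Kerberos", spn, f"service ticket issued for {spn}@{realm}")


if __name__ == "__main__":
    fixed = REGISTERED_SPNS | {"HTTP/portal.mycompany.com"}  # after setspn -A
    for h, spns in [("portal.myc.local", REGISTERED_SPNS),
                    ("portal.mycompany.com", REGISTERED_SPNS),
                    ("portal.mycompany.com", fixed)]:
        print(h, "->", negotiate(h, DOMAIN_REALM, spns))
```

Running the block shows the internal name negotiating Kerberos, the external name falling to NTLM with the missing-SPN reason, and the same external name succeeding once HTTP/portal.mycompany.com is registered alongside the realm mapping.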