
Customer has both internal domain and DMZ domain. There is no trust between both domains at this point. We have web application which is deployed at DMZ zone since the application has some interaction with external users as well.

  1. Internal users from the internal domain would need to be able to log in to our web application through Kerberos authentication. Is that possible, considering the app pool of the web application would need to be able to decrypt service tickets from internal users while the app pool account is from the DMZ domain?
  2. Let's assume that #1 is possible. After internal users are logged in, we would need to do an LDAP query for a people picker on other internal users and groups. Here we would like to do the LDAP query to the internal domain via Kerberos delegation. Just wondering how we could find the internal domain controller in this case. Any way to query the GC for this? Or should we just make it configurable in a config file, or maybe we could get it from the UPN of the logged-in user? Assume now that we have the internal domain controller address; how could we query by impersonating the logged-in internal user through Kerberos constrained delegation? With the C# DirectoryEntry constructor public DirectoryEntry (string path, string username, string password, System.DirectoryServices.AuthenticationTypes authenticationType); we could supply an authenticationType of Delegation, although I would still need to supply a user name and password which I don't have.
windfly2006
    Scenario 1 is possible but you have to code it up manually to accept the tickets by calling SSPI directly. Scenario 2 could in theory work with unconstrained delegation (maybe), but that's incredibly insecure. You should seriously consider just creating a one-way trust and enabling resource-based constrained delegation. – Steve Jun 23 '20 at 21:51
  • Thanks @Steve. In case a resource-based constrained delegation could be created, just wondering how we would do so at the code level with DirectoryEntry. I didn't see a way to specify the right client user token here. – windfly2006 Jun 24 '20 at 18:59
  • You would use the constructor overload that contains just the path. It'll infer the current user and attempt impersonation behind the scenes. – Steve Jun 24 '20 at 20:10
  • Got it, thanks @Steve – windfly2006 Jun 25 '20 at 14:39
  • by the way @Steve, just wonder if you want to convert your comments to an answer to close this question out. If not, I could write answer based on your suggestion here. I won't be able to give solid example on the answers since we may not go this way and most probably we won't. Thanks again. – windfly2006 Jul 06 '20 at 20:41
  • converted to answer – Steve Jul 07 '20 at 15:38

1 Answer


Scenario 1 is possible but you have to code it up manually to accept the tickets by calling SSPI directly.

Scenario 2 could in theory work with unconstrained delegation (maybe), but that's incredibly insecure.

You should seriously consider just creating a one-way trust and enabling resource-based constrained delegation. You would then use the constructor overload that contains just the path.

public DirectoryEntry (string path);

It'll infer the current user and attempt impersonation behind the scenes.

Steve
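The following is an added example illustrating the answer's suggestion; it is not code from the question or the answer. It assumes IIS Windows authentication negotiates Kerberos (so the caller is a WindowsIdentity with a usable token), that a one-way trust exists and resource-based constrained delegation lets the DMZ app pool account act on behalf of callers towards the internal domain's LDAP service, and that the internal domain's DNS name is either configured or taken from the caller's UPN. The helper names (PeoplePicker, BuildDomainPath, DomainFromUpn, EscapeFilterValue, SearchAsCaller) and the sample domain and UPN are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example, not from the original Q&A. Assumes Kerberos auth in IIS, a one-way
// trust, and resource-based constrained delegation granted to the app pool account.
public static class PeoplePicker
{
    // Build an LDAP path from a domain's DNS name. Binding to the domain name instead of a
    // hard-coded host lets the DC locator choose a reachable domain controller, which
    // answers the "how do we find the internal DC" part of the question.
    // e.g. "corp.example.com" -> "LDAP://corp.example.com/DC=corp,DC=example,DC=com"
    public static string BuildDomainPath(string dnsDomain)
    {
        if (string.IsNullOrWhiteSpace(dnsDomain))
            throw new ArgumentException("domain required", nameof(dnsDomain));
        return "LDAP://" + dnsDomain + "/DC=" + string.Join(",DC=", dnsDomain.Split('.'));
    }

    // Derive the caller's domain from a UPN such as "alice@corp.example.com" (constructed
    // sample). Returns null when the name is not in UPN form so the caller can fall back
    // to a configured domain name.
    public static string DomainFromUpn(string upn)
    {
        int at = upn == null ? -1 : upn.IndexOf('@');
        return (at > 0 && at < upn.Length - 1) ? upn.Substring(at + 1) : null;
    }

    // RFC 4515 escaping so picker text typed by a user cannot change the filter structure.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Search users and groups in the internal domain while impersonating the authenticated
    // caller. The path-only DirectoryEntry constructor binds as the thread's current
    // identity; inside RunImpersonated that is the caller, so with RBCD in place the
    // Kerberos SSP obtains a ticket to the internal DC on the caller's behalf. No password
    // is needed, which is what the question was missing.
    public static IList<string> SearchAsCaller(WindowsIdentity caller, string ldapPath, string term)
    {
        string safeTerm = EscapeFilterValue(term);
        string filter = "(&(|(objectCategory=person)(objectCategory=group))" +
                        "(|(sAMAccountName=" + safeTerm + "*)(displayName=" + safeTerm + "*)))";

        return WindowsIdentity.RunImpersonated(caller.AccessToken, () =>
        {
            var results = new List<string>();
            using (var root = new DirectoryEntry(ldapPath))
            using (var searcher = new DirectorySearcher(root, filter, new[] { "sAMAccountName", "displayName" }))
            {
                searcher.SizeLimit = 50; // a picker only needs a bounded result set
                using (SearchResultCollection found = searcher.FindAll())
                {
                    foreach (SearchResult r in found)
                    {
                        string sam = r.Properties["sAMAccountName"].Count > 0 ? (string)r.Properties["sAMAccountName"][0] : "";
                        string dn  = r.Properties["displayName"].Count > 0 ? (string)r.Properties["displayName"][0] : "";
                        results.Add(sam + " (" + dn + ")");
                    }
                }
            }
            return results;
        });
    }

    // Usage from a request handler (hypothetical): the UPN would come from the
    // authenticated user's claims or a configured domain would be used instead.
    //   var caller = (WindowsIdentity)HttpContext.Current.User.Identity;
    //   string domain = DomainFromUpn(upnFromClaims) ?? configuredInternalDomain;
    //   IList<string> hits = SearchAsCaller(caller, BuildDomainPath(domain), userTypedText);
}
```

Two checks worth making when wiring this up: the impersonated bind only succeeds if the app pool account's SPN is the one the browser requested (otherwise the site falls back to NTLM and the token is not delegable), and the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute must be set on the internal account whose service the query targets, not on the DMZ account, which is what makes the delegation resource-based rather than the unconstrained form the answer warns against.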