﻿<?xml version="1.0" encoding="utf-8"?><rss version="2.0"><channel><title>Ayende @ Rahien</title><link>http://ayende.com</link><description>Ayende @ Rahien</description><copyright>Copyright (C) Ayende Rahien  2004 - 2021 (c) 2026</copyright><ttl>60</ttl><item><title>Ferret Chere commented on The evil tricks of &amp;ldquo;It Works On My Machine&amp;rdquo;, in reverse</title><description>Without meaning to sound like a snot about it, it's mildly reassuring to see that even developers of your skill and experience get flustered by “It Works On My Machine” at times.</description><link>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment9</link><guid>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment9</guid><pubDate>Fri, 17 Jun 2011 01:34:32 GMT</pubDate></item><item><title>Bogdan Cucosel commented on The evil tricks of &amp;ldquo;It Works On My Machine&amp;rdquo;, in reverse</title><description>If running with impersonation you should check out &lt;a href="http://support.microsoft.com/kb/810572"&gt;Kerberos Delegation&lt;/a&gt; and like Mike said set the SPN accordingly.</description><link>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment8</link><guid>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment8</guid><pubDate>Thu, 16 Jun 2011 12:22:51 GMT</pubDate></item><item><title>Mike Brown commented on The evil tricks of &amp;ldquo;It Works On My Machine&amp;rdquo;, in reverse</title><description>You have run into a security limitation in Windows. It's for your own good, if any application was able to wave your Kerberos token around willy nilly it'd be easier for a cracker to elevate privileges. This situation only arises when you cross machine boundaries and then cross application boundaries (same machine or not). This is why you don't see the problem locally. 

You want to set a Server Principal Name on the first leg of the trip so that it can do full delegation. This involves running the application under an account and using the setspn command. This article on TechNet shows the steps: http://technet.microsoft.com/en-us/library/cc786828(WS.10).aspx (ignore the fact that it refers to Server 2003; it works in 2008 and 08R2 as well).

Hope this helps.</description><link>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment7</link><guid>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment7</guid><pubDate>Wed, 15 Jun 2011 13:09:32 GMT</pubDate></item><item><title>David Tellander commented on The evil tricks of &amp;ldquo;It Works On My Machine&amp;rdquo;, in reverse</title><description>Hi, 

this sounds a lot like an issue that turned my hair gray a couple of months ago. In order to pass credentials from server1 to server2 one must use Kerberos authentication, since NTLM does not support delegation of impersonated credentials. 

A couple of links that describe what you'll need to configure if this turns out to be your problem:

http://msdn.microsoft.com/en-us/library/ms998355.aspx
http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx</description><link>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment6</link><guid>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment6</guid><pubDate>Wed, 15 Jun 2011 11:49:23 GMT</pubDate></item><item><title>Ayende Rahien commented on The evil tricks of &amp;ldquo;It Works On My Machine&amp;rdquo;, in reverse</title><description>Frank,
Oh yes, I ran into that, for sure, but that wasn't the only thing. I cannot figure out the package credentials thingie at all.
Once I worked around that, I got the loopback nonsense.</description><link>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment5</link><guid>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment5</guid><pubDate>Tue, 14 Jun 2011 11:50:47 GMT</pubDate></item><item><title>Frank commented on The evil tricks of &amp;ldquo;It Works On My Machine&amp;rdquo;, in reverse</title><description>Hi Ayende,

if I am correct you are doing an authenticated web request from a server to itself? It might be that you are affected by the loopback check they added in .NET 3.5 SP1. It has bitten us in the *ss as well.

See this link for the loopback check they added (and a possible fix):
http://msdn.microsoft.com/en-us/library/cc982052(v=vs.90).aspx

This URL has some more fixes:
http://support.microsoft.com/kb/896861
</description><link>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment4</link><guid>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment4</guid><pubDate>Tue, 14 Jun 2011 11:47:43 GMT</pubDate></item><item><title>enslam commented on The evil tricks of &amp;ldquo;It Works On My Machine&amp;rdquo;, in reverse</title><description>Have you set identity impersonate="true" in the web.config?</description><link>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment3</link><guid>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment3</guid><pubDate>Tue, 14 Jun 2011 10:17:19 GMT</pubDate></item><item><title>grega_g commented on The evil tricks of &amp;ldquo;It Works On My Machine&amp;rdquo;, in reverse</title><description>evil blog engine truncated my example.
So you add apppool as user like this:
iis apppool\\[name of application pool] and click Check Names</description><link>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment2</link><guid>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment2</guid><pubDate>Tue, 14 Jun 2011 10:11:17 GMT</pubDate></item><item><title>grega_g commented on The evil tricks of &amp;ldquo;It Works On My Machine&amp;rdquo;, in reverse</title><description>start-&gt;run-&gt;mmc-&gt;File-&gt;Add/remove snapin -&gt; Certificates-&gt;Select account

Then select the certificate you want to use, right click-&gt;Manage private keys...

Then add the app pool of the application that you want to grant permissions to:
iis AppPool\&lt;name of app pool&gt;



</description><link>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment1</link><guid>http://ayende.com/15361/the-evil-tricks-of-it-works-on-my-machine-in-reverse#comment1</guid><pubDate>Tue, 14 Jun 2011 10:08:49 GMT</pubDate></item></channel></rss>