Security
Security |
|
Windows NT 4.0 does not allow delegation of security credentials. That is, it does not allow a server to pass your security information onto another server. Windows 2000 Server, in contrast, allows credential delegation in certain situations.
A common scenario is when IIS 5.0 is trying to access a resource on a network server—such as an Access database—while using integrated Windows authentication, Anonymous, or Basic authentication, regardless of particular DACL issues. See the following figure.
Table 9.4 shows which authentication protocols allow access to remote resources:
Table 9.4 Authentication Protocols That Can Access Remote Resources
Protocol |
Access Remote Resource? |
Comment |
| Anonymous (IIS control password enabled) | No | Windows subauthentication DLL does not allow this. |
| Anonymous (IIS control password disabled) | Yes | Can make one “hop” onto a remote server. |
| Basic | Yes | Can make one “hop” onto a remote server. |
| Integrated Windows | Depends | No, if NTLM is used; yes, if the Kerberos v5 authentication protocol is used. If Kerberos v5 is used throughout, then the request can be fully delegated to many remote servers. |
| Digest | No | Windows subauthentication DLL does not allow this. |
| Certificate Mapping (IIS 5.0 mapper) |
Yes | Can make one “hop” onto a remote server. |
| Certificate Mapping (Windows Mapper) | No | Windows mapping does not allow access to the user’s password, so the password cannot be delegated. |