Configuration Checklists


The following checklists detail some settings that must be applied to make the end-to-end Kerberos example operational. If things have not gone as they should, consult these checklists to verify that the settings are configured correctly.

Client Settings

There is very little to configure at the client. We purposefully designed the application that way to reduce administrative costs. Check that the following is true:

  • Client operating system is Windows 2000 Professional.
  • Client computer is a member of the domain.
  • The browser is Internet Explorer 5 or later (Windows Integrated authentication, and therefore Kerberos, requires it), or any browser that supports Basic authentication if the client will use the Legacy virtual directory with Basic authentication.

Web Server Settings

Check that the following is true for delegation to work correctly with IIS 5. Many of these settings are configured automatically by the ExAirConfig.vbs script, which is included on the companion CD.

  • Server operating system is Windows 2000 Server or Windows 2000 Advanced Server.
  • Server is a member of the domain.
  • Server is configured as Trusted For Delegation in the Active Directory Users And Computers tool.
  • Web server is configured to run the ExAirHR Web application with High (Isolated) application protection.
  • The COM+ application process, named IIS-{Default Web Site//Root/ExAirHR}, handling the ExAirHR Web application is marked to execute as the AppAccount identity. You can set this in the Component Services tool.
  • The COM+ application process handling the ExAirHR Web application must be configured to use delegation. This is the Impersonation Level setting on the COM+ application in the Component Services tool.
  • The ExAirHR COM+ application proxy is loaded.
  • The ExAirHR Web application is marked as requiring Windows Integrated authentication, and the ExAirHR Legacy virtual directory is marked as requiring Basic authentication and, optionally, SSL/TLS.

Middleware Server Settings

Check that the following is true for delegation to work correctly with the COM+ component's interaction with SQL Server on the DBServer computer:

  • Server operating system is Windows 2000 Server or Windows 2000 Advanced Server.
  • Server is a member of the domain.
  • Server is configured as Trusted For Delegation in the Active Directory Users And Computers tool.
  • The ExAirHR COM+ application is installed.
  • There is an Everyone role that contains the Everyone group.
  • The ExAirHR COM+ application is configured to support delegation.
  • The ExAirHR COM+ application is configured to require access checks.
  • The DBQuery.GenericQuery COM+ component enforces component-level access checks, and the Everyone role has access to the component and its methods.
  • The ACLs on DBQuery.dll must allow Everyone execute access.
  • For debugging, you might want to set the Minutes Until Idle Shutdown option to 0 on the Advanced tab of the application's properties. The application then unloads as soon as a request finishes, so the component DLL is no longer locked by the running process and you can drop in a new build without stopping the application by hand. It also makes it obvious when the application is starting and stopping.
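The following script is added here as an illustration; it is not from the book or the companion CD's ExAirConfig.vbs. It checks the Web Server and Middleware Server items above that a script can read: the computer account's Trusted For Delegation flag in Active Directory, the IIS 5 metabase settings of the ExAirHR application (through the IIS ADSI provider), and the COM+ catalog (through the COMAdmin.COMAdminCatalog object). It assumes Windows PowerShell is available on the server, which Windows 2000 did not ship with; the interfaces it calls are the same ones IIS 5 and COM+ expose to scripts. Run it locally on each server from an elevated prompt with -Role Web or -Role Middleware. The application, component, role and account names are the ones used in this chapter; the path of the Legacy virtual directory and the parameter names are assumptions.

```powershell
# Added verification script (not the book's or the CD's code). Checks the
# Web Server and Middleware Server lists above. -Role and $LegacyVDirPath
# are assumptions made for this example.
param(
    [Parameter(Mandatory = $true)] [ValidateSet('Web', 'Middleware')] [string]$Role,
    [string]$LegacyVDirPath = 'IIS://localhost/W3SVC/1/Root/ExAirHR/Legacy'   # assumed location
)
$ErrorActionPreference = 'Stop'

# Documented constants: userAccountControl bit, IIS metabase AuthFlags and
# AppIsolated, COM+ catalog ImpersonationLevel and AccessChecksLevel.
$UF_TRUSTED_FOR_DELEGATION = 0x80000
$AUTH_ANONYMOUS = 1; $AUTH_BASIC = 2; $AUTH_NTLM = 4   # AUTH_NTLM = Integrated Windows authentication
$APP_ISOLATED = 1                                      # 0 in-process, 1 High (Isolated), 2 Medium (Pooled)
$IMPERSONATE_DELEGATE = 4                              # 1 Anonymous, 2 Identify, 3 Impersonate, 4 Delegate
$ACCESS_CHECKS_COMPONENT = 1                           # 0 process level only, 1 process and component level

function Report([string]$Item, [bool]$Ok, [string]$Detail = '') {
    Write-Host ('[{0}] {1} {2}' -f $(if ($Ok) { 'PASS' } else { 'FAIL' }), $Item, $Detail)
}

# "Trusted for delegation" in Active Directory Users And Computers sets one bit
# in userAccountControl on the computer object.
function Test-TrustedForDelegation([string]$ComputerName = $env:COMPUTERNAME) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$s.PropertiesToLoad.Add('userAccountControl')
    $hit = $s.FindOne()
    if (-not $hit) { throw "Computer account $ComputerName`$ not found; is this server a domain member?" }
    return (([int]$hit.Properties['useraccountcontrol'][0] -band $UF_TRUSTED_FOR_DELEGATION) -ne 0)
}

function Get-ComPlusApplication([string]$Name) {
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications'); $apps.Populate()
    foreach ($a in $apps) { if ($a.Value('Name') -eq $Name) { return @{ Catalog = $catalog; App = $a } } }
    return $null
}

function Test-WebServer {
    Report 'Server trusted for delegation' (Test-TrustedForDelegation)
    $hr = [ADSI]'IIS://localhost/W3SVC/1/Root/ExAirHR'
    $iso = [int]$hr.Properties['AppIsolated'].Value
    Report 'ExAirHR runs with High (Isolated) protection' ($iso -eq $APP_ISOLATED) "AppIsolated=$iso"
    # Integrated auth must be on and Anonymous off: with Anonymous left on, IIS
    # serves the request as IUSR_<machine> and nothing is delegated.
    $f = [int]$hr.Properties['AuthFlags'].Value
    Report 'ExAirHR requires Integrated Windows auth' ((($f -band $AUTH_NTLM) -ne 0) -and (($f -band $AUTH_ANONYMOUS) -eq 0)) "AuthFlags=$f"
    $lg = [ADSI]$LegacyVDirPath
    $f = [int]$lg.Properties['AuthFlags'].Value
    Report 'Legacy requires Basic auth' ((($f -band $AUTH_BASIC) -ne 0) -and (($f -band $AUTH_ANONYMOUS) -eq 0)) "AuthFlags=$f"
    Report 'Legacy requires SSL/TLS (optional)' ([bool]$lg.Properties['AccessSSL'].Value)
    $found = Get-ComPlusApplication 'IIS-{Default Web Site//Root/ExAirHR}'
    if (-not $found) { Report 'Out-of-process COM+ application for ExAirHR exists' $false; return }
    $id = [string]$found.App.Value('Identity')
    Report 'Runs as AppAccount' ($id -like '*AppAccount') $id
    Report 'Impersonation level is Delegate' ($found.App.Value('ImpersonationLevel') -eq $IMPERSONATE_DELEGATE)
}

function Test-MiddlewareServer {
    Report 'Server trusted for delegation' (Test-TrustedForDelegation)
    $found = Get-ComPlusApplication 'ExAirHR'
    if (-not $found) { Report 'ExAirHR COM+ application installed' $false; return }
    $cat = $found.Catalog; $app = $found.App
    Report 'Impersonation level is Delegate' ($app.Value('ImpersonationLevel') -eq $IMPERSONATE_DELEGATE)
    Report 'Access checks required' ([bool]$app.Value('ApplicationAccessChecksEnabled'))
    Report 'Checks at process and component level' ($app.Value('AccessChecksLevel') -eq $ACCESS_CHECKS_COMPONENT)
    if ($app.Value('ShutdownAfter') -eq 0) { Write-Host '[INFO] Minutes Until Idle Shutdown is 0 (debug setting)' }
    $roles = $cat.GetCollection('Roles', $app.Key); $roles.Populate()
    $hasGroup = $false
    foreach ($r in $roles) {
        if ($r.Value('Name') -ne 'Everyone') { continue }
        $users = $cat.GetCollection('UsersInRole', $r.Key); $users.Populate()
        foreach ($u in $users) { if ($u.Value('User') -like '*Everyone') { $hasGroup = $true } }
    }
    Report 'Everyone role contains the Everyone group' $hasGroup
    $comps = $cat.GetCollection('Components', $app.Key); $comps.Populate()
    foreach ($c in $comps) {
        if ($c.Value('ProgID') -ne 'DBQuery.GenericQuery') { continue }
        Report 'DBQuery.GenericQuery enforces component-level checks' ([bool]$c.Value('ComponentAccessChecksEnabled'))
        $cr = $cat.GetCollection('RolesForComponent', $c.Key); $cr.Populate()
        $inRole = $false
        foreach ($x in $cr) { if ($x.Value('Name') -eq 'Everyone') { $inRole = $true } }
        Report 'Everyone role assigned to the component' $inRole
        # NTFS: Everyone needs an Allow ACE that carries the execute right on the DLL.
        $dll = [string]$c.Value('DLL')
        $execBit = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
        $allow = (Get-Acl $dll).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -like '*Everyone' -and
            (([int]$_.FileSystemRights -band $execBit) -ne 0) }
        Report 'Everyone has execute access on the DLL' ($null -ne $allow) $dll
    }
}

switch ($Role) { 'Web' { Test-WebServer } 'Middleware' { Test-MiddlewareServer } }
```

The two checks that most often explain a failed delegation chain are the AuthFlags test (Anonymous access left enabled on the ExAirHR application) and the ImpersonationLevel test (Impersonate instead of Delegate on either COM+ application); both produce a working page that simply runs as the wrong identity, which is why the script reports them explicitly rather than just checking that the applications exist.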

Database Server Settings

Check that the following is true for security to work correctly with SQL Server 7 or SQL Server 2000 on the DBServer computer. Remember that SQL Server must be configured so that it can accept a trusted connection from the COM+ component on the Middleware computer.

  • Server operating system is Windows 2000 Server or Windows 2000 Advanced Server.
  • Server is a member of the domain.
  • There is no need to make this computer trusted for delegation.
  • SQL Server 7 or SQL Server 2000 is installed.
  • SQL Server is configured to run as LocalSystem, and it uses the Named Pipes network library. If you want to use SQL Server 2000 and want to change the example application such that you can delegate the client's identity out of SQL Server 2000, you must use the Super Socket network library.
  • SQL Server is configured for Windows Authentication mode only (Windows Integrated authentication), not Mixed Mode (SQL Server and Windows authentication).
  • The ExAirHR database is loaded.
  • The Alice and Administrator accounts are valid logins to SQL Server, and the default database for each is ExAirHR.
  • The Alice and Administrator accounts are valid database users.
  • Alice and the Administrator have execute permission on the spGetCurrentUser stored procedure.
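The following script is added here as an illustration; it is not from the book or the companion CD. It opens a trusted (Windows authentication) connection to DBServer and queries the SQL Server 7/2000 system tables and procedures for the items in the Database Server list: the login mode, the logins and their default database, the database users, and the EXECUTE permission on spGetCurrentUser. It also reports the identity and network library of its own connection, which is the same check you would run from inside the COM+ component to confirm that the client's identity, not AppAccount, reached SQL Server. Run it as a member of the sysadmin role. The server, database, stored procedure and account names are the ones used in this chapter; the use of the current user's domain for the login names and the parameter names are assumptions.

```powershell
# Added check script (not the book's or the CD's code). Queries the legacy
# system tables of SQL Server 7/2000; $Logins assumes the accounts live in
# the domain the script runs under.
param(
    [string]$Server   = 'DBServer',
    [string]$Database = 'ExAirHR',
    [string[]]$Logins = @("$env:USERDOMAIN\Alice", "$env:USERDOMAIN\Administrator")
)
$ErrorActionPreference = 'Stop'

function Report([string]$Item, [bool]$Ok, [string]$Detail = '') {
    Write-Host ('[{0}] {1} {2}' -f $(if ($Ok) { 'PASS' } else { 'FAIL' }), $Item, $Detail)
}

# Runs a query with SqlParameters (names are never spliced into the SQL text)
# and returns a DataTable; the leading comma stops PowerShell unrolling it.
function Invoke-Sql([System.Data.SqlClient.SqlConnection]$Conn, [string]$Sql, [hashtable]$Params = @{}) {
    $cmd = $Conn.CreateCommand()
    $cmd.CommandText = $Sql
    foreach ($k in $Params.Keys) { [void]$cmd.Parameters.AddWithValue("@$k", $Params[$k]) }
    $table = New-Object System.Data.DataTable
    [void](New-Object System.Data.SqlClient.SqlDataAdapter $cmd).Fill($table)
    return ,$table
}

# Integrated Security=SSPI is the "trusted connection" the checklist refers to.
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Database=$Database;Integrated Security=SSPI"
$conn.Open()
try {
    # Identity and net-library of this connection. Issued from the COM+
    # component with delegation working, SUSER_SNAME() is the browser user,
    # not the AppAccount the middleware process runs as.
    $me = (Invoke-Sql $conn 'SELECT SUSER_SNAME() AS login_name, net_library FROM master..sysprocesses WHERE spid = @@SPID').Rows[0]
    Write-Host ('Connected as {0} via {1}' -f $me.login_name, ([string]$me.net_library).Trim())

    $mode = [string](Invoke-Sql $conn "EXEC master..xp_loginconfig 'login mode'").Rows[0].config_value
    Report 'Login mode is Windows NT Authentication (not Mixed)' ($mode -eq 'Windows NT Authentication') $mode

    foreach ($login in $Logins) {
        $l = Invoke-Sql $conn 'SELECT dbname FROM master..syslogins WHERE name = @n' @{ n = $login }
        Report "$login is a login with default database $Database" ($l.Rows.Count -eq 1 -and $l.Rows[0].dbname -eq $Database)
        $u = Invoke-Sql $conn 'SELECT name FROM sysusers WHERE name = @n' @{ n = $login }
        Report "$login is a user in $Database" ($u.Rows.Count -eq 1)
        $p = Invoke-Sql $conn 'EXEC sp_helprotect @name = @obj' @{ obj = 'spGetCurrentUser' }
        $grant = $p.Rows | Where-Object {
            $_.Grantee -eq $login -and ([string]$_.Action).Trim() -eq 'Execute' -and
            ([string]$_.ProtectType).Trim() -like 'Grant*' }
        Report "$login has EXECUTE on spGetCurrentUser" ($null -ne $grant)
    }
} finally { $conn.Close() }
```

If the first line reports a login other than the one you are running as, or "Connected as" shows AppAccount when the script is executed from the middleware under a delegated client, the problem is upstream on the Middleware Server (impersonation level or delegation flag), not in the SQL Server settings listed here.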


Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138