delegation question

R

russell.lane

I'm building out a pretty standard n-tier ASP.Net web application. The
stack
includes application/presentation, biz logic, and data access layers on top
of an SQL server back end.

We want to use impersonation and delegation to forward the user's Windows
login through all layers in the stack. To support this, I'm setting up a
set of domain accounts which we will use to create SPNs for the various
services
in the various layers.

At this point, I'm trying to figure out how many, and what, domain accounts
I need to use in creating the SPNs. Is there a best practice paper on this?

I do have one very specific question:

It's not clear to me that, for our purposes, there's any need to establish
different domain accounts for the business logic and data access layers.
Can I create one account for both of these layers and create SPNs for both
business logic and data access layers using the same domain account?

For example -- assume I've created an account called "websvc". Also assume
that business logic services run on server1 and data access services run on
server2. Both services run on their respective hosts in dedicated
application pools that run under the "websvc" account.

Can I do this:

setspn -A HTTP/server1 mydomain\websvc
setspn -A HTTP/server1.mydomain.com mydomain\websvc

AND this:

setspn -A HTTP/server2 mydomain\websvc
setspn -A HTTP/server2.mydomain.com mydomain\websvc

and, if I do that, will the business logic layer be able to delegate to the
data access layer? Do I have to add "websvc" to it's own list of accounts
that it can delegate to to make that work?

I've cross-posted this on *.webservices.

Many thanks, I look forward to your replies.

Russell Lane
(e-mail address removed)
 
B

Bruce Barker

best practice is to never give more security access than required. if only
the bi layer needs access to sqlserver, than only the bi layer should have
access.

in asp.net (on 2003), there are several options for controling the request
thread security

set impersonation=false set in web config

1) default - use the asp.net service account
2) specify app pool for the website, and asp.net will use its creditials

set impersonation=true set in web config

1) specify a user name and password in web config - asp.net will use the
specified login.
2) no username specified, asp.net will use iis assigned identity for
request - will either be iis service acct if anon, or users authenicated
account if not. to forward these creditials to a network resource that is on
another server will requiire basic authentication or Kerberos with delation
enabled.

-- bruce (sqlwork.com)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,743
Messages
2,569,478
Members
44,899
Latest member
RodneyMcAu

Latest Threads

Top