Impersonation

[Kevin Vogler]

I'm working with a pre-existing custom business portal that's part asp.net,
part classic asp. Authentication is Asp.net Forms.

The client has multiple locations each with multiple users.

The client desires to add MS Dynamics Business Portal (essentially
Sharepoint w/MS Greatplains).

The client also desires to buy a single CAL for each location (not each
user). For example: Store 1 has five users with asp.net credentials for the
existing asp.net entry point and each of the five users would be linked to a
single Windows/Business Portal user "Store_1"

The Store 1 user "Bob" would log into the asp.net site and would then be
programatically be logged in to windows as "Store_1" and could then access
the Sharepoint/GP Business Portal pages.

I'm assuming that all of this resides on a single domain. My knowledge of
the architecture is sketchy at this point.

I know that I could link the store users with the Windows users, enable
impersonation and programatically log them into the domain.
What is the best practice in this situation?
How do you maintain it and keep everything in sync other than "Carefully"?
Store the Windows credentials encrypted and decrypt?

Thanks in advance for any guidance.

Kevin Vogler

 

[bruce barker]

you do not login to web sites. you authenticate on every request. you
would need a single signon server to allow the same login to work for
your site and the sharepoint site.

your site could be a reverse proxy to the sharepoint, but I believe this
is a violation of your cal license (actually any way you approach this
is probably a violation).


-- bruce (sqlwork.com)

 

[Gregory A. Beamer]

I'm working with a pre-existing custom business portal that's part
asp.net, part classic asp. Authentication is Asp.net Forms.

The client has multiple locations each with multiple users.

The client desires to add MS Dynamics Business Portal (essentially
Sharepoint w/MS Greatplains).

The client also desires to buy a single CAL for each location (not
each user). For example: Store 1 has five users with asp.net
credentials for the existing asp.net entry point and each of the five
users would be linked to a single Windows/Business Portal user
"Store_1"

The Store 1 user "Bob" would log into the asp.net site and would then
be programatically be logged in to windows as "Store_1" and could then
access the Sharepoint/GP Business Portal pages.

I'm assuming that all of this resides on a single domain. My knowledge
of the architecture is sketchy at this point.

I know that I could link the store users with the Windows users,
enable impersonation and programatically log them into the domain.
What is the best practice in this situation?
How do you maintain it and keep everything in sync other than
"Carefully"? Store the Windows credentials encrypted and decrypt?

Thanks in advance for any guidance.

There is both a technical and a legal issue here.

The legal issue is whether or not the license will cover the users in
this manner. And this could be a big issue, as the fines, if caught, can
be fairly steep.

From a technical standpoint, you will have to intercept the call and
impersonate the user as a particular store. This is not that hard, but
maintaining the solution is, as every personnel change has to be
properly provisioned. Perhaps this is what you were thinking when you
stated "carefully".

MS solved the problem years ago in Commerce Server, but you cannot
easily slap the provisioning bits on top of your solution.

Peace and Grace,

 

[Kevin Vogler]

Thanks the responses.

Re: legal issues

We have every intention of keeping to the letter of the license agreements
and will clear everything with MS to make sure we are compliant.

In this case we aren't talking about 3 people simultaneously logging in as
the same Windows user. We're looking at a scenario where a day manager would
log in in the morning and then log out and then an evening manager would log
in. How would this be different than User A loggin in with User A's
credentials, loggin out and then User B loggin in with User A's credentials
or is that a violation?

Thanks for the feedback.

Kevin

 

[Kevin Vogler]

Thanks for the response and the hand slap.I use "login" generically because
that's what MS calls their asp net controls.

I'll investigate further.

Thanks,
Kevin

 

[Gregory A. Beamer]

We have every intention of keeping to the letter of the license
agreements and will clear everything with MS to make sure we are
compliant.

I don't doubt you want to keep it legal. I just wanted to make sure you
checked out the legal issues before proceeding with any plan.

In this case we aren't talking about 3 people simultaneously logging
in as the same Windows user. We're looking at a scenario where a day
manager would log in in the morning and then log out and then an
evening manager would log in. How would this be different than User A
loggin in with User A's credentials, loggin out and then User B loggin
in with User A's credentials or is that a violation?

I am not a licensing expert, so I would talk to a licensing specialist
at the local Microsoft office or a licensing partner. They can better
handle how to license things properly so it is the best for the company.

I do know if a CAL is linked to a windows account, you generally need a
CAL per person, no matter whether a user is logging in only once per day
and only one user per store is using the system at any one time. There
are, however, CALs that are for concurrent users and not actual
individuals, so it varies.

If you had the option of a single logon for the system, where the user
logged in as Store###, that might be an option to keep it legal, but
then you have to change passwords when employees leave and notify the
current employees, so it is not always the best option.

Mapping accounts is a bit more of a maintenance nightmare (or
potentially so), which is what you end up with impersonation.

I would iron out any legal issues with a licensing expert first, as that
might alter your solution.

Peace and Grace,

 

[Kevin Vogler]

Gregory,

Thanks again for the feedback. I'm checking out the licensing issues and am
aware of the maintenance challenge. Since the store employees don't have
access to the Windows credentials, it shouldn't be that much of an issue
when an employee leaves. Just disable the asp.net credentials.

Thanks again,

Kevin