delegation question

russell.lane
      01-13-2006
I'm building out a pretty standard n-tier ASP.Net web application. The stack
includes application/presentation, biz logic, and data access layers on top
of an SQL server back end.

We want to use impersonation and delegation to forward the user's Windows
login through all layers in the stack. To support this, I'm setting up a
set of domain accounts which we will use to create SPNs for the various
services in the various layers.

At this point, I'm trying to figure out how many, and what, domain accounts
I need to use in creating the SPNs. Is there a best practice paper on this?

I do have one very specific question:

It's not clear to me that, for our purposes, there's any need to establish
different domain accounts for the business logic and data access layers.
Can I create one account for both of these layers and create SPNs for both
business logic and data access layers using the same domain account?

For example -- assume I've created an account called "websvc". Also assume
that business logic services run on server1 and data access services run on
server2. Both services run on their respective hosts in dedicated
application pools that run under the "websvc" account.

Can I do this:

setspn -A HTTP/server1 mydomain\websvc
setspn -A HTTP/server1.mydomain.com mydomain\websvc

AND this:

setspn -A HTTP/server2 mydomain\websvc
setspn -A HTTP/server2.mydomain.com mydomain\websvc

and, if I do that, will the business logic layer be able to delegate to the
data access layer? Do I have to add "websvc" to its own list of accounts
that it can delegate to, to make that work?

I've cross-posted this on *.webservices.

Many thanks, I look forward to your replies.

Russell Lane
Bruce Barker
      01-13-2006
best practice is to never give more security access than required. if only
the bi layer needs access to sqlserver, then only the bi layer should have
access.

in asp.net (on 2003), there are several options for controlling the request
thread security

set impersonation=false set in web config

1) default - use the asp.net service account
2) specify app pool for the website, and asp.net will use its credentials

set impersonation=true set in web config

1) specify a user name and password in web config - asp.net will use the
specified login.
2) no username specified, asp.net will use iis assigned identity for
request - will either be iis service acct if anon, or user's authenticated
account if not. to forward these credentials to a network resource that is on
another server will require basic authentication or Kerberos with delegation
enabled.

-- bruce (sqlwork.com)
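An added audit script, not from either poster: it checks the SPN layout Russell proposes and the "Kerberos with delegation enabled" option Bruce mentions, reporting missing or duplicate SPNs and the delegation mode of the shared account. It assumes the RSAT ActiveDirectory module and read access to the domain, and uses the websvc/server1/server2 names from the question as placeholders.

```powershell
# Example added to this thread (not code from the posters). Audits a shared
# service account before trusting it for a multi-hop Kerberos chain.
# Placeholders: account and host names come from the question above.
Import-Module ActiveDirectory

$ServiceAccount = 'websvc'
$ExpectedSpns   = @('HTTP/server1', 'HTTP/server1.mydomain.com',
                    'HTTP/server2', 'HTTP/server2.mydomain.com')
# Next hop the business logic tier (server1) must be allowed to delegate to.
# With constrained delegation this list is per account, so the target SPN is
# required even though the same account runs both tiers.
$DelegationTargets = @('HTTP/server2', 'HTTP/server2.mydomain.com')

$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'
$acct  = Get-ADUser -Identity $ServiceAccount -Properties $props

# 1. Each SPN must exist exactly once in the domain. A duplicate (for example
#    the same HTTP/ SPN left on the computer object and on websvc) makes the
#    KDC pick an arbitrary holder; clients then fail or fall back to NTLM,
#    and NTLM cannot be delegated at all.
foreach ($spn in $ExpectedSpns) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                 Select-Object -ExpandProperty DistinguishedName)
    switch ($holders.Count) {
        0       { Write-Warning "$spn not registered; fix: setspn -S $spn $env:USERDOMAIN\$ServiceAccount" }
        1       { if ($holders[0] -ne $acct.DistinguishedName) {
                      Write-Warning "$spn is held by $($holders[0]), not $ServiceAccount" } }
        default { Write-Warning "$spn is DUPLICATED on: $($holders -join '; ')" }
    }
}

# 2. Delegation should be constrained to the next hop only. Unconstrained
#    delegation lets the service replay a user's TGT against any service.
if ($acct.TrustedForDelegation) {
    Write-Warning "$ServiceAccount uses UNCONSTRAINED delegation; switch to constrained delegation"
}
if ($acct.TrustedToAuthForDelegation) {
    Write-Warning "$ServiceAccount allows protocol transition; only needed if a non-Kerberos front end exists"
}
$missing = @($DelegationTargets | Where-Object { $_ -notin $acct.'msDS-AllowedToDelegateTo' })
if ($missing.Count -gt 0) {
    Write-Warning "Constrained delegation targets not yet allowed: $($missing -join ', ')"
} else {
    Write-Output "$ServiceAccount may delegate to: $($DelegationTargets -join ', ')"
}
```

The same account can hold SPNs for both hosts, but the script flags the case where a HOST-based SPN on the computer object and the explicit HTTP/ SPN on websvc both answer for one name, which is the usual cause of a silently failing second hop.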
