By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
434,636 Members | 1,915 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 434,636 IT Pros & Developers. It's quick & easy.

delegation question

P: n/a
I'm building out a pretty standard n-tier web application. The stack
includes application/presentation, biz logic, and data access layers on top
of an SQL server back end.

We want to use impersonation and delegation to forward the user's Windows
login through all layers in the stack. To support this, I'm setting up a
set of domain accounts which we use to create SPNs for the various services
in the various layers.

At this point, I'm trying to figure out how many, and what, domain accounts
I need to use in creating the SPNs. Is there a best practice paper on this?

I do have one very specific question:

It's not clear to me that, for our purposes, there's any need to establish
different domain accounts for the business logic and data access layers.
Can I create one account for both of these layers and create SPNs for both
business logic and data access layers using the same domain account?

For example -- assume I've created an account called "websvc". Also assume
that business logic services run on server1 and data access services run on
server2. Both services run on their respective hosts in dedicated
application pools the run under the "websvc" account.

Can I do this:

setspn -A HTTP/server1 mydomain\websvc
setspn -A HTTP/server1.mydomain.com mydomain\websvc

AND this:

setspn -A HTTP/server2 mydomain\websvc
setspn -A HTTP/server2.mydomain.com mydomain\websvc

and, if I do that, will the business logic layer be able to delegate to the
data access layer? Do I have to add "websvc" to it's own list of accounts
that it can delegate to to make that work?

Many thanks, I look forward to your replies.

Russell Lane
rl***@elizacorp.com
Jan 13 '06 #1
Share this Question
Share on Google+
2 Replies


P: n/a
Hi Russell,

Welcome to MSDN newsgroup.
Regarding on the question you mentioned, for N-TIER application which has
front presentation, middle business logic and backend data access layer,
we'll suggest make the client user authentication and role based service
access(authorization) at as front (earilier) tier as possible. There're two
reasons:

1. Forward client credential from front presentation app to back end layer
which need mutliple hops (cross layers) are very difficult to configure and
maintain...

2. Forward credential or authenicated user identity accross mulitple tiers
also hit application's performance....

And if possible, we suggest you also consider make one tier (maybe the
business layer between backend db layer) use Trusted Sub System Model...
(configure the upstream service or app use a fixed identity to request the
downstream service or component ....)...

You can find some related application & service's archecture's

#patterns & practices: Distributed Applications
https://msdn.microsoft.com/practices...s/default.aspx

https://msdn.microsoft.com/architecture/

In addition, if you do need to forward client user's authenitdated
credential or ticket across multiple application or service tiers, we need
to consider the windows restricted kerberos delegation. Here are some
related tech reference:

For general info on ASP.NET delegation:

#ASP.NET Delegation
http://msdn.microsoft.com/library/en...onaspnetdelega...
#How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/default...b;en-us;810572
#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/library/en...ht000023.asp?f...
ue
When the webserver is WIN2K, there needs more configuration due to the
win2k server's particular OS security setting....

#How To Implement Kerberos Delegation for Windows 2000
http://msdn.microsoft.com/library/en...mod19.asp?fram...
#Understanding Kerberos Credential Delegation in Windows 2000 Using the
TktView Utility
http://msdn.microsoft.com/msdnmag/is...y/default.aspx

Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
From: "russell.lane" <ru**********@nospam.nospam>
Subject: delegation question
Date: Fri, 13 Jan 2006 11:00:19 -0500
Lines: 44
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-RFC2646: Format=Flowed; Original
Message-ID: <u4**************@tk2msftngp13.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.webservices
NNTP-Posting-Host: mail.elizacorp.com 63.175.232.187
Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msft ngp13.phx.gbl
microsoft.public.dotnet.framework.webservices:1334 7
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices

I'm building out a pretty standard n-tier web application. The stack
includes application/presentation, biz logic, and data access layers on top
of an SQL server back end.

We want to use impersonation and delegation to forward the user's Windows
login through all layers in the stack. To support this, I'm setting up a
set of domain accounts which we use to create SPNs for the various services
in the various layers.

At this point, I'm trying to figure out how many, and what, domain accounts
I need to use in creating the SPNs. Is there a best practice paper on this?

I do have one very specific question:

It's not clear to me that, for our purposes, there's any need to establish
different domain accounts for the business logic and data access layers.
Can I create one account for both of these layers and create SPNs for both
business logic and data access layers using the same domain account?

For example -- assume I've created an account called "websvc". Also assume
that business logic services run on server1 and data access services run on
server2. Both services run on their respective hosts in dedicated
application pools the run under the "websvc" account.

Can I do this:

setspn -A HTTP/server1 mydomain\websvc
setspn -A HTTP/server1.mydomain.com mydomain\websvc

AND this:

setspn -A HTTP/server2 mydomain\websvc
setspn -A HTTP/server2.mydomain.com mydomain\websvc

and, if I do that, will the business logic layer be able to delegate to the
data access layer? Do I have to add "websvc" to it's own list of accounts
that it can delegate to to make that work?

Many thanks, I look forward to your replies.

Russell Lane
rl***@elizacorp.com

Jan 16 '06 #2

P: n/a


"russell.lane" wrote:
I'm building out a pretty standard n-tier web application. The stack
includes application/presentation, biz logic, and data access layers on top
of an SQL server back end.

We want to use impersonation and delegation to forward the user's Windows
login through all layers in the stack. To support this, I'm setting up a
set of domain accounts which we use to create SPNs for the various services
in the various layers.

At this point, I'm trying to figure out how many, and what, domain accounts
I need to use in creating the SPNs. Is there a best practice paper on this?

I do have one very specific question:

It's not clear to me that, for our purposes, there's any need to establish
different domain accounts for the business logic and data access layers.
Can I create one account for both of these layers and create SPNs for both
business logic and data access layers using the same domain account?

For example -- assume I've created an account called "websvc". Also assume
that business logic services run on server1 and data access services run on
server2. Both services run on their respective hosts in dedicated
application pools the run under the "websvc" account.

Can I do this:

setspn -A HTTP/server1 mydomain\websvc
setspn -A HTTP/server1.mydomain.com mydomain\websvc

AND this:

setspn -A HTTP/server2 mydomain\websvc
setspn -A HTTP/server2.mydomain.com mydomain\websvc

and, if I do that, will the business logic layer be able to delegate to the
data access layer? Do I have to add "websvc" to it's own list of accounts
that it can delegate to to make that work?

Many thanks, I look forward to your replies.

Russell Lane
rl***@elizacorp.com

Apr 2 '06 #3

This discussion thread is closed

Replies have been disabled for this discussion.