
delegation question

I'm building out a pretty standard n-tier web application. The stack
includes application/presentation, biz logic, and data access layers on top
of an SQL server back end.

We want to use impersonation and delegation to forward the user's Windows
login through all layers in the stack. To support this, I'm setting up a
set of domain accounts which we use to create SPNs for the various services
in the various layers.

At this point, I'm trying to figure out how many, and what, domain accounts
I need to use in creating the SPNs. Is there a best practice paper on this?

I do have one very specific question:

It's not clear to me that, for our purposes, there's any need to establish
different domain accounts for the business logic and data access layers.
Can I create one account for both of these layers and create SPNs for both
business logic and data access layers using the same domain account?

For example -- assume I've created an account called "websvc". Also assume
that business logic services run on server1 and data access services run on
server2. Both services run on their respective hosts in dedicated
application pools that run under the "websvc" account.

Can I do this:

setspn -A HTTP/server1 mydomain\websvc
setspn -A HTTP/server1.mydomain.com mydomain\websvc

AND this:

setspn -A HTTP/server2 mydomain\websvc
setspn -A HTTP/server2.mydomain.com mydomain\websvc

and, if I do that, will the business logic layer be able to delegate to the
data access layer? Do I have to add "websvc" to its own list of accounts
that it can delegate to, to make that work?

Many thanks, I look forward to your replies.

Russell Lane
rl***@elizacorp.com
Jan 13 '06 #1
Hi Russell,

Welcome to MSDN newsgroup.
Regarding the question you mentioned, for an N-TIER application which has a
front presentation, middle business logic and backend data access layer,
we'd suggest making the client user authentication and role-based service
access (authorization) happen at as front (earlier) a tier as possible. There are two
reasons:

1. Forwarding client credentials from the front presentation app to the back end layer,
which needs multiple hops (across layers), is very difficult to configure and
maintain...

2. Forwarding credentials or the authenticated user identity across multiple tiers
also hits the application's performance....

And if possible, we suggest you also consider making one tier (maybe the
business layer, between it and the backend db layer) use the Trusted Subsystem Model...
(configure the upstream service or app to use a fixed identity to request the
downstream service or component ....)...

You can find some related application & service architecture references here:

#patterns & practices: Distributed Applications
https://msdn.microsoft.com/practices...s/default.aspx

https://msdn.microsoft.com/architecture/

In addition, if you do need to forward the client user's authenticated
credential or ticket across multiple application or service tiers, we need
to consider Windows restricted Kerberos delegation. Here are some
related tech references:

For general info on ASP.NET delegation:

#ASP.NET Delegation
http://msdn.microsoft.com/library/en...onaspnetdelega...
#How to configure an ASP.NET application for a delegation scenario
http://support.microsoft.com/default...b;en-us;810572
#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/library/en...ht000023.asp?f...
ue
When the webserver is WIN2K, more configuration is needed due to the
Win2K server's particular OS security settings....

#How To Implement Kerberos Delegation for Windows 2000
http://msdn.microsoft.com/library/en...mod19.asp?fram...
#Understanding Kerberos Credential Delegation in Windows 2000 Using the
TktView Utility
http://msdn.microsoft.com/msdnmag/is...y/default.aspx

Hope this helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Jan 16 '06 #2
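The following is an added example and is not code from either post in this thread. It puts Russell's proposed setup and Steven's pointer to restricted (constrained) Kerberos delegation into one script: it registers the four HTTP SPNs from the question on the single "websvc" account, refuses to proceed if any of them is already on another account, and then lists the data-access SPNs on server2 in websvc's msDS-AllowedToDelegateTo attribute, because the KDC checks the target of a constrained-delegation request against that list even when the target service runs as the same account. It assumes the ActiveDirectory PowerShell module (RSAT), a domain at Windows Server 2003 functional level or later (which constrained delegation requires), and an operator with rights to write servicePrincipalName and msDS-AllowedToDelegateTo. The names websvc, server1, server2 and mydomain.com are taken from the post; nothing else here refers to a real environment.

```powershell
# Added example (not from the thread). Register the SPNs from the post on one
# service account and enable CONSTRAINED delegation from the business-logic tier
# (server1) to the data-access tier (server2). Requires the ActiveDirectory module
# and write access to servicePrincipalName / msDS-AllowedToDelegateTo.
# websvc, server1, server2, mydomain.com come from the post; all else is assumed.

Import-Module ActiveDirectory

$Account = 'websvc'
$Domain  = 'mydomain.com'
$Hosts   = 'server1', 'server2'

# SPNs for both tiers, short and FQDN form, as in the post.
$Spns = foreach ($h in $Hosts) { "HTTP/$h"; "HTTP/$h.$Domain" }

# 1. Refuse to create a duplicate SPN. If the same SPN sits on two accounts the
#    KDC cannot tell whose key to issue the service ticket under, Kerberos fails
#    for that service, and clients fall back to NTLM, which cannot be delegated.
foreach ($spn in $Spns) {
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                           -Properties sAMAccountName, servicePrincipalName |
              Where-Object { $_.sAMAccountName -ne $Account }
    if ($owners) {
        throw "SPN $spn is already registered on: $($owners.DistinguishedName -join ', ')"
    }
}

# 2. Register the SPNs on the service account (equivalent of setspn -A, idempotent).
$user = Get-ADUser -Identity $Account `
            -Properties servicePrincipalName, msDS-AllowedToDelegateTo, TrustedForDelegation
$missing = $Spns | Where-Object { $_ -notin $user.servicePrincipalName }
if ($missing) {
    Set-ADUser -Identity $Account -Add @{ servicePrincipalName = $missing }
}

# 3. Constrained delegation: websvc on server1 may obtain tickets ONLY to the
#    data-access service on server2. Both tiers run as the same account, but the
#    target SPN still has to be listed: the KDC checks the requested target against
#    msDS-AllowedToDelegateTo, not against "same account as the requester".
$Targets     = "HTTP/server2", "HTTP/server2.$Domain"
$needTargets = $Targets | Where-Object { $_ -notin $user.'msDS-AllowedToDelegateTo' }
if ($needTargets) {
    Set-ADUser -Identity $Account -Add @{ 'msDS-AllowedToDelegateTo' = $needTargets }
}

# 4. Make sure UNCONSTRAINED delegation is off. TrustedForDelegation lets the
#    account impersonate any user who authenticates to it against any service
#    in the forest, which is the blast radius constrained delegation exists to avoid.
if ($user.TrustedForDelegation) {
    Set-ADUser -Identity $Account -TrustedForDelegation $false
}

# 5. Report the resulting state; compare this against a failing double hop.
Get-ADUser -Identity $Account `
    -Properties servicePrincipalName, msDS-AllowedToDelegateTo, TrustedForDelegation |
    Select-Object Name, TrustedForDelegation,
        @{ n = 'SPNs';       e = { $_.servicePrincipalName -join '; ' } },
        @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

Run it from a workstation with RSAT as an account that can write the two attributes, then repeat the same pattern for the presentation tier's account with HTTP/server1 as its delegation target. Note what the single-account choice costs: because websvc holds the SPNs for both tiers and is allowed to delegate to itself, a compromise of the business-logic host yields the data-access tier's identity as well, so the separate account per tier that Russell asked about is the only thing that would give those two hops a real trust boundary.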


