
.NET Forum / .NET Framework / Security / March 2008

Kerberos Impersonation versus Delegation

Ralf Steinstraesser - 25 Mar 2008 14:14 GMT
Hi,

I have set up Kerberos Authentication for a multitier application.

Everything seems to be working fine: I am using integrated authentication
in the browser when connecting to an ASP.NET application, which in turn talks
to the endpoint of a webservice. The webservice impersonates the user and
opens the connection to a database, where user rights are then enforced
properly through a user-role model.

Now, there is one thing which puzzles me: For testing purposes I have set up
my middle tier on two different machines. On one machine the
ImpersonationLevel is Delegation, on the other it is Impersonation
(AuthenticationType=Kerberos in both cases). In both cases the rights in the
database are applied properly.

I was expecting this to work only with Delegation. What exactly makes the
difference between the ImpersonationLevels 'Impersonation' and 'Delegation',
when using Kerberos?

I have read this article
http://msdn2.microsoft.com/en-us/library/ms730088.aspx but didn't really
grasp it. I understood that propagating the credentials from the middle tier
to the back end would only work using delegation, but in my case
impersonation works fine too.

I would appreciate any help greatly.

Regards,


Dipl.-Ing. Ralf Steinstraesser
Software Architekt
Bissantz & Company GmbH

Dominick Baier - 25 Mar 2008 17:54 GMT
Are you really distributing each service to a physical machine?

For local access (e.g. asp.net to service) it is impersonation. It is only
delegation if you flow credentials off box again.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Ralf Steinstraesser - 26 Mar 2008 09:16 GMT
Hi Dominick,

> Are you really distributing each service to a physical machine.

Yes, the setup is Machine1:Browser, Machine2:ASP.NET, Machine3:WebService,
Machine4: DB-Server.

> For local access (e.g. asp.net to service) it is impersonation. It is only
> delegation if you flow credentials off box again.

I am aware of that, but it rather seems to be a conceptual interpretation of
what is really happening.

For testing purposes I have set up ASP.NET and WebService together on one
machine. Now on Machine A: I get an ImpersonationLevel=Delegation, on another
Machine B: I get an ImpersonationLevel=Impersonation. I didn't find any
difference in AD settings so far.

And this is leading towards my original question: Can someone explain
her/his understanding of what makes the difference between delegation and
impersonation?

I am digging for the details, since there is a slight chance to deploy this
in loadbalanced webfarms and database clusters. I don't want to be looking
for answers, when this is productive.
Dominick Baier - 26 Mar 2008 15:21 GMT
impersonation means to impersonate the client to access local resources -
delegation only applies to remote resources. That's the easy distinction.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Ralf Steinstraesser - 26 Mar 2008 16:44 GMT
Thank you for your answers so far, Dominick.

I think I got it now. Somehow I failed to set up the SPNs for the
alternative middle-tier host properly. Therefore I saw Kerberos as
AuthenticationType, but not Delegation as ImpersonationLevel on that host.
Instead it showed only Impersonation, whereas it was Delegation for the
middle tier with the proper SPN.

Another issue which added to my confusion was that, when having ASP.NET and
WebService together on one machine, I am able to impersonate the Browser user
before querying the Database and I am getting the properly applied user rights of
the database. I thought this was already the double hop, and would not work...


Dipl.-Ing. Ralf Steinstraesser
Software Architekt
Bissantz & Company GmbH

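The distinction Dominick draws (Impersonation covers local resources, Delegation is needed to carry the caller's identity to another machine) and the SPN problem Ralf found both show up as properties on the caller's WindowsIdentity: AuthenticationType and ImpersonationLevel. The following C# snippet is an added example and not code from this thread; it assumes a WCF service on the middle tier receiving Windows (Kerberos) client credentials, a SQL Server reached with an Integrated Security connection string, and a hypothetical caller-supplied flag saying whether the database lives on another host. It checks the token before impersonating so that a missing SPN or a mere Impersonation-level token is reported as a clear error instead of surfacing later as an anonymous login at the database.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

// Added example (not from the thread). Assumes a WCF service that receives
// Windows/Kerberos credentials and opens SQL Server with Integrated Security.
public static class SecondHopCheck
{
    public enum HopCapability
    {
        NotKerberos,    // NTLM or anonymous token: cannot be delegated at all
        LocalOnly,      // Kerberos, TokenImpersonationLevel.Impersonation
        OffBoxAllowed   // Kerberos, TokenImpersonationLevel.Delegation
    }

    // Classify the caller's token the way the thread describes: an
    // Impersonation-level token is good for resources on this box only;
    // a Delegation-level token may be forwarded to a remote server.
    public static HopCapability Classify(WindowsIdentity identity)
    {
        if (identity == null || identity.IsAnonymous)
            return HopCapability.NotKerberos;

        // A missing SPN typically shows up here as an authentication type
        // other than Kerberos (e.g. NTLM), which never supports delegation.
        if (!string.Equals(identity.AuthenticationType, "Kerberos",
                           StringComparison.OrdinalIgnoreCase))
            return HopCapability.NotKerberos;

        return identity.ImpersonationLevel == TokenImpersonationLevel.Delegation
            ? HopCapability.OffBoxAllowed
            : HopCapability.LocalOnly;
    }

    // Opens the database as the caller, but only when the token can actually
    // travel to where the database is. 'databaseIsRemote' is a hypothetical
    // deployment flag supplied by the host configuration.
    public static SqlConnection OpenAsCaller(string connectionString, bool databaseIsRemote)
    {
        // ServiceSecurityContext.Current is the real WCF API for the caller's identity.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        HopCapability capability = Classify(caller);

        if (capability == HopCapability.NotKerberos)
            throw new InvalidOperationException(
                "Caller '" + caller.Name + "' authenticated with '" + caller.AuthenticationType +
                "', not Kerberos; verify the SPN registered for this host.");

        if (databaseIsRemote && capability == HopCapability.LocalOnly)
            throw new InvalidOperationException(
                "Token for '" + caller.Name + "' is at level " + caller.ImpersonationLevel +
                "; Delegation is required to reach a database on another machine.");

        // Authentication to SQL Server happens at Open(), so the impersonation
        // only needs to cover that call; the DB then applies its user-role model.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            SqlConnection connection = new SqlConnection(connectionString);
            connection.Open();
            return connection;
        }
    }
}
```

Usage: call SecondHopCheck.OpenAsCaller("Data Source=dbhost;Initial Catalog=app;Integrated Security=SSPI", databaseIsRemote: true) from inside a service operation. When the token is only at Impersonation level and the database is on another host, the classic symptom without this check is a SQL Server error such as "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'", which is far harder to trace back to the SPN or delegation setting than the explicit exception raised here.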
