Re: Impersonation and double hop
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 3 Jul 2007 13:14:27 -0500
Glad you fixed it. I couldn't tell from your original post how you were
actually getting the security context for the user to impersonate, so that's
what I was driving at. Had I known you were using LogonUser, I would have
recommended that first. :)
Regarding delegation vs. the approach you are using now, I think the
argument there is that your current solution requires that the user provide
their plaintext password to your service. If the web services tier used IWA
auth, then this would not be true, but you would need Kerberos delegation.
So, it is a balancing act for the security guys to decide which is less
heinous. Kerberos delegation when used in constrained mode is not really
very scary at all, especially if the highly privileged accounts in the
forest are marked as "sensitive and cannot be delegated".
However, the tier that is doing the web service client calls may not be
capable of doing IWA auth, so that whole point might be moot.
Best of luck!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Glenn Thimmes" <gthimmes@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eAFIR0YvHHA.4532@xxxxxxxxxxxxxxxxxxxxxxx
Actually we are using Anonymous and requiring that domain username and
password is provided from the client to the server so that this
impersonation can be done for the second hop.
I have found the solution to this problem from another post in this
group. The problem was that my call to LogonUser was not generating
network credentials. I was using LOGON32_LOGON_NETWORK; this type of logon
doesn't have network credentials. I switched to
LOGON32_LOGON_NETWORK_CLEARTEXT.
This fixed my problem.
-Glenn
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uHW08WYvHHA.784@xxxxxxxxxxxxxxxxxxxxxxx
What type of authentication are you using in IIS with your web services?
Are you using basic or IWA?
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Glenn Thimmes" <gthimmes@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:e3d64nXvHHA.3364@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
I need a little advice in figuring out the right solution for a problem
that I am facing. I have a 3 tier application. Client, Web Service
middle layer, and SQL Server. I have been using a trusted account to get
from the WS to SQL, but now I have new requirements for getting user
credentials all the way to SQL Server. I was under the impression that
by passing the user login name and password to the middle layer, it
could impersonate the user and do a single hop to the SQL Server
machine.
Unfortunately, this appears to still be a double hop scenario, even
though the middle layer has the username and password required for the
domain account. Is this correct?
And if that is the case, I suppose my only solution is to use Kerberos
delegation, which I am concerned that a highly competent and security
obsessed IT staff will refuse to set up for us during an onsite customer
implementation.
Am I missing any pieces to the puzzle? Any advice would be appreciated.
Thanks,
Glenn
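The fix Glenn describes (LogonUser with LOGON32_LOGON_NETWORK_CLEARTEXT so the impersonated token carries credentials for the hop to SQL Server), written out as an added example that is not code from this thread. It assumes .NET Framework on a domain-joined Windows middle tier, a remote SQL Server that accepts Windows authentication, and the hypothetical names CONTOSO, alice and sqlhost; as Joe notes, this design requires the middle tier to handle the user's plaintext password, which is the trade-off against constrained delegation.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not code from the thread. Assumes .NET Framework on Windows.
static class SecondHop
{
    // Logon type constants from WinBase.h
    const int LOGON32_LOGON_NETWORK = 3;           // token has no network credentials
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8; // token can authenticate outbound
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs a scalar query on a remote SQL Server while impersonating the given
    // domain user. With LOGON32_LOGON_NETWORK the second hop would fail because
    // the token cannot present credentials to the SQL Server machine.
    public static object QueryAsUser(string domain, string user, string password,
                                     string server, string sql)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsIdentity.Impersonate(token))
            using (var conn = new SqlConnection(
                       "Data Source=" + server + ";Integrated Security=SSPI"))
            {
                conn.Open();
                using (var cmd = new SqlCommand(sql, conn))
                    return cmd.ExecuteScalar();
            }
        }
        finally { CloseHandle(token); } // never leak the logon token
    }

    static void Main()
    {
        // Hypothetical names; SUSER_SNAME() returns the login SQL Server actually saw.
        object login = QueryAsUser("CONTOSO", "alice", "<password>", "sqlhost",
                                   "SELECT SUSER_SNAME()");
        Console.WriteLine("SQL Server authenticated the hop as: " + login);
    }
}
```

A result of CONTOSO\alice from SUSER_SNAME() confirms the user's identity reached the second hop; the same code with LOGON32_LOGON_NETWORK typically fails at Open() with a login error for NT AUTHORITY\ANONYMOUS LOGON, which is the symptom Glenn hit.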