.net newsgroups
delegation question

"russell.lane" <russell.lane@nospam.nospam> wrote:

I'm building out a pretty standard n-tier ASP.Net web application. The stack includes application/presentation, biz logic, and data access layers on top of an SQL server back end.

We want to use impersonation and delegation to forward the user's Windows login through all layers in the stack. To support this, I'm setting up a set of domain accounts which we will use to create SPNs for the various services in the various layers.

At this point, I'm trying to figure out how many, and what, domain accounts I need to use in creating the SPNs. Is there a best practice paper on this?

I do have one very specific question:

It's not clear to me that, for our purposes, there's any need to establish different domain accounts for the business logic and data access layers. Can I create one account for both of these layers and create SPNs for both business logic and data access layers using the same domain account?

For example -- assume I've created an account called "websvc". Also assume that business logic services run on server1 and data access services run on server2. Both services run on their respective hosts in dedicated application pools that run under the "websvc" account.

Can I do this:

    setspn -A HTTP/server1 mydomain\websvc
    setspn -A HTTP/server1.mydomain.com mydomain\websvc

AND this:

    setspn -A HTTP/server2 mydomain\websvc
    setspn -A HTTP/server2.mydomain.com mydomain\websvc

and, if I do that, will the business logic layer be able to delegate to the data access layer? Do I have to add "websvc" to its own list of accounts that it can delegate to to make that work?

I've cross-posted this on *.webservices.

Many thanks, I look forward to your replies.

Russell Lane
rl***@elizacorp.com

---

bruce (sqlwork.com) wrote:

best practice is to never give more security access than required. if only the bi layer needs access to sqlserver, then only the bi layer should have access.

in asp.net (on 2003), there are several options for controlling the request thread security:

set impersonation=false in web config
1) default - use the asp.net service account
2) specify app pool for the website, and asp.net will use its credentials

set impersonation=true in web config
1) specify a user name and password in web config - asp.net will use the specified login.
2) no username specified, asp.net will use iis assigned identity for request - will either be iis service acct if anon, or user's authenticated account if not.

to forward these credentials to a network resource that is on another server will require basic authentication or Kerberos with delegation enabled.

-- bruce (sqlwork.com)

"russell.lane" <russell.lane@nospam.nospam> wrote in message news:%23zRpUuFGGHA.2680@TK2MSFTNGP09.phx.gbl...
> I'm building out a pretty standard n-tier ASP.Net web application. The stack
> includes application/presentation, biz logic, and data access layers on top
> of an SQL server back end.
>
> We want to use impersonation and delegation to forward the user's Windows
> login through all layers in the stack. To support this, I'm setting up a
> set of domain accounts which we will use to create SPNs for the various services
> in the various layers.
>
> At this point, I'm trying to figure out how many, and what, domain accounts
> I need to use in creating the SPNs. Is there a best practice paper on this?
>
> I do have one very specific question:
>
> It's not clear to me that, for our purposes, there's any need to establish
> different domain accounts for the business logic and data access layers.
> Can I create one account for both of these layers and create SPNs for both
> business logic and data access layers using the same domain account?
>
> For example -- assume I've created an account called "websvc". Also assume
> that business logic services run on server1 and data access services run on
> server2. Both services run on their respective hosts in dedicated
> application pools that run under the "websvc" account.
>
> Can I do this:
>
> setspn -A HTTP/server1 mydomain\websvc
> setspn -A HTTP/server1.mydomain.com mydomain\websvc
>
> AND this:
>
> setspn -A HTTP/server2 mydomain\websvc
> setspn -A HTTP/server2.mydomain.com mydomain\websvc
>
> and, if I do that, will the business logic layer be able to delegate to the
> data access layer? Do I have to add "websvc" to its own list of accounts
> that it can delegate to to make that work?
>
> I've cross-posted this on *.webservices.
>
> Many thanks, I look forward to your replies.
>
> Russell Lane
> rl***@elizacorp.com
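As an added example that is not part of the thread and not code from either poster: a small Python model of the check a KDC performs for each hop under Kerberos constrained delegation, built from the scenario above. Account names (websvc, bizsvc, datasvc, sqlsvc), the SQL host and its SPN MSSQLSvc/sqlhost.mydomain.com:1433 are constructed for the example. The model keys each hop on the target SPN and on the front-end account's delegation list, so it also shows the point in the reply: when both tiers run as one account, they share one delegation list, and whatever the data tier may reach, the business logic tier may reach too. It also flags an SPN registered on more than one account, which breaks ticket issuance for that service.

```python
from collections import defaultdict


class DelegationModel:
    """Models SPN ownership and per-account constrained-delegation lists.

    This is a constructed model for illustration, not a real AD or KDC client.
    """

    def __init__(self):
        self.spn_owner = {}                 # normalised SPN -> owning account
        self.duplicates = defaultdict(set)  # normalised SPN -> accounts that both claim it
        self.allowed_to = defaultdict(set)  # account -> target SPNs it may delegate to

    @staticmethod
    def norm(spn):
        # SPN matching in AD is case-insensitive
        return spn.lower()

    def setspn_add(self, spn, account):
        """Equivalent of `setspn -A <spn> <account>` in this model."""
        key = self.norm(spn)
        if key in self.spn_owner and self.spn_owner[key] != account:
            # the same SPN on two accounts: the KDC cannot pick a key to encrypt the ticket
            self.duplicates[key].update({self.spn_owner[key], account})
        self.spn_owner.setdefault(key, account)

    def allow_delegation(self, account, target_spn):
        """Add a target SPN to the account's 'services this account can delegate to' list."""
        self.allowed_to[account].add(self.norm(target_spn))

    def duplicate_spns(self):
        return {spn: sorted(accts) for spn, accts in self.duplicates.items()}

    def can_delegate(self, account, target_spn):
        """Return (ok, reason) for one hop from `account` to the service at `target_spn`."""
        key = self.norm(target_spn)
        if key not in self.spn_owner:
            return False, "target SPN not registered; no service ticket can be issued"
        if key in self.duplicates:
            return False, "target SPN is registered on more than one account"
        if key not in self.allowed_to[account]:
            return False, f"{account} is not allowed to delegate to {target_spn}"
        return True, "ok"

    def chain_ok(self, hops):
        """Check every hop of [(front_end_account, target_spn), ...] in order."""
        for account, target in hops:
            ok, reason = self.can_delegate(account, target)
            if not ok:
                return False, reason
        return True, "ok"


SQL_SPN = "MSSQLSvc/sqlhost.mydomain.com:1433"  # assumed SQL Server SPN (constructed)


def build_single_account():
    """The question's layout: websvc owns the HTTP SPNs for both server1 and server2."""
    m = DelegationModel()
    for host in ("server1", "server1.mydomain.com", "server2", "server2.mydomain.com"):
        m.setspn_add(f"HTTP/{host}", "websvc")
    m.setspn_add(SQL_SPN, "sqlsvc")
    return m


def build_split_accounts():
    """The reply's advice: one account per tier, and only the data tier may reach SQL."""
    m = DelegationModel()
    for host in ("server1", "server1.mydomain.com"):
        m.setspn_add(f"HTTP/{host}", "bizsvc")
    for host in ("server2", "server2.mydomain.com"):
        m.setspn_add(f"HTTP/{host}", "datasvc")
    m.setspn_add(SQL_SPN, "sqlsvc")
    m.allow_delegation("bizsvc", "HTTP/server2.mydomain.com")
    m.allow_delegation("datasvc", SQL_SPN)
    return m


if __name__ == "__main__":
    single = build_single_account()
    single.allow_delegation("websvc", "HTTP/server2.mydomain.com")
    single.allow_delegation("websvc", SQL_SPN)
    print("single account, biz tier straight to SQL:", single.can_delegate("websvc", SQL_SPN))
    split = build_split_accounts()
    print("split accounts, biz tier straight to SQL:", split.can_delegate("bizsvc", SQL_SPN))
    print("split accounts, full chain:", split.chain_ok(
        [("bizsvc", "HTTP/server2.mydomain.com"), ("datasvc", SQL_SPN)]))
```

In the single-account layout the hop from server1 to server2 and the hop from server2 to SQL are both evaluated against the same `websvc` delegation list, so there is no way to grant the second hop without also granting it to the first tier; the split layout keeps the SQL SPN out of `bizsvc`'s list entirely. Running `setspn -L` on each account before adding entries is the practical check for the duplicate case the model flags.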