Return to HomePage



Question: How do I flow the original caller's identity to different layers?

Answer:

Use Kerberos delegation to flow the original caller's identity to a backend resource, either so the backend can authorize per user or so you can make use of operating system auditing there.
To use Kerberos delegation:
* All computers must be in the same Active Directory forest, or in domains in separate forests joined by a trust relationship.
* You must configure the Web server or application server machine accounts in Active Directory for delegation. Alternatively, if your ASP.NET application runs under a specific custom domain account, you can configure that domain account for delegation; in that case the HTTP service principal names (SPNs) for the Web server must be registered on the custom account (for example with setspn), otherwise clients negotiate NTLM instead of Kerberos and there is no ticket to delegate.
* IIS must be configured for Windows authentication, or for certificate authentication with certificate mapping.
* You must enable impersonation in your application's Web.config (see "How to impersonate the original caller").

Use Windows Server 2003 constrained delegation rather than unconstrained delegation, so that the Web server can use the impersonated identity only against the specific services on the specific servers you list. A compromised Web server then cannot reuse client tickets against arbitrary services in the domain.
To use constrained delegation:
  1. On the domain controller, run the Active Directory Users and Computers MMC snap-in from Administrative Tools.
  2. In the left-hand pane, click the root node titled Active Directory Users and Computers [machinename.domain].
  3. Select Action | All Tasks | Raise Domain Functional Level from the menu bar.
  4. Select Windows Server 2003 in the Select an available domain functional level drop-down box. Constrained delegation requires this functional level; raising the level cannot be undone, so confirm that every domain controller in the domain is running Windows Server 2003 first.
  5. Configure the Web server machine account to be trusted for constrained delegation to the application server, as follows.
  6. In the left-hand pane of the Active Directory Users and Computers snap-in, click the Computers node.
  7. In the right-hand pane, double-click the WEB computer.
  8. On the Delegation tab, select Trust this computer for delegation to specified services only (constrained delegation). Leave Use Kerberos only selected unless you specifically need protocol transition (Use any authentication protocol), which additionally lets the Web server obtain tickets on behalf of users who did not authenticate to it with Kerberos.
  9. Click Add.
  10. In the Add Services dialog, click Users or Computers.
  11. In the Select Users or Computers dialog, enter the name of the application server and click OK.
  12. The Add Services dialog now lists the service principal names registered for the application server (not the WEB server). Select the HTTP service and click OK. If the backend is SQL Server rather than an IIS application server, the service to select is MSSQLSvc instead.
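The same configuration from the command line, as an added example that is not part of the original page: it registers the Web server's HTTP SPNs on a custom application account (the prerequisite described above for running under a specific domain account) and then sets Kerberos-only constrained delegation to the application server's HTTP service, which is what the snap-in steps above do for the machine account. It uses the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and setspn.exe. The domain corp.example, the hosts WEB and APP and the account CORP\svc_web are assumed names for illustration.

```powershell
# Added example (not from the original page): Kerberos-only constrained delegation
# from the Web tier to the HTTP service on the application server, done with the
# ActiveDirectory module instead of the Active Directory Users and Computers snap-in.
# Assumed names: domain CORP / corp.example, Web server WEB, application server APP,
# custom application pool account CORP\svc_web.
Import-Module ActiveDirectory

$domainDns = 'corp.example'
$webHost   = 'WEB'
$appHost   = 'APP'
$svcAcct   = 'svc_web'    # the custom domain account the ASP.NET application runs under

# SPNs of the backend service the Web tier may delegate to. For a SQL Server backend
# this would be MSSQLSvc/<host>:<port> instead of HTTP/<host>.
$targetSpns = @("HTTP/$appHost.$domainDns", "HTTP/$appHost")

# 1. Register the Web server's HTTP SPNs on the custom account. Without them browsers
#    negotiate NTLM rather than Kerberos, and an NTLM logon cannot be delegated.
#    setspn -S refuses to create a duplicate SPN, which would break Kerberos silently.
setspn -S "HTTP/$webHost.$domainDns" "CORP\$svcAcct"
setspn -S "HTTP/$webHost"            "CORP\$svcAcct"

# 2. Constrained delegation is an attribute (msDS-AllowedToDelegateTo) on the principal
#    that presents the client's ticket: the custom account here, or the machine account
#    (Get-ADComputer -Identity $webHost) when the application runs as NETWORK SERVICE.
#    -Replace makes the attribute exactly this list, so the whole delegation policy is
#    visible in one place.
$principal = Get-ADUser -Identity $svcAcct
Set-ADObject -Identity $principal -Replace @{ 'msDS-AllowedToDelegateTo' = $targetSpns }

# 3. Keep it constrained and Kerberos-only: TrustedForDelegation is unconstrained
#    delegation, TrustedToAuthForDelegation is protocol transition ("Use any
#    authentication protocol" on the Delegation tab). Both stay off.
Set-ADAccountControl -Identity $principal -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 4. Verify. The target SPNs must actually be registered on APP's account, or the KDC
#    cannot issue a service ticket for them and the delegated call fails.
setspn -L $appHost
Get-ADObject -Identity $principal.DistinguishedName -Properties 'msDS-AllowedToDelegateTo', userAccountControl |
    Format-List Name, 'msDS-AllowedToDelegateTo', userAccountControl
```

The account control and delegation changes only take effect once the Web server's process obtains a fresh ticket-granting ticket, so restart IIS (or the worker process running as the custom account) after running this; an application that was already running keeps its old, non-delegable ticket cache until then.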



Microsoft Communities