OdeToCode IC Logo

Roadmap To Delegation

Friday, February 25, 2005

One of the thorny areas in writing a distributed application is keeping the logical thread of execution authenticated and authorized as calls hop from server to server. If you want to flow the original client’s identity across these servers you’ll quickly run into the “single network hop” restriction of NTLM (sometimes called the “double hop” issue). A client’s identity can only make a single hop. The first hop happens from the web browser to the web server. The web server can impersonate the client when accessing local resources, but it make a second hop to a third machine. Larry Osterman has details on this behavior.

The single hop issue turns up a lot these days as more products (Reporting Services, SharePoint) rely on Windows authentication, but we rarely see these applications on the same server as our ASP.NET applications.

One solution to the problem is the trusted subsystem model. However, the trusted subsystem model does not flow the original client’s identity automatically, and it becomes your application’s responsibility to perform authorization checks. Tricky.

Another solution is to use Kerberos delegation. If you want to enlighten yourself on the subject, I’d recommend the following roadmap.

Start with David Chappell’s “Exploring Kerberos, the Protocol for Distributed Security in Windows 2000”, and chase this article with Keith Brown’s “Exploring S4U Kerberos Extensions in Windows Server 2003”.

The next step is to watch delegation in action. A two part webcast walks through every detail of setting up delegation in a typical ASP.NET application environment: “Getting Delegation to Work with IIS and ASP.NET: The Ins and Outs of Protocol Transition” (Part 1 and Part 2).

At this point it’s time to take the IT department out to lunch, or perhaps send fruit baskets to their house. You’ll need their sign-off and support to pull it all off.

Two documents that can help during the implementation phase are “HOW TO: Configure an ASP.NET Application for a Delegation Scenario” and “Troubleshooting Kerberos Delegation”.

Just imagine how popular you’ll be at the next neighborhood social event if you can hang out at the punch bowl and explain the nuances of S4U2Self and S4U2Proxy.

Darrell Friday, February 25, 2005
Yeah, I went through the pain of implementing delegation using Kerberos back in the day. There is soooo much more info now. The funny thing is, once you get it working and figure it out, it's like, "Oh, that wasn't *that* hard." :)
roy Saturday, February 26, 2005
I'm *just* starting to feel that pain. I'm gonna be implementing Kerberos delegation on Monday. It's for Reporting Services. I've created a custom ASP.NET "web page" ... now to create the multiple environments (e.g. devel, testing, production...)
<br>Btw Scott, I've read all your articles on Reporting Services. They've helped me create a whole bunch of nice methods and a custom web control. Thanks!
<br>Do get around the multiple environment deployments, I just create a top level folder (myproject) in report manager, and then inside it I would create more folders with the nomenclature of (myproject-devel, myproject-test...). In each of these subfolder, I create a datasource that called (myproject-datasource) that is changed only inside the folder scope. Therefore, I have 9 identical reports in 4 environments, but 4 datasource of the same name but pointing to different databases. Cheesy but simple and it works.
<br>Sorry for babbling on your blog!! Again. Your articles and links are very helpful. Keep it up! :-)
Scott Saturday, February 26, 2005
Thanks Roy, it's always nice to hear that someone can make sense of my writing and turn it into something useful :)
<br>The multiple environment solution you came up with sounds pretty good. Any solution you can describe in 2 sentences is simple and effective!
Comments are closed.