Roadmap To Delegation

One of the thorny areas in writing a distributed application is keeping the logical thread of execution authenticated and authorized as calls hop from server to server. If you want to flow the original client’s identity across these servers you’ll quickly run into the “single network hop” restriction of NTLM (sometimes called the “double hop” issue). A client’s identity can only make a single hop. The first hop happens from the web browser to the web server. The web server can impersonate the client when accessing local resources, but it make a second hop to a third machine. Larry Osterman has details on this behavior.

The single hop issue turns up a lot these days as more products (Reporting Services, SharePoint) rely on Windows authentication, but we rarely see these applications on the same server as our ASP.NET applications.

One solution to the problem is the trusted subsystem model. However, the trusted subsystem model does not flow the original client’s identity automatically, and it becomes your application’s responsibility to perform authorization checks. Tricky.

Another solution is to use Kerberos delegation. If you want to enlighten yourself on the subject, I’d recommend the following roadmap.

Start with David Chappell’s “Exploring Kerberos, the Protocol for Distributed Security in Windows 2000”, and chase this article with Keith Brown’s “Exploring S4U Kerberos Extensions in Windows Server 2003”.

The next step is to watch delegation in action. A two part webcast walks through every detail of setting up delegation in a typical ASP.NET application environment: “Getting Delegation to Work with IIS and ASP.NET: The Ins and Outs of Protocol Transition” (Part 1 and Part 2).

At this point it’s time to take the IT department out to lunch, or perhaps send fruit baskets to their house. You’ll need their sign-off and support to pull it all off.

Two documents that can help during the implementation phase are “HOW TO: Configure an ASP.NET Application for a Delegation Scenario” and “Troubleshooting Kerberos Delegation”.

Just imagine how popular you’ll be at the next neighborhood social event if you can hang out at the punch bowl and explain the nuances of S4U2Self and S4U2Proxy.