Q

Implementing system/account delegation within an application built using ASP.NET

Is there a way to implement system/account delegation within an application built using ASP.NET in a secure fashion that consists of a multi-tier application architecture (IIS and application not on the same server)?

A multi-tier application (client; Web server application, business rules, database perhaps on multiple computers) can be built which allows you to have accountability throughout. That is, you can record in audit records the user account that accessed the data (or as Microsoft says, "flow an authenticated identity across multiple tiers"). This is not possible in all situations and must be carefully configured to ensure a secure installation and application operation. It is possible because Kerberos has delegation. In Kerberos the authentication credentials can be delegated to the use of the application and can be used to access remote data in the security context of the original user if the user account and computer are configured to allow this and the application is written to do so.

Windows 2000 or Windows Server 2003 is necessary, and Windows Server 2003 is recommended since it provides protocol transition (the Web client does not have to be able to use Kerberos, just the servers) and delegation can be constrained (limited to specific services such as database access). A number of white papers and other documents can help you both understand the process and provide examples. These will help you get started: How to implement Kerberos Delegation for Windows 2000 and Microsoft Windows Server 2003: Kerberos Protocol Transition and Constrained Delegation.

This was first published in September 2004
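The "application is written to do so" part of the answer, as an added example that is not part of the original answer: a .NET Framework ASP.NET helper that impersonates the Kerberos-authenticated caller only around the database call and returns the login the database tier saw, for the audit record. The class and method names, server name and database name are hypothetical, and it assumes Integrated Windows authentication in IIS and a Web server account already allowed to delegate to the SQL Server service.

```csharp
// Added example; names and hosts below are placeholders, not from the original page.
using System;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;

public static class DelegatedDataAccess
{
    // Hypothetical back-end on a different machine than IIS.
    // Integrated Security makes SQL Server authenticate whoever the thread
    // is running as, so no shared application password is stored here.
    private const string ConnStr =
        "Server=sqlhost.example.internal;Database=AppDb;Integrated Security=SSPI";

    // Opens the database connection in the security context of the Web caller
    // and returns the login name SQL Server recorded for that connection.
    public static string QueryAsCaller(HttpContext ctx)
    {
        var caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Caller has no Windows identity.");

        string seenByDatabase;

        // Impersonate for the remote call only. Disposing the context reverts
        // the thread to the application pool identity even if the call throws.
        using (WindowsImpersonationContext ictx = caller.Impersonate())
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            // If delegation is not permitted for this account or service,
            // Open() fails instead of silently connecting as the Web server.
            conn.Open();
            seenByDatabase = (string)cmd.ExecuteScalar();
        }

        // Audit line written after reverting: Web-tier identity next to the
        // identity the database tier authenticated.
        Trace.WriteLine(string.Format(
            "audit web={0} db={1} utc={2:o}", caller.Name, seenByDatabase, DateTime.UtcNow));

        return seenByDatabase;
    }
}
```

When delegation is working, the `web` and `db` values in the audit line name the same account; a login failure at `Open()` points to the delegation settings on the accounts involved rather than to the code.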
