
Implementing system/account delegation within an application built using ASP.NET

Is there a way to implement system/account delegation within an application built using ASP.NET in a secure fashion that consists of a multi-tier application architecture (IIS and application not on the same server)?

A multi-tier application (client; Web server application, business rules, database, perhaps on multiple computers) can be built which allows you to have accountability throughout. That is, you can record in audit records the user account that accessed the data (or, as Microsoft says, "flow an authenticated identity across multiple tiers"). This is not possible in all situations and must be carefully configured to ensure a secure installation and application operation. It is possible because Kerberos has delegation. In Kerberos the authentication credentials can be delegated for use by the application and can be used to access remote data in the security context of the original user, if the user account and computer are configured to allow this and the application is written to do so.

Windows 2000 or Windows Server 2003 is necessary, and Windows Server 2003 is recommended, since it provides protocol transition (the Web client does not have to be able to use Kerberos, just the servers) and delegation can be constrained (limited to specific services such as database access). A number of white papers and other documents can help you both understand the process and provide examples. These will help you get started: "How to implement Kerberos Delegation for Windows 2000" and "Microsoft Windows Server 2003: Kerberos Protocol Transition and Constrained Delegation".
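As an added illustration (not the expert's code, nor Microsoft's), the shape of a delegation-aware data-access call on the ASP.NET tier in C#: it checks that the caller's Windows token is actually delegation-level before relying on it downstream, optionally obtains a token by protocol transition when the client did not use Kerberos, and opens the database connection with integrated security so the database tier's audit shows the original caller. The connection string, server names and the web.config settings named in the comments are assumptions.

```csharp
// Added example: flow the caller's identity from an ASP.NET page on the web
// tier to a SQL Server on another machine through Kerberos delegation.
// Assumes web.config has <authentication mode="Windows"/> and
// <identity impersonate="true"/>, IIS uses Integrated Windows authentication,
// and the web server's account is trusted for constrained delegation to the
// MSSQLSvc SPN of the database host. Host/database names are placeholders.
using System;
using System.Data.SqlClient;
using System.Security.Principal;

public static class DelegatedDataAccess
{
    // No embedded credentials: SQL Server sees whoever the thread impersonates.
    const string ConnectionString =
        "Data Source=dbserver.corp.example;Initial Catalog=Orders;Integrated Security=SSPI";

    // An Impersonation-level token is enough to act as the user on the web
    // server itself, but a remote tier would see it as ANONYMOUS LOGON.
    // Only a Delegation-level token can be forwarded to the database host.
    public static bool CanDelegate(WindowsIdentity caller)
    {
        return caller != null
            && !caller.IsAnonymous
            && caller.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Protocol transition (Windows Server 2003, S4U2Self): obtain a Windows
    // token for a user the web tier authenticated by some other means. Requires
    // the web server account to be allowed to use any authentication protocol
    // in its constrained-delegation settings.
    public static WindowsIdentity FromUpn(string userPrincipalName)
    {
        return new WindowsIdentity(userPrincipalName);
    }

    // Pass HttpContext.Current.User.Identity as WindowsIdentity from the page.
    // Returns the login name SQL Server records for this request.
    public static string WhoDoesTheDatabaseSee(WindowsIdentity caller)
    {
        if (!CanDelegate(caller))
            throw new InvalidOperationException(
                "Token is not delegation-level; check SPNs and delegation settings.");

        using (caller.Impersonate())               // explicit boundary for review
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        {
            conn.Open();
            // SUSER_SNAME() is the identity that lands in SQL audit and in the
            // application's own audit table: the original user, not the web tier.
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
                return (string)cmd.ExecuteScalar();
        }
    }
}
```

If the check in CanDelegate fails after delegation has supposedly been configured, the usual causes are a missing or duplicate MSSQLSvc SPN (so the connection falls back to NTLM, which cannot be delegated) or the web server account not being marked as trusted for delegation.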

This was last published in September 2004
