<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Don’t Impersonate If You Don’t Have To</title><link>http://blogs.msdn.com/b/david_leblanc/archive/2007/04/07/don-t-impersonate-if-you-don-t-have-to.aspx</link><description>Previously, I claimed that impersonation wasn't dangerous - to the impersonator – this is NOT true for the one being impersonated if it's a high level account – it's actually a fairly hazardous thing to be doing, since a lot of people make mistakes doing</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>Don’t Impersonate If You Don’t Have To </title><link>http://blogs.msdn.com/b/david_leblanc/archive/2007/04/07/don-t-impersonate-if-you-don-t-have-to.aspx#2054428</link><pubDate>Sun, 08 Apr 2007 20:44:52 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2054428</guid><dc:creator>SSQA- You &amp; SQL tools</dc:creator><description>&lt;p&gt;Well not everyone will agree with me but you have to after referring to David LeBlanc's blog . Refer&lt;/p&gt;
</description></item><item><title>re: Don’t Impersonate If You Don’t Have To</title><link>http://blogs.msdn.com/b/david_leblanc/archive/2007/04/07/don-t-impersonate-if-you-don-t-have-to.aspx#2049301</link><pubDate>Sun, 08 Apr 2007 08:37:39 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2049301</guid><dc:creator>Kris</dc:creator><description>&lt;P&gt;I have recently implemented Constrained Delegation for Web Services. We have a bunch of ASP.NET apps calling into these web services. Some are trivial web services and others are not, so we needed to pass the client context to the web services so that we know who exactly is accessing the service for audit purposes. I don't need the Client context because I am using trusted auth scheme to the down level servers from the web services. But I do need the client identity to be passed securely. We have in the past passed the client identity as part of the web method call but we decided against this now and began to look for constrained delegation to solve this problem for us. It works but is non-trivial to set it up.&lt;/P&gt;
&lt;P&gt;Are there any alternatives to this (besides the trusted subsystem model)? Can Authz APIs help me in this scenario?&lt;/P&gt;
&lt;P&gt;[dcl] AuthZ might help, but you need to be careful how you pass the identity so it can't be tampered with.&lt;/P&gt;
&lt;P&gt;Thanks.&lt;/P&gt;</description></item><item><title>re: Don’t Impersonate If You Don’t Have To</title><link>http://blogs.msdn.com/b/david_leblanc/archive/2007/04/07/don-t-impersonate-if-you-don-t-have-to.aspx#2049187</link><pubDate>Sun, 08 Apr 2007 08:00:23 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2049187</guid><dc:creator>Alik Levin</dc:creator><description>&lt;P&gt;David!, &lt;/P&gt;
&lt;P&gt;Great post on high level merits/demerits of passing identity over physical tiers.&lt;/P&gt;
&lt;P&gt;I am posting short series on the same subject on my blog - so far covered impersonation and finished writing about Delegation and Protocol transition - will post tonight. I do not pretend to be a good book chapter but small hub for technical how-to's and further reading - it is all based on MSDN and patterns&amp;amp;practices stuff&lt;/P&gt;
&lt;P&gt;here is the link &lt;A href="http://blogs.msdn.com/alikl/archive/2007/04/06/identity-flow-through-physical-tiers-impersonation.aspx" target=_new rel=nofollow&gt;http://blogs.msdn.com/alikl/archive/2007/04/06/identity-flow-through-physical-tiers-impersonation.aspx&lt;/A&gt;&lt;/P&gt;</description></item></channel></rss>