J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan
Answer:
Use Kerberos delegation to flow the original caller's identity to a back-end resource, either to perform per-user authorization there or to use operating system auditing.
To use Kerberos authentication
- All computers must be in the same Active Directory forest or in domains in separate forests with trust relationships.
- You must configure the Web server or application server machine accounts in Active Directory for delegation. Alternatively, if your ASP.NET application runs under a specific custom domain account, you can configure the domain account for delegation.
- IIS must be configured for Windows authentication, or for certificate authentication with certificate mapping.
- You must enable impersonation in your application's Web.config (see "How to impersonate the original caller").
You should use Windows Server 2003 constrained delegation to restrict which server and which service the impersonated account can access.
To use constrained delegation
- On the domain controller, run the Active Directory Users and Computers MMC snap-in from Administrative Tools.
- In the left-hand pane, click on the root node titled Active Directory Users and Computers [machinename.domain].
- Select Action | All Tasks | Raise Domain Functional Level from the menu bar.
- Select Windows Server 2003 in the Select an available domain functional level dropdown box.
- Configure the Web server machine account to be trusted for constrained delegation to the Application server.
- In the left-hand pane of the Active Directory Users and Computers MMC snap-in, click on the Computers node.
- In the right-hand pane, double-click the WEB computer.
- On the Delegation tab, select Trust this computer for delegation to specified services only (constrained delegation).
- Click Add.
- In the Add services dialog, click Users or computers.
- In the Select Users or Computers dialog, enter the name of the Application server and click OK.
- In the Add services dialog, you will now see all the available services on the WEB server. Select the HTTP service and click OK.
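The same constrained-delegation configuration expressed with the ActiveDirectory PowerShell module, as an added example that is not part of the original page. The computer name WEB comes from the steps above; the application server SPN, `HTTP/appserver.corp.example.com`, is an assumed sample value, and the script must run with rights to modify the WEB computer object.

```powershell
# Added example (not from the patterns & practices page): check the domain functional
# level, report unconstrained delegation, and constrain the WEB computer account to the
# HTTP service on the application server. The SPN below is a constructed sample value.
Import-Module ActiveDirectory

$WebServer    = 'WEB'
$AppServerSpn = 'HTTP/appserver.corp.example.com'   # assumption: application server SPN

# Constrained delegation requires the Windows Server 2003 domain functional level or later.
$mode = (Get-ADDomain).DomainMode
if ($mode -eq 'Windows2000Domain') {
    throw "Domain functional level is $mode; raise it to Windows Server 2003 first."
}

$acct = Get-ADComputer -Identity $WebServer -Properties `
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

# TrustedForDelegation = $true means 'Trust this computer for delegation to any service'
# (unconstrained): the server could present the caller's identity to any service, which
# is exactly what the page's recommendation to use constrained delegation avoids.
if ($acct.TrustedForDelegation) {
    Write-Warning "$WebServer is trusted for UNCONSTRAINED delegation; restrict it to specific services."
}

$allowed = @($acct.'msDS-AllowedToDelegateTo')
if ($allowed -contains $AppServerSpn) {
    "OK: $WebServer may delegate to $AppServerSpn (constrained delegation already set)."
} else {
    # Equivalent to 'Trust this computer for delegation to specified services only'
    # followed by adding the HTTP service of the application server.
    Set-ADComputer -Identity $WebServer -Add @{ 'msDS-AllowedToDelegateTo' = $AppServerSpn }
    "Added $AppServerSpn to the allowed delegation targets of $WebServer."
}
```

Re-running the script afterwards is a quick audit: it prints the constrained target and warns if anyone has since switched the account to unconstrained delegation.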
Additional Resources
Attributes
Author: J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan
Category: Impersonation and Delegation
filePath: ..\Libraries\patterns & practices Library\faq\895b79b1-df2d-4fa1-96dd-c6427195b014.xml
Pri: 2
Rule Type: Implementation
Source: patterns & practices Library
Status: Release
Technology: ASP.NET 2.0
Title: Question - How do I flow the original user identity to different layers
Topic: Security
Type: Question and Answer
ID: 895b79b1-df2d-4fa1-96dd-c6427195b014