Start date: Tue, 3 Jul 2007 07:58:41 -0600
Posted on: microsoft.public.dotnet.framework.aspnet.security
Impersonation and double hop
Hello,
I need a little advice in figuring out the right solution for a problem that
I am facing. I have a 3 tier application. Client, Web Service middle layer,
and SQL Server. I have been using a trusted account to get from the WS to
SQL, but now I have new requirements for getting user credentials all the
way to SQL Server. I was under the impression that by passing the user login
name and password to the middle layer, it could impersonate the user and do
a single hop to the SQL Server machine.
Unfortunately, this appears to still be a double hop scenario, even though
the middle layer has the username and password required for the domain
account. Is this correct?
And if that is the case, I suppose my only solution is to use Kerberos
delegation, which I am concerned that a highly competent and security
obsessed IT staff will refuse to set up for us during an onsite customer
implementation.
Am I missing any pieces to the puzzle? Any advice would be appreciated.
Thanks,
Glenn
Date: Tue, 3 Jul 2007 07:58:41 -0600
Re: Impersonation and double hop
What type of authentication are you using in IIS with your web services?
Are you using basic or IWA?
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Glenn Thimmes" wrote in message
news:e3d64nXvHHA.3364@TK2MSFTNGP02.phx.gbl...
> Hello,
>
> I need a little advice in figuring out the right solution for a problem
> that I am facing. I have a 3 tier application. Client, Web Service middle
> layer, and SQL Server. I have been using a trusted account to get from the
> WS to SQL, but now I have new requirements for getting user credentials
> all the way to SQL Server. I was under the impression that by passing the
> user login name and password to the middle layer, it could impersonate the
> user and do a single hop to the SQL Server machine.
>
> Unfortunately, this appears to still be a double hop scenario, even though
> the middle layer has the username and password required for the domain
> account. Is this correct?
>
> And if that is the case, I suppose my only solution is to use Kerberos
> delegation, which I am concerned that a highly competent and security
> obsessed IT staff will refuse to set up for us during an onsite customer
> implementation.
>
> Am I missing any pieces to the puzzle? Any advice would be appreciated.
>
> Thanks,
>
> Glenn
Date: Tue, 3 Jul 2007 10:20:48 -0500
Re: Impersonation and double hop
Actually we are using Anonymous and requiring that the domain username and
password are provided from the client to the server so that this
impersonation can be done for the second hop.
I have found the solution to this problem from another post in this group.
The problem was that my call to LogonUser was not generating network
credentials. I was using LOGON32_LOGON_NETWORK; this type of logon doesn't
have network credentials. I switched to LOGON32_LOGON_NETWORK_CLEARTEXT.
This fixed my problem.
-Glenn
"Joe Kaplan" wrote in message
news:uHW08WYvHHA.784@TK2MSFTNGP05.phx.gbl...
> What type of authentication are you using in IIS with your web services?
> Are you using basic or IWA?
>
> Joe K.
>
Date: Tue, 3 Jul 2007 10:15:19 -0600
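The logon-type change Glenn describes, shown as an added example in C# (not code from the thread): LogonUser is called with LOGON32_LOGON_NETWORK_CLEARTEXT so the resulting token carries the user's credentials, the thread impersonates that token, and an integrated-security SqlConnection then authenticates to the remote SQL Server as that user. The server name in the connection string and the query are assumed placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not code from the thread. With LOGON32_LOGON_NETWORK (3) the
// token has no network credentials and the second hop to SQL Server fails
// (the server sees an anonymous/NULL session). LOGON32_LOGON_NETWORK_CLEARTEXT
// (8) keeps the supplied credentials in the logon session, so outbound
// integrated authentication from the impersonated context succeeds.
static class SecondHop
{
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int LOGON32_LOGON_NETWORK = 3;            // no network credentials
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;  // credentials kept for outbound auth

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns the login SQL Server sees for the impersonated user.
    // "SQLHOST" is an assumed placeholder for the database server.
    public static string WhoAmIOnSql(string domain, string user, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Impersonation is scoped to this thread and undone when ctx is disposed.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            using (var conn = new SqlConnection(
                "Data Source=SQLHOST;Initial Catalog=master;Integrated Security=SSPI"))
            {
                conn.Open();
                using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
                    return (string)cmd.ExecuteScalar();  // DOMAIN\user when the hop worked
            }
        }
        finally
        {
            CloseHandle(token);  // never leak the token handle
        }
    }
}
```

Because the logon session holds the cleartext-derived credentials, the middle tier must receive the password over a protected channel and discard it as soon as the token exists, which is the trade-off Joe raises in the next reply.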
Re: Impersonation and double hop
Glad you fixed it. I couldn't tell from your original post how you were
actually getting the security context for the user to impersonate, so that's
what I was driving at. Had I known you were using LogonUser, I would have
recommended that first. :)
Regarding delegation vs. the approach you are using now, I think the
argument there is that your current solution requires that the user provide
their plaintext password to your service. If the web services tier used IWA
auth, then this would not be true, but you would need Kerberos delegation.
So, it is a balancing act for the security guys to decide which is less
heinous. Kerberos delegation when used in constrained mode is not really
very scary at all, especially if the highly privileged accounts in the
forest are marked as "sensitive and cannot be delegated".
However, the tier that is doing the web service client calls may not be
capable of doing IWA auth, so that whole point might be moot.
Best of luck!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Glenn Thimmes" wrote in message
news:eAFIR0YvHHA.4532@TK2MSFTNGP02.phx.gbl...
> Actually we are using Anonymous and requiring that the domain username and
> password are provided from the client to the server so that this
> impersonation can be done for the second hop.
>
> I have found the solution to this problem from another post in this
> group. The problem was that my call to LogonUser was not generating
> network credentials. I was using LOGON32_LOGON_NETWORK; this type of logon
> doesn't have network credentials. I switched to
> LOGON32_LOGON_NETWORK_CLEARTEXT.
>
> This fixed my problem.
>
> -Glenn
Date: Tue, 3 Jul 2007 13:14:27 -0500
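Joe's mitigation for the delegation option, marking highly privileged accounts "sensitive and cannot be delegated", can be audited from the directory. This added C# example (not code from the thread) lists members of a privileged group whose userAccountControl lacks the ADS_UF_NOT_DELEGATED bit; the group DN passed in is an assumed placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not from the thread. Finds accounts in a privileged group that
// a delegating service could still impersonate toward other servers, i.e. that
// are NOT marked "Account is sensitive and cannot be delegated".
static class DelegationAudit
{
    // userAccountControl bit set by the "sensitive and cannot be delegated" checkbox
    const int ADS_UF_NOT_DELEGATED = 0x100000;

    // groupDn is an assumed placeholder such as
    // "CN=Domain Admins,CN=Users,DC=example,DC=com"; DN values with LDAP
    // filter metacharacters would need escaping before use in the filter.
    public static List<string> MembersWithoutNotDelegated(string groupDn)
    {
        var unprotected = new List<string>();
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        using (var domain = new DirectoryEntry(
            "LDAP://" + rootDse.Properties["defaultNamingContext"].Value))
        using (var searcher = new DirectorySearcher(domain))
        {
            // Matching rule 1.2.840.113556.1.4.1941 follows nested group membership,
            // so members of groups inside the privileged group are included too.
            searcher.Filter = "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:="
                              + groupDn + "))";
            searcher.PropertiesToLoad.Add("sAMAccountName");
            searcher.PropertiesToLoad.Add("userAccountControl");
            searcher.PageSize = 500;  // paged results for large groups

            foreach (SearchResult r in searcher.FindAll())
            {
                int uac = (int)r.Properties["userAccountControl"][0];
                if ((uac & ADS_UF_NOT_DELEGATED) == 0)
                    unprotected.Add((string)r.Properties["sAMAccountName"][0]);
            }
        }
        return unprotected;
    }
}
```

Run it as a domain user (reading these attributes needs no special rights by default) and review the returned names against the accounts the IT staff intends to keep out of any delegation path.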