russell.lane
I'm building out a pretty standard n-tier ASP.Net web application. The stack
includes application/presentation, biz logic, and data access layers on top
of an SQL server back end.

We want to use impersonation and delegation to forward the user's Windows
login through all layers in the stack. To support this, I'm setting up a
set of domain accounts which we will use to create SPNs for the various
services in the various layers.
At this point, I'm trying to figure out how many, and what, domain accounts
I need to use in creating the SPNs. Is there a best practice paper on this?
I do have one very specific question:
It's not clear to me that, for our purposes, there's any need to establish
different domain accounts for the business logic and data access layers.
Can I create one account for both of these layers and create SPNs for both
business logic and data access layers using the same domain account?
For example -- assume I've created an account called "websvc". Also assume
that business logic services run on server1 and data access services run on
server2. Both services run on their respective hosts in dedicated
application pools that run under the "websvc" account.
Can I do this:
setspn -A HTTP/server1 mydomain\websvc
setspn -A HTTP/server1.mydomain.com mydomain\websvc
AND this:
setspn -A HTTP/server2 mydomain\websvc
setspn -A HTTP/server2.mydomain.com mydomain\websvc
and, if I do that, will the business logic layer be able to delegate to the
data access layer? Do I have to add "websvc" to its own list of accounts
that it can delegate to, to make that work?
I've cross-posted this on *.webservices.
Many thanks, I look forward to your replies.
Russell Lane
(e-mail address removed)
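One way to lay out the configuration the question describes, as an added example that is not part of the original post: register the SPNs, check the forest for duplicates, and restrict the shared account to constrained delegation so it can only forward tickets to the listed targets. It assumes the `mydomain.com` domain, the `websvc` account, `server1`/`server2` and a hypothetical SQL host `sqlhost` on port 1433, and requires the ActiveDirectory PowerShell module.

```powershell
# Added example (not from the original post). Assumed names: mydomain.com,
# websvc, server1, server2 and a hypothetical SQL host "sqlhost".
Import-Module ActiveDirectory

$account = 'websvc'
$spns = @(
    'HTTP/server1', 'HTTP/server1.mydomain.com',   # business logic tier
    'HTTP/server2', 'HTTP/server2.mydomain.com'    # data access tier
)

# -S registers the SPN only if it is not already held by another principal.
# A duplicate SPN makes Kerberos fall back to NTLM, which silently breaks delegation.
foreach ($spn in $spns) {
    setspn -S $spn "mydomain\$account"
}

# Forest-wide duplicate check and a listing of what the account now holds.
setspn -X -F
setspn -L "mydomain\$account"

# Constrained delegation: the business logic tier (running as websvc) may
# forward the caller's identity only to these services. Because both tiers
# share one account, the data access SPNs must still appear here; the
# account is not implicitly allowed to delegate to itself.
$targets = @(
    'HTTP/server2', 'HTTP/server2.mydomain.com',
    'MSSQLSvc/sqlhost.mydomain.com:1433'   # hypothetical SQL Server SPN
)
Set-ADUser -Identity $account -Add @{ 'msDS-AllowedToDelegateTo' = $targets }

# Keep protocol transition off: with Kerberos end-to-end the front end does not
# need to mint tickets for users who never presented a Kerberos ticket.
Set-ADAccountControl -Identity $account -TrustedToAuthForDelegation $false

# Verify the result; the account should never be marked "trusted for (unconstrained) delegation".
Get-ADUser -Identity $account -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Note that sharing one account across tiers means a compromise of either tier yields the same delegation rights; separate accounts per tier let the SQL target be listed only on the data access account.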