William F. Robertson, Jr.
On page:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch19.asp
Microsoft discusses the drawbacks of impersonating the original caller.
I am especially concerned about the 1 drawback...
"Application scalability is reduced because database connections cannot be
effectively pooled."
Is this only if using integrated authentication, or if using connection
strings does database pooling still happen?
Any thoughts would be highly appreciated...
bill
Impersonating the Original Caller
To impersonate the original caller, use the following configuration:
<identity impersonate="true" />
The impersonation uses the access token provided by IIS that represents the
authenticated caller. This may be the anonymous Internet user account, for
example, if your application uses Forms authentication, or it may be a
Windows account that represents the original caller, if your application
uses Windows authentication.
If you do enable original caller impersonation, note the following issues:
a. Application scalability is reduced because database connections cannot
   be effectively pooled.
b. Administration effort increases as ACLs on back-end resources need to
   be configured for individual users.
c. Delegation requires Kerberos authentication and a suitably configured
   Windows 2000 environment.
For more information, see "How To: Implement Kerberos Delegation for Windows
2000" in the "How To" section of "Microsoft patterns & practices Volume I,
Building Secure ASP.NET Applications: Authentication, Authorization, and
Secure Communication" at
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT05.asp.
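
Added example, not part of the original post or the quoted MSDN text: a simplified Python model of how a connection pool gets partitioned, assuming (as ADO.NET does) that pools are keyed by the exact connection string and, when integrated security is requested, by the Windows identity of the calling thread. Server, database and account names and the helper functions are constructed for illustration.

```python
# Simplified model (assumption): a pool is keyed by the exact connection
# string, plus the thread's Windows identity when integrated security is used.
# Server, database, account names and helper names are constructed.
SSPI = "Server=db01;Database=app;Integrated Security=SSPI"
SHARED_LOGIN = "Server=db01;Database=app;User ID=app_svc;Password=<placeholder>"


def uses_integrated_security(conn_str):
    """True if the connection string asks for Windows (SSPI) authentication."""
    for part in conn_str.split(";"):
        key, _, value = part.partition("=")
        if key.strip().lower() in ("integrated security", "trusted_connection"):
            return value.strip().lower() in ("sspi", "true", "yes")
    return False


class PoolManager:
    def __init__(self):
        self.pools = {}          # pool key -> idle connections
        self.physical_opens = 0  # connections that had to be created

    def open(self, conn_str, thread_identity):
        # Identity only matters when the database login is the Windows token.
        who = thread_identity if uses_integrated_security(conn_str) else None
        key = (conn_str, who)
        idle = self.pools.setdefault(key, [])
        if idle:
            return key, idle.pop()      # reuse a pooled connection
        self.physical_opens += 1
        return key, object()            # stand-in for a new physical connection

    def close(self, key, conn):
        self.pools[key].append(conn)    # return the connection to its pool


def simulate(conn_str_for, users, impersonate, rounds=5, process_identity="ASPNET"):
    """Serve `rounds` requests per user; return (pool count, physical opens)."""
    mgr = PoolManager()
    for _ in range(rounds):
        for user in users:
            identity = user if impersonate else process_identity
            key, conn = mgr.open(conn_str_for(user), identity)
            mgr.close(key, conn)
    return len(mgr.pools), mgr.physical_opens
```

In this model the pool fragments whenever the database sees a different login per caller, whether that login comes from an impersonated Windows token or from a per-user connection string; a single shared login in the connection string keeps one pool even with impersonation enabled.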