Impersonation and double hop

Glenn Thimmes

Hello,

I need a little advice in figuring out the right solution for a problem that
I am facing. I have a 3 tier application. Client, Web Service middle layer,
and SQL Server. I have been using a trusted account to get from the WS to
SQL, but now I have new requirements for getting user credentials all the
way to SQL Server. I was under the impression that by passing the user login
name and password to the middle layer, it could impersonate the user and do
a single hop to the SQL Server machine.

Unfortunately, this appears to still be a double hop scenario, even though
the middle layer has the username and password required for the domain
account. Is this correct?

And if that is the case, I suppose my only solution is to use Kerberos
delegation, which I am concerned that a highly competent and security
obsessed IT staff will refuse to set up for us during an onsite customer
implementation.

Am I missing any pieces to the puzzle? Any advice would be appreciated.

Thanks,

Glenn

Joe Kaplan

What type of authentication are you using in IIS with your web services?
Are you using basic or IWA?

Joe K.

Glenn Thimmes

Actually we are using Anonymous and requiring that the domain username and
password are provided from the client to the server so that this
impersonation can be done for the second hop.

I have found the solution to this problem from another post in this group.
The problem was that my call to LogonUser was not generating network
credentials. I was using LOGON32_LOGON_NETWORK, this type of logon doesn't
have network credentials. I switched to LOGON32_LOGON_NETWORK_CLEARTEXT.

This fixed my problem.

-Glenn
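The fix Glenn describes, as an added C# example (not the original poster's code): a P/Invoke wrapper around LogonUser that requests LOGON32_LOGON_NETWORK_CLEARTEXT so the impersonated token can authenticate onward to SQL Server. The domain, user name, password and the SQL connection string are placeholders supplied by the caller.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: obtain a logon token that carries network credentials so a
// call made under impersonation can reach a second machine (here SQL Server).
public static class NetworkLogon
{
    // Logon types from the LogonUser documentation.
    const int LOGON32_LOGON_NETWORK = 3;           // fast, but no outbound credentials
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8; // keeps credentials for the next hop
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' as the given domain user. With LOGON32_LOGON_NETWORK the
    // SQL connection inside 'work' would fail with an anonymous-logon error;
    // with NETWORK_CLEARTEXT the token can authenticate to the SQL host.
    public static void RunAsUser(string domain, string user, string password, Action work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsIdentity.Impersonate(token))
            {
                work(); // e.g. open a SqlConnection with Integrated Security=SSPI
            }
        }
        finally
        {
            CloseHandle(token); // the token holds the user's credentials; release it promptly
        }
    }
}

// Usage (placeholder names; 'password' is the value the client sent to the service):
// NetworkLogon.RunAsUser("CORP", "alice", password, () => {
//     using (var cn = new System.Data.SqlClient.SqlConnection(
//         "Server=sqlhost;Database=app;Integrated Security=SSPI"))
//     { cn.Open(); /* queries here run as CORP\alice */ }
// });
```

Because the cleartext logon type caches the password-derived credentials in the token, the service must hold the password only for the duration of the call and close the handle as shown.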

Joe Kaplan

Glad you fixed it. I couldn't tell from your original post how you were
actually getting the security context for the user to impersonate, so that's
what I was driving at. Had I known you were using LogonUser, I would have
recommended that first. :)

Regarding delegation vs. the approach you are using now, I think the
argument there is that your current solution requires that the user provide
their plaintext password to your service. If the web services tier used IWA
auth, then this would not be true, but you would need Kerberos delegation.
So, it is a balancing act for the security guys to decide which is less
heinous. Kerberos delegation when used in constrained mode is not really
very scary at all, especially if the highly privileged accounts in the
forest are marked as "sensitive and cannot be delegated".

However, the tier that is doing the web service client calls may not be
capable of doing IWA auth, so that whole point might be moot.

Best of luck!

Joe K.