Is Delegation Necessary?

[headware]

My ASP.NET app needs to access an Excel file sitting on another
computer on a the network using ADO.NET. I've tried this using just
impersonation and it seems to work fine but everything I read says
that accessing network resources requires delegation. Is that
necessary in this case? If so, why is this working?

Thanks,
Dave

 

[Gregory A. Beamer]

My ASP.NET app needs to access an Excel file sitting on another
computer on a the network using ADO.NET. I've tried this using just
impersonation and it seems to work fine but everything I read says
that accessing network resources requires delegation. Is that
necessary in this case? If so, why is this working?

Thanks,
Dave

FYI: There is a certain amount of "delegation" involved in impersonation,
although it is under the hood. ;-)

BTW, is this drive mapped or are you using a UNC path? Just curious.

 

[headware]

FYI: There is a certain amount of "delegation" involved in impersonation,
although it is under the hood. ;-)

BTW, is this drive mapped or are you using a UNC path? Just curious.

It's a UNC path to a share on another box.

 

[headware]

Because it's not necessary in this case...

Would you please explain why it's not required in this case?

 

[Gregory A. Beamer]

It's a UNC path to a share on another box.

If it is working, I would roll with it. It is not the "best" solution, but
I have read nothing that convinces me it is a horrible option that you
should not use.

Note, however, if the network admins lock down security, it could fail.
This is a risk with any external resource you are linked to, UNC or mapped.

 

[Larry Smith]

My ASP.NET app needs to access an Excel file sitting on another
computer on a the network using ADO.NET. I've tried this using just
impersonation and it seems to work fine but everything I read says
that accessing network resources requires delegation. Is that
necessary in this case?
No

If so, why is this working?

It's working because delegation means allowing the *remote* machine to
access network resources. You can access the remote machine with your Excel
file IOW (which involves its own authentication - long story) but that
machine can't turn around and access another machine unless you permitted
delegation in the first place (which is potentially very dangerous since the
remote machine then has your network credentials and can masquerade as you
on another machine which can do the same and so forth - each new machine
thinks it's you and so can cause damage in *your* name - your credentials
are also spread across all these machines - not good).

 

[headware]

I'm not quite sure how to answer your question - it's not required because
it's not required, in the same way that it's not required to use a web
service, or AJAX, or remoting, or <insert any particular technology you
like> to query an Excel file with ADO.NET.

Perhaps it might be simpler if you explain why you think it should be
required...?

Well, I've read in several places that it's required in order to
access network resources. Here are some examples:

From Microsoft:
http://msdn.microsoft.com/en-us/library/ms998351.aspx
"you can use impersonation to access local resources . . . Delegation
allows you to use an impersonation token to access network resources."

Non-Microsoft:
http://www.infosysblogs.com/microsoft/2009/02/impersonation_and_delegation_t.html
"In summary, impersonation is pretending to be someone else, other
than the process identity, and access local resources . . . delegation
is authentication across machine boundary on behalf of someone else."

I don't have a lot of experience with impersonation and delegation so
it's entirely possible that I'm misunderstanding this. If that's the
case, maybe you could give me an example of when it would be necessary
to use delegation and why impersonation wouldn't be sufficient.

Thanks,
Dave

 

[Larry Smith]

As an FYI, these issues really have nothing to do with ASP.NET whatsoever.
It's the Windows security model that's in control. If you understand how
that works, everything will be easily understood. The devil's in the details
of course but it's not nearly as complicated as people think. The real
problem is that there's virtually no documenation from MSFT that *clearly*
explains how this model works. Instead, get yourself the book "Programming
Windows Security" by Keith Brown. It was published many years ago but still
the most relevant book on the subject I've ever seen (and still applicable
to all professional versions of MSFT OSs). Spend the time to get through it
and you'll be glad you did. It will forever eliminate your security
problems.

 

[bruce barker]

with only two computers delegation is not required. its required when
you involve 3. a sends its credentials to b, and b tries to use these
credentials to access c. this is because c, has to trust b's
authentication of a.

as long as the web browser used in on the same computer as the web
server, no delegation (which requires kerberos) is needed. if you hit
your website from another computer, then delegtion will be required.

-- bruce (sqlwork.com)

 

[headware]

That article says that you *CAN* use impersonation to access local
resources - it doesn't say that you *HAVE TO*...

It further says that delegation allows you to use an impersonation token to
access network resources - IF YOU NEED ONE! In your case, you clearly
don't...

I'm trying to access a file on another computer over the network. You
don't consider that a network resource? Maybe this is a just a
definition issue.

I realize that impersonation and delegation are not required in every
situation, but there are cases where they are. Maybe if you gave an
example of a situation where delegation would be required and why, it
would help explain things better.

 

[headware]

As an FYI, these issues really have nothing to do with ASP.NET whatsoever..
It's the Windows security model that's in control. If you understand how
that works, everything will be easily understood. The devil's in the details
of course but it's not nearly as complicated as people think. The real
problem is that there's virtually no documenation from MSFT that *clearly*
explains how this model works. Instead, get yourself the book "Programming
Windows Security" by Keith Brown. It was published many years ago but still
the most relevant book on the subject I've ever seen (and still applicable
to all professional versions of MSFT OSs). Spend the time to get through it
and you'll be glad you did. It will forever eliminate your security
problems.

Thanks for the reference. Reading the topic list, it does cover a lot
of the things I'm interested in. Good cover art too. I found another
one called "The .NET Developer's Guide to Windows Security" that might
be worth a look as well. I really don't want to be a Windows admin but
this stuff does come up quite a bit especially with web apps. A
developer focused book would be ideal.

 

[headware]

Yes, it is a network resource, but it involves only two machines - the
machine that the browser is running on, and the webserver.


If a third machine were involved, then this would require delegation. The
first computer connects to the second computer via a standard network
connection - this doesn't require delegation. However, if the second
computer then tries to connect to a third computer using the credentials by
which the first computer accessed the second computer, then this would
require delegation because the third computer would need to trust the second
computer's authentication of the first computer.

Well, we finally got things to make sense. The three machine scenario
you mention above is exactly the scenario we were trying to test. A
web browser hitting a web server remotely over the network, which then
tries to access a file sitting on another box. At first we did not
have delegation enabled and we were not getting any errors which
didn't make sense. I later rewrote a smaller test web app from the
ground up and retried the scenario and started getting the errors I
was expecting. I'm not sure what I was doing wrong before, but things
make sense now.

All the test web app does is impersonate the user passed in from the
web browser and try to access a network resource. If I open up a
browser *on the web server* and hit the app, it works fine even if
kerberos is disabled. The network resource is accessible without
error. This is the two computer scenario. However, if I go to another
machine and browse to the web app from there (kerberos still disabled)
I get an error stating that it can't access the file. So that would be
the three computer scenario and, as expected, it does not work with
kerberos disabled. If we then enabled kerberos I can successfully hit
the web app from a computer other than the web server.

We found that kerberos didn't work unless you fully qualified the
server name in the url (http://server.domain). Not sure why.

So long story short, the world once again makes sense. Thanks to all
for the help.

Dave