You need to configure constrained delegation at the AD level for the account running the web server and grant it access to the other server it's allowed to talk to. And then yes, in the app you need to impersonate but you should not do it via config -- you should write the explicit code to impersonate like this:
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public void DoWorkWithClientCreds()
{
    // grab client identity (the Kerberos token of the authenticated caller)
    WindowsIdentity id = (WindowsIdentity)Context.User.Identity;

    // impersonation is automatically undone by
    // WindowsImpersonationContext.Dispose at the end of the using block
    using (WindowsImpersonationContext wic = id.Impersonate())
    {
        using (SqlConnection con = new SqlConnection(
            "data source=BackEnd...;Integrated Security=SSPI"))
        {
            // access remote sql server: opening the connection under the
            // impersonated token is what makes the client identity flow off the box
            con.Open();
        }
    }
}
BrockAllen
All-Star
27434 Points
4891 Posts
MVP
Re: Full Windows authentication on 3 tiers (client - web server - Sql server)
Apr 12, 2012 02:12 PM
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
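The post describes the AD-level step ("configure constrained delegation ... and grant it access to the other server it's allowed to talk to") without showing it. The following is an added example, not part of the original post or its author's code: it sets up Kerberos constrained delegation for the web tier's service account using the ActiveDirectory PowerShell module and setspn, restricting delegation to the back-end SQL Server's SPN only. The account name `svc_web`, domain `CORP`, and the SPNs `HTTP/web.corp.example` and `MSSQLSvc/backend.corp.example:1433` are placeholders.

```powershell
# Added example (not from the original post): configure Kerberos constrained delegation
# for the web server's service account so it can present the caller's identity only to
# the back-end SQL Server. All names below are assumed placeholders.
Import-Module ActiveDirectory

$WebSvcAccount = 'svc_web'                              # assumed: domain account running the app pool
$Domain        = 'CORP'                                 # assumed: NetBIOS domain name
$WebSpn        = 'HTTP/web.corp.example'                # assumed: SPN browsers use for the site
$SqlSpn        = 'MSSQLSvc/backend.corp.example:1433'   # assumed: SPN of the back-end SQL instance

# 1. The web tier needs an SPN so clients obtain a Kerberos ticket for it;
#    an NTLM-authenticated session cannot be delegated at all.
setspn -S $WebSpn "$Domain\$WebSvcAccount"

# 2. Constrained delegation: the service account may delegate to the SQL SPN and nothing else
#    (this is the msDS-AllowedToDelegateTo attribute behind the "Trust this user for
#    delegation to specified services only" option in AD Users and Computers).
Set-ADUser -Identity $WebSvcAccount -Add @{ 'msDS-AllowedToDelegateTo' = $SqlSpn }

# 3. Make sure the account is not left with unconstrained delegation (TrustedForDelegation)
#    or protocol transition (TrustedToAuthForDelegation); neither is needed when the client
#    authenticates to the web tier with Kerberos, and both widen what the account can do.
Set-ADAccountControl -Identity $WebSvcAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 4. Verify the resulting configuration.
Get-ADUser -Identity $WebSvcAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Run this once as a domain administrator; the SQL Server's own service account must already be registered for the `MSSQLSvc` SPN, otherwise step 2 names a service no ticket can be issued for. To confirm that the impersonation code in the post actually delivered the caller's identity, check the session on the SQL side: `sys.dm_exec_connections` reports `auth_scheme` as KERBEROS and `SUSER_SNAME()` returns the end user, not the web server's account. Accounts that should never be delegated (domain admins, break-glass users) can be marked with `Set-ADAccountControl -AccountNotDelegated $true`, which blocks delegation of those users even through a correctly configured web tier.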