Sunday, September 11, 2005

Constrained Delegation

Some time ago, our vendor was developing an ASP.NET application that needs to create and store XML files in a folder. Each XML file records the domain user name of the user who made the request.

During development they worked on a single server running IIS 6 and SQL 2000. To capture the domain user name, the website's authentication method was set to “Windows Integrated Authentication”. The folder that stored the XML files was also on that development server. Testing went well there, and it was time to move to the production servers.

The production environment is quite different: there are two web servers running IIS 6, load balanced with Microsoft NLB. At the back end there is a two-node clustered SQL 2000 server (single instance), and the folder that stores the XML files is on the SQL server.

The vendor moved the web application to the production servers and it broke. When the web application tried to save the XML file to the shared folder via its UNC path, access was denied. We verified that the share and NTFS permissions on the folder were set correctly. From the user's computer we were able to access the shared folder and create a file. This led us to believe that the web server was not using the user's credentials to create the file on the SQL server.

The answer is “User Delegation and Constrained Delegation”. Basically, when the content is stored remotely (not on the IIS 6 web server itself), the user's credentials are not passed on to the remote server when that server challenges the request. We needed to enable constrained delegation on both web servers so that the user's credentials could be passed to the remote server.

When I was about to enable constrained delegation, I noticed that there was no computer account for the virtual name of the clustered SQL server. The solution was in Q235529. Had the SQL server's OS been Windows 2003, this would have been easier.
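The delegation change from the two paragraphs above, as an added example that is not part of the original post: it uses today's ActiveDirectory PowerShell module instead of the 2005-era Active Directory Users and Computers dialog, and the names WEB01, WEB02, SQLVIRT and corp.example.com are placeholders. It limits each web server's delegation to the CIFS service on the cluster virtual name only, which is the reason for choosing constrained rather than unconstrained delegation, and then reports the resulting settings.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (not available in 2005) and these placeholder names:
#   WEB01, WEB02      - the two NLB web server computer accounts
#   SQLVIRT           - computer account for the SQL cluster virtual name
#                       (created by hand per Q235529 on a Windows 2000 cluster)
#   corp.example.com  - the AD domain
Import-Module ActiveDirectory

$WebServers = 'WEB01', 'WEB02'
$FileServer = 'SQLVIRT'
$Domain     = 'corp.example.com'

# The share is reached over SMB, so the only service the web servers need to
# delegate to is CIFS on the cluster virtual name (short and FQDN forms).
$AllowedTargets = @("cifs/$FileServer", "cifs/$FileServer.$Domain")

# Kerberos can only issue a service ticket for a target that has an SPN.
# A manually created cluster computer account may have none, so check first.
$target  = Get-ADComputer -Identity $FileServer -Properties servicePrincipalName
$haveSpn = $target.servicePrincipalName |
    Where-Object { $_ -like "HOST/$FileServer*" -or $_ -like "cifs/$FileServer*" }
if (-not $haveSpn) {
    Write-Warning "$FileServer has no HOST/CIFS SPN; register one with setspn before delegating."
}

foreach ($web in $WebServers) {
    # Constrained delegation: list exactly the target SPNs and nothing more.
    Set-ADComputer -Identity $web -Replace @{ 'msDS-AllowedToDelegateTo' = $AllowedTargets }

    # Make sure the broad "Trust this computer for delegation to any service"
    # option is off; with it on, the web server could act as any caller
    # against every service in the domain, not just the file share.
    Set-ADAccountControl -Identity $web -TrustedForDelegation $false
}

# Verification: show what each web server is now allowed to delegate to.
foreach ($web in $WebServers) {
    $acct = Get-ADComputer -Identity $web -Properties msDS-AllowedToDelegateTo, TrustedForDelegation
    [pscustomobject]@{
        Computer       = $web
        Unconstrained  = $acct.TrustedForDelegation
        AllowedTargets = ($acct.'msDS-AllowedToDelegateTo' -join '; ')
    }
}
```

Run it from an account that may modify the web server computer objects; the web servers must be rebooted (or their Kerberos tickets purged) before the new delegation settings take effect.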

With all those changes, the web application finally works. However, there is a concern that a user might access the shared folder directly (although it is a hidden share) and modify those XML files. There are many approaches to this; we chose to use COM+ to handle the requests from the web application.
