Brian #1
ASP.NET Impersonation & Delegation
I have read various articles explaining the ASP.NET
security model. I have one simple question regarding
Delegation that I can't seem to get answered:

I have a web service that opens a file on another server
and reads the contents.

If I set an IIS application to Anonymous which uses a
domain account, I also set up Impersonate = True in
web.config, do I need to turn on Kerberos Delegation for
the web server or the other server?

My understanding is that ASP.NET will impersonate the
Domain account and since IIS knows the password it passes
it successfully to the other server which also receives
the credentials. However, if another hop was involved,
delegation would be required.
Brian Guest
Jim Cheshire [MSFT] #2
RE: ASP.NET Impersonation & Delegation
Brian,
In order to avoid misinformation, let me restate my understanding of your
question:
* Your ASP.NET Web Service is accessing a file on a remote machine.
* You are using Anonymous access in IIS and the anonymous user is
specified by you as a domain account.
* You have non-user-specific impersonation turned on in the web.config.
You are then asking if you need to use Kerberos in this scenario. The
answer is no. In this scenario, there is no delegation of credentials
taking place.
Jim Cheshire, MCSE, MCSD [MSFT]
Microsoft Developer Support
ASP.NET
jamesche@online.microsoft.com
This post is provided as-is with no warranties and confers no rights.
>I have read various articles explaining the ASP.NET
>security model. I have one simple question regarding
>Delegation that I can't seem to get answered:
>
>I have a web service that opens a file on another server
>and reads the contents.
>
>If I set an IIS application to Anonymous which uses a
>domain account, I also set up Impersonate = True in
>web.config, do I need to turn on Kerberos Delegation for
>the web server or the other server?
>
>My understanding is that ASP.NET will impersonate the
>Domain account and since IIS knows the password it passes
>it successfully to the other server which also receives
>the credentials. However, if another hop was involved,
>delegation would be required.
Jim Cheshire [MSFT] Guest
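
As an added example (not part of the original thread or of the reply above), a diagnostic handler for the scenario restated in the answer: it reports which Windows identity the request thread runs under and whether that identity can read the remote file. It assumes .NET Framework 2.0 or later and `<identity impersonate="true" />` in web.config; the class name and the UNC path are hypothetical placeholders.

```csharp
// Added example, not code from the thread. Assumes .NET Framework 2.0+
// and <identity impersonate="true" /> in web.config, as in the question.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class RemoteReadDiagnostic : IHttpHandler   // hypothetical name
{
    // Placeholder UNC path; point it at the file on the other server.
    private const string RemotePath = @"\\FILESERVER\share\data.txt";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The output names a domain account, so serve it to local requests only.
        if (!context.Request.IsLocal)
        {
            context.Response.StatusCode = 404;
            return;
        }

        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // With impersonation on, GetCurrent() returns the identity on the
        // request thread: the account used for the outbound file access.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            r.Write("Thread identity:     " + id.Name + "\r\n");
            r.Write("Authentication type: " + id.AuthenticationType + "\r\n");
            r.Write("Impersonation level: " + id.ImpersonationLevel + "\r\n");
        }

        try
        {
            string text = File.ReadAllText(RemotePath);
            r.Write("Remote read OK, " + text.Length + " characters\r\n");
        }
        catch (UnauthorizedAccessException ex)
        {
            // The remote server refused the identity reported above.
            r.Write("Access denied: " + ex.Message + "\r\n");
        }
        catch (IOException ex)
        {
            r.Write("I/O error: " + ex.Message + "\r\n");
        }
    }
}
```

If the thread identity shown is not the domain account configured for anonymous access, the impersonation setting is not taking effect and the remote server's ACLs are being evaluated against a different account.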




