This is a migrated thread and some comments may be shown as answers.

Linq in a custom SharePoint web part

1 Answer 61 Views
Sharepoint Integration
William Cook asked on 03 Feb 2010, 09:49 PM
Hi,

I have a custom MOSS 2007 web part which uses a RadGrid bound to a LinqDataSource hitting a SQL DB. Everything works fine when running MOSS and SQL on the same machine, but when moving the webpart to an environment where those services reside on separate machines I run into the usual 'double-hop' issue. User on machine A authenticates to MOSS machine B; on machine B the web.config is set to impersonate; but those impersonated credentials cannot be sent to the last hop to SQL machine C.

I don't think I can get away with changing the impersonation account on the entire web application's web.config (web app is used for many, many other things than this one web part). I also don't believe getting Kerberos set up between the MOSS machine B and the SQL machine C would be acceptable for the target environment, but I'm investigating that approach just in case.

Suggestions on how this would typically be done? Best approach I've come up with so far is to:
1. Create a domain account login.
2. Grant that domain login the appropriate access on the SQL box.
3. Edit the DataClasses.designer.cs file to intercept the Get method for the table and wrap the 'return this.GetTable<tablename>();' with additional code to read in an encrypted username / password from the web.config, use them to impersonate the domain account, make the call, and then undo the impersonation.

Note that this requires editing an auto-generated file, which means having to deal with preventing re-generation so I don't lose the changes, etc.

Any better approaches out there?

Thanks,

William

1 Answer, 1 is accepted

Tsvetoslav
Telerik team
answered on 08 Feb 2010, 09:53 AM
Hi William,

The double-hop problem is due to the fact that on Windows networks, impersonated credentials can't be used to access network resources - this prevents a web-server from maliciously or accidentally using the credentials of a user who innocently logged on to it to access protected network resources. Therefore, it is not related to the RadControls.

Still, your solution seems valid and viable. As for the auto-generated designer code, you can take advantage of all the classes being partial, which means that you can add your custom code in a separate file which will not be touched by the code auto-generation process.

I hope this helps.

Best wishes,
Tsvetoslav
the Telerik team
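The partial-class approach from this thread, sketched as an added example (not code from the original posters or from Telerik): the impersonation wrapper lives in its own file next to the generated designer file. Because LINQ to SQL defers execution, the query is materialized inside the impersonation scope; wrapping only `GetTable<T>()` would open the SQL connection after the identity had already been reverted. The class name `MyDataClassesDataContext`, the method `ReadAsSqlAccount` and the three `appSettings` keys are hypothetical, and the settings section is assumed to be encrypted with ASP.NET protected configuration.

```csharp
// MyDataClasses.Impersonation.cs -- separate file; the designer never regenerates it.
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Configuration;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical name: must match the namespace and class in the generated designer file.
public partial class MyDataClassesDataContext
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // credentials used for outbound connections only
    const int LOGON32_PROVIDER_WINNT50 = 3;      // provider required for logon type 9

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs the query and materializes it while impersonating the SQL account.
    public List<T> ReadAsSqlAccount<T>(Func<IQueryable<T>, IQueryable<T>> shape) where T : class
    {
        // Hypothetical appSettings keys; the section is assumed to be encrypted
        // with protected configuration, which decrypts transparently on read.
        var cfg = ConfigurationManager.AppSettings;
        IntPtr token;
        if (!LogonUser(cfg["SqlAccountUser"], cfg["SqlAccountDomain"], cfg["SqlAccountPassword"],
                       LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        try
        {
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                // ToList() forces execution here; returning the IQueryable would
                // run the SQL later, after impersonation has been undone.
                return shape(GetTable<T>()).ToList();
            }   // Dispose() reverts the thread to the original identity
        }
        finally
        {
            CloseHandle(token); // always release the logon token, even on failure
        }
    }
}
```

With logon type 9 `LogonUser` does not validate the password, so a wrong credential surfaces as a SQL login failure when the connection opens rather than as a `Win32Exception`.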
